CertsTopics Logo

Weekend Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Specialty SCS-C02 Exam Dumps

Page: 31 / 31
Total 417 questions
Get SCS-C02 Full Access Download SCS-C02 PDF

AWS Certified Security - Specialty Questions and Answers

Question 121

A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.

Which solution will meet these requirements?

Options:

A.

Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.

B.

Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

C.

Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.

D.

Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

Question 122

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native IAM features should be used as much as possible Thesecurity engineer has set up IAM Organizations w1th all features activated and IAM SSO enabled.

Which additional steps should the security engineer take to complete the task?

Options:

A.

Use AD Connector to create users and groups for all employees that require access to IAM accounts. Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

B.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees‘job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.

C.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access IAM accounts by using the IAM SSO user portal.

D.

Use IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission sets. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Question 123

Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

Options:

A.

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

B.

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

C.

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

D.

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Question 124

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?

Please select:

Options:

A.

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

B.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

C.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

D.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Page: 31 / 31
Total 417 questions
Get SCS-C02 Full Access Download SCS-C02 PDF