Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Specialty SCS-C03 Amazon Web Services Study Notes

Page: 16 / 17
Total 231 questions

AWS Certified Security – Specialty Questions and Answers

Question 61

A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

Which solution will meet these requirements?

Options:

A.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.

B.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.

C.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

D.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

Question 62

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

Which solution will prevent direct access to the ALB?

Options:

A.

Use AWS PrivateLink with the ALB.

B.

Replace the ALB with an internal ALB.

C.

Restrict ALB listener rules to CloudFront IP ranges.

D.

Require a custom header from CloudFront and validate it at the ALB.

Question 63

A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Use AWS WAF IP match rules.

B.

Use AWS WAF geo match rules.

C.

Use CloudFront geo restriction to deny the countries.

D.

Use geolocation headers in CloudFront.

Question 64

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.

Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

Options:

A.

Configure access logging for the required API stage.

B.

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.

C.

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

D.

Use Amazon CloudWatch Logs Insights to analyze API access information.

E.

Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Page: 16 / 17
Total 231 questions