Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with Dumpstech

Exam SCS-C02 Premium Access

View all detail and faqs for the SCS-C02 exam

Go to Exam
Practice at least 50% of the questions to maximize your chances of passing.
Viewing page 11 out of 14 pages
Viewing questions 101-110 out of questions
Questions # 101:

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an

Impact lAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this secunty incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

A.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding for details about the 1AM credentials that were used. Use the 1AM console to add a DenyAII policy to the 1AM pnncipal.

B.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use Amazon Detective to review the API calls in context.

C.

Log in to the AWS account by using administrator credentials Review the GuardDuty finding for details about the 1AM credentials that were used Use the 1AM console to add a DenyAII policy to the 1AM principal.

D.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Questions # 102:

You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this.

Please select:

Options:

A.

Use S3 SSE and use SSL for data in transit

B.

SSL termination on the ELB

C.

Enabling Proxy Protocol

D.

Enabling sticky sessions on your load balancer

Questions # 103:

A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).

The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin.

During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.

How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

Options:

A.

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

B.

Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.

C.

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

D.

Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Questions # 104:

A security engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The security engineer has verified the following:

The rule set in the security groups is correct.

The rule set in the network ACLs is correct.

The rule set in the virtual appliance is correct.

Which of the following are other valid items to troubleshoot in this scenario? (Select TWO.)

Options:

A.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

B.

Verify which security group is applied to the particular web server's elastic network interface (ENI).

C.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.

D.

Verify the registered targets in the ALB.

E.

Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Questions # 105:

A company has a new web-based account management system for an online game Players create a unique username and password to log in to the system.

The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system.

The company's security team finds that the system was the target of a credential stuffing attack Credentials that were exposed in other breaches were used to try to log in to the system

The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future The solution also must minimize impact on legitimate users of the system

Which combination of actions will meet these requirements? (Select TWO.)

Options:

A.

Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address

B.

Add the account takeover prevention (ATP) AWS managed rule group to the web ACL Configure the rule group to inspect login requests to the system Block any requests that have the awswaf managed awsatp signal credential_compromised label

C.

Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in

D.

Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses Block any IP addresses that generate many successful logins

E.

Create a custom block response that redirects users to a secure workflow to reset their password inside the system

Questions # 106:

A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.

A security engineer must determine if the credentials were used to access the company's resources from an external account.

Which solution will provide this information?

Options:

A.

Review GuardDuty findings to find InstanceCredentialExfiltration events.

B.

Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.

C.

Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an acount ID from outside the company.

D.

Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.

Questions # 107:

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

Options:

A.

Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

B.

Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

C.

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

D.

Export the CloudWatch Log group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.

Questions # 108:

A company has AWS accounts in an organization in AWS Organizations. The company requires a specific software application to be installed on all new and existing Amazon EC2 instances in the organization. AWS Systems Manager Agent (SSM Agent) is installed and active on all the instances.

How can the company continuously monitor the deployment status of the software application on all the instances?

Options:

A.

Enable AWS Config for the entire organization. For all accounts, set up the ec2-managedinstance-applications-required AWS Config managed rule and specify the application name.

B.

Enable AWS Config for the entire organization. Provide new AMIs that have the required software application pre-installed. Set up the approved-amis-by-id AWS Config managed rule for all accounts.

C.

Create a Systems Manager Distributor package for the required software application for the entire organization. Install the Distributor package by using Systems Manager Run Command. Review the output.

D.

Configure Systems Manager Application Manager to collect a current list of installed software applications in the entire organization. Filter for the required application by software status.

Questions # 109:

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?

Please select:

Options:

A.

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

B.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

C.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

D.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Questions # 110:

A company wants to create a log analytics solution for logs generated from its on-premises devices. The logs are collected from the devices onto a server on premises. The company wants to use AWS services to perform near real-time log analysis. The company also wants to store these logs for 365 days for pattern matching and substring search capabilities later.

Which solution will meet these requirements with the LEAST development overhead?

Options:

A.

Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon DynamoDB. Configure an AWS Lambda trigger on DynamoDB streams to perform near real-time log analysis. Export the DynamoDB data to Amazon S3 periodically. Run Amazon Athena queries for pattern matching and substring search. Set up S3 Ufecycle policies to delete the log data after 365 days.

B.

Install Amazon Managed Streaming for Apache Kafka (Amazon MSK) on the on-premises server. Create an MSK cluster to collect the streaming data and analyze the data in real time. Set the data retention period to 365 days to store the logs persistently for pattern matching and substring search.

C.

Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon Data Firehose. Configure Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) as the destination for real-time processing. Store the logs in Amazon OpenSearch Service for pattern matching and substring search. Configure an OpenSearch Service Index State Management (ISM) policy to delete the data after 365 days.

D.

Use Amazon API Gateway and AWS Lambda to write the logs from the on-premises server to Amazon DynamoDB. Configure a Lambda trigger on DynamoDB streams to perform near real-time log analysis. Run Amazon Athena federated queries on DynamoDB data for pattern matching and substring search. Set up TTL to delete data after 365 days.

Viewing page 11 out of 14 pages
Viewing questions 101-110 out of questions