Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with Dumpstech

Exam SCS-C02 Premium Access

View all detail and faqs for the SCS-C02 exam

Go to Exam
Practice at least 50% of the questions to maximize your chances of passing.
Viewing page 12 out of 14 pages
Viewing questions 111-120 out of questions
Questions # 111:

A developer is receiving AccessDenied errors when the developer invokes API calls to AWS services from a workstation. The developer previously configured environment variables and configuration files on the workstation to use multiple roles with other AWS accounts.

A security engineer needs to help the developer configure authentication. The current credentials must be evaluated without conflicting with other credentials that were previously configured on the workstation.

Where should these credentials be configured to meet this requirement?

Options:

A.

In the local AWS CLI configuration file

B.

As environment variables on the local workstation

C.

As variables in the AWS CLI command line options

D.

In the AWS shared configuration file

Questions # 112:

A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

Options:

A.

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

B.

B. For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name.Attach the resuming policies to the corresponding IAM roles.

C.

C. Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

D.

D. Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Questions # 113:

A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company's security team recently received a report about common vulnerability identifiers on the instances.

A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.

What should the security engineer do to meet these requirements?

Options:

A.

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

B.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

C.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

D.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

Questions # 114:

A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.

Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.

Which solution meets these requirements?

Options:

A.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

B.

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

C.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

D.

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Questions # 115:

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs create^ by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

Options:

A.

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B.

The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D.

The version of the Lambda function that was invoked was not current.

Questions # 116:

A company uses a collaboration application. A security engineer needs to configure automated alerts from AWS Security Hub in the us-west-2 Region for the application. The security engineer wants to receive an alert in a channel in the application every time Security Hub receives a new finding.

The security engineer creates an AWS Lambda function to convert the message to the format that the application requires. The Lambda function also sends the message to the application's API. The security engineer configures a corresponding Amazon EventBridge rule that specifies the Lambda function as the target.

After the EventBridge rule is implemented, the channel begins to constantly receive alerts from Security Hub. Many of the alerts are Amazon Inspector alerts that do not require any action. The security engineer wants to stop the Amazon Inspector alerts.

Which solution will meet this requirement with the LEAST operational effort?

Options:

A.

Create an Amazon Simple Notification Service (Amazon SNS) topic to send messages to the application. Set a filter policy on the topic subscriptions to reject any messages that contain the product/aws/inspector string.

B.

Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.

C.

Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.

D.

Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to "anything-but": ["arn:aws:securityhub:us-west-2::product/aws/inspector"].

Questions # 117:

A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.

What should the security learn do lo launch the EC2 instance successfully

Options:

A.

Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.

B.

Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.

C.

Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.

D.

Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

Questions # 118:

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

Options:

A.

Manually rotate a key within KMS to create a new CMK immediately

B.

Use the KMS import key functionality to execute a delete key operation

C.

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

D.

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Questions # 119:

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

Options:

A.

Configure Amazon CloudWatch Logs Insights

B.

Create an Amazon CloudWatch dashboard

C.

Configure AWS Security Hub integrations

D.

Query the findings by using Amazon Athena

Questions # 120:

A company that uses GitHub Actions needs to use a workflow to deploy AWS services. A security engineer must set up authentication between the GitHub Actions workflow and the company's AWS account.

The solution must involve no static credentials and no long-lived credentials for access to AWS Additionally, the workflow must be able to run without requiring any manual changes.

Which solution will meet these requirements?

Options:

A.

Create an 1AM user Attach an 1AM policy to the 1AM user Use the AWS CLI to generate temporary credentials for the 1AM user Use the access key, secret key, and session token to authenticate to AWS from the workflow.

B.

Enable AWS 1AM Identity Center and configure it to use a local directory. Create a new service user in the 1AM Identity Center directory. Use the AWS CLI to generate temporary credentials for the service user Use the user ID and session token to authenticate to AWS from the workflow.

C.

Create an OpenID Connect (OIDC) identity provider (IdP) in 1AM Use GitHub as the provider. Create an 1AM role Attach the role to a trust policy that contains condition keys to restrict the GitHub repositones that will run the workflow. Use the role ARN to authenticate to AWS from the workflow.

D.

Configure Amazon Cognito and create an identity pool. Configure the identity pool for a SAML identity provider (IdP) Use GitHub as the provider. Create an 1AM role Attach the role to a trust policy that allows the sts AssumeRole action for Cognito Configure the workflow in GitHub to authenticate against the SAML IdP.

Viewing page 12 out of 14 pages
Viewing questions 111-120 out of questions