Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with Dumpstech

Exam SCS-C02 Premium Access

View all detail and faqs for the SCS-C02 exam

Go to Exam
Practice at least 50% of the questions to maximize your chances of passing.
Viewing page 5 out of 14 pages
Viewing questions 41-50 out of questions
Questions # 41:

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.

A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.

Which solution should the security engineer recommend?

Options:

A.

Add an aws:MultiFactorAuthPresent condition to therole's permissions policy.

B.

Add an aws:MultiFactorAuthPresent condition to therole's trust policy.

C.

Add an aws:MultiFactorAuthPresent condition to thesession policy.

D.

Add an aws:MultiFactorAuthPresent condition to theS3 bucket policies.

Questions # 42:

A security engineer needs to centralize logging from VPC Flow Logs and AWS CloudTrail. The security engineer also needs to query the log data after an incident occurs. Which solution will meet these requirements?

Options:

A.

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a metric filter.

B.

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a subscription filter.

C.

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon DynamoDB Use the DynamoDB Query API operation to query items based on their primary key values.

D.

Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket Use Amazon Athena to query the log data.

Questions # 43:

A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

Options:

A.

The CMK is used in the attempt does not exist.

B.

The CMK is used in the attempt needs to be rotated.

C.

The CMK is used in the attempt is using the CMKג€™s key ID instead of the CMK ARN.

D.

The CMK is used in the attempt is not enabled.

E.

The CMK is used in the attempt is using an alias.

Questions # 44:

A company wants to know when users make changes to IAM roles in the company's AWS account. The company uses Amazon CloudWatch and AWS CloudTrail in the account. The company has configured a CloudTrail trail to capture read and write API activity for management events. The company has an Amazon Simple Notification Service (Amazon SNS) topic for security notifications.

A security engineer must implement a solution that provides a notification when an IAM role is edited.

Which solution will meet this requirement?

Options:

A.

Enable Amazon Detective. Run a Detective investigation for changes to IAM roles. Create an Amazon EventBridge rule that monitors the results of the Detective investigation. Set the SNS topic as the target of the EventBridge rule.

B.

Create an Amazon EventBridge rule that monitors AWS API calls from CloudTrail. Scope the event pattern to monitor changes to IAM roles from the lam.amazonaws.com event source. Set the SNS topic as the target of the EventBridge rule.

C.

Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Set up a CloudWatch metric to monitor changes to IAM roles from the lam.amazonaws.com event source. Create a subscription filter for the log group. Set the SNS topic as the target of the subscription filter.

D.

Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Create a subscription filter that includes an event pattemn to monitor changes to IAM roles from the lam.amazonaws.com event source. Set the SNS topic as the target of the subscription filter.

Questions # 45:

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.

Please select:

Options:

A.

Set up VPC peering between the central server VPC and each of the teams VPCs.

B.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

C.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

D.

None of the above options will work.

Questions # 46:

A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.

During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.

Which combination of options can the company use to meet these requirements? (Select TWO.)

Options:

A.

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

B.

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

C.

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

D.

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

E.

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Questions # 47:

A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Blodfc Store (Amazon EBS) volumes.

A security engineer needs to preserve all forensic evidence from one of the instances.

Which order of steps should the security engineer use to meet this requirement?

Options:

A.

Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.

B.

Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instanceand store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.

C.

Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshotin an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance

D.

Detach the instance from the Auto Scaling group Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.

Questions # 48:

A company is building an application on IAM that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.

What should the security engineer recommend?

Options:

A.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an IAM Lambda function to rotate database credentials. Set up TLS for the connection to the database.

B.

Install a database on an Amazon EC2 Instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in IAM CloudHSM with automatic rotation. Set up TLS for the connection to the database.

C.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in IAM Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

D.

Set up an IAM CloudHSM cluster with IAM Key Management Service (IAM KMS) to store KMS keys. Set up Amazon RDS encryption using IAM KMS to encrypt the database. Store database credentials in the IAM Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Questions # 49:

A security engineer needs to create an IAM Key Management Service

Which statement in the KMS key policy will meet these requirements?

A)

Question # 49

B)

Question # 49

C)

Question # 49

Options:

A.

Option A

B.

Option B

C.

Option C

Questions # 50:

A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

Question # 50

The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue?(Select TWO.)

A)

Question # 50

B)

Question # 50

C)

Question # 50

D)

Question # 50

E)

Question # 50

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option E

Viewing page 5 out of 14 pages
Viewing questions 41-50 out of questions