New Year Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C02 - AWS Certified Security - Specialty

Amazon Web Services SCS-C02 Premium Access     Download Demo    
Page: 9 / 14
Total 467 questions

A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log file by using a digital signature.

A.

Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

B.

Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.

C.

Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets tosend their S3 server access logs to the log group.

D.

Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained

What Is the MOST secure and cost-effective solution to meet these requirements?

A.

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

B.

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

C.

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

D.

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

A security engineer needs to analyze Apache web server access logs that are stored in an Amazon S3 bucket. Amazon EC2 instance web servers generated the logs. The EC2 instances have the Amazon CloudWatch agent installed and configured to report their access logs.

The security engineer needs to use a query in Amazon Athena to analyze the logs. The query must identify IP addresses that have attempted and failed to access restricted web server content held at the /admin URL path. The query also must identify the URLs that the IP addresses attempted to access

Which query will meet these requirements?

A.

B.

B.

C.

C.

D.

D.

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets.

Which solution will meet these requirements?

A.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job.

Which process should the bash script use to encrypt the file?

A.

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

B.

Use the aws kms create-grant command to generate a grant for the existing KMS key.

C.

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

D.

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user.

A.

Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.

B.

Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24hours to complete the Vault Lock process. Place objects in the S3 buckets.

C.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.

D.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.

THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution

Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

A.

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

B.

Create an origin access identity (OAI) for the S3 origin

C.

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

D.

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

E.

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume.

A security engineer must recommend a solution to decrypt the EBS volume's encrypted data key. The solution must also attach the volume to the EC2 instance.

Which solution will meet these requirements?

A.

Import new key material into the key. Attach the EBS volume.

B.

Restore the EBS volume from a snapshot that was taken before the deletion of the key material.

C.

Reimport the same key material lhat originally was imported into the key. Attach the EBS volume.

D.

Create a new key. Import new key material. Attach the EBS volume.

A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the

Security Engineer receives the following error message: `There is a problem with the bucket policy.`

What will enable the Security Engineer to save the change?

A.

Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

B.

Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.

C.

Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

D.

Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.

What should the Security Engineer do to accomplish this?

A.

Filter IAM CloudTrail logs for KeyRotaton events

B.

Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events

C.

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

D.

Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events