New Year Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C02 - AWS Certified Security - Specialty

Amazon Web Services SCS-C02 Premium Access     Download Demo    
Page: 1 / 14
Total 467 questions

A company wants to migrate its static primary domain website to AWS. The company hosts the website and DNS servers internally. The company wants the website to enforce SSL/TLS encryption block IP addresses from outside the United States (US), and take advantage of managed services whenever possible.

Which solution will meet these requirements?

A.

Migrate the website to Amazon S3 Import a public SSL certificate to an Application Load. Balancer with rules to block traffic from outside the US Migrate DNS to Amazon Route 53.

B.

Migrate the website to Amazon EC2 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US Update DNS accordingly.

C.

Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront Use AWS WAF rules to block traffic from outside the US Update DNS.accordingly

D.

Migrate the website to Amazon S3 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon. CloudFront Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.

A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.

A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the IAM KMS configuration to meet these requirements?

A.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

B.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

C.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances.

The security engineer wants lo monitor, store, and access all session activity logs. The logs must be encrypted.

Which solution will meet these requirements?

A.

Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

B.

Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

C.

Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.

D.

Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

A company has an external web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB) within a VPC. The web application stores data in an Amazon RDS for MySQL DB instance. The company uses a Linux bastion host to apply schema updates to the database Administrators connect to the bastion host through SSH from their corporate workstations. The following security groups are applied to the infrastructure.

• sgLB associated with the ALB

• sgWeb associated with the EC2 instances

• sgDB associated with the DB instance

• sgBastion associated with the bastion host

Which security group configuration will meet these requirements MOST securely?

A.

• sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0

• sgWeb Allow port 80 traffic and port 443 traffic from sgLB

• sgDB Allow port 3306 traffic from sgWeb and sgBastion

• sgBastion Allow port 22 traffic from the corporate IP address range

B.

• sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0

• sgWeb Allow port 80 traffic and port 443 traffic from sgLB

• sgDB Allow port 3306 traffic from sgWeb and sgLB

• sgBastion Allow port 22 traffic from the VPC IP address range

C.

• sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0

• sgWeb Allow port 80 traffic and port 443 traffic from sgLB

• sgDB Allow port 3306 traffic from sgWeb and sgBastion

• sgBastion Allow port 22 traffic from the VPC IP address range

D.

* sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0

* sgWeb: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0

* sgDB: Allow port 3306 traffic from sgWeb and sgBastion

* sgBastion: Allow port 22 traffic from the corporate IP address range

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet.

The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905.

Which solution will identify the affected EC2 instances with the LEAST operational effort?

A.

Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

B.

Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

C.

Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

D.

Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A.

Configure S3 bucket policies to deny DELETE and PUT object permissions.

B.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

A security engineer needs to suppress AWS. Security Hub findings automatically for resources that have a specific tag attached.

Which solution will meet this requirement?

A.

Create a Security Hub automation rule Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.

B.

Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.

C.

Send each Security Hub finding to Amazon Detective Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value

D.

Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company's operations team manages access to the company's S3 buckets. The company's security team manages access to encryption keys.

The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

Which solution will meet this requirement?

A.

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

B.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

C.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

D.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

A company uses AWS Organizations. The company wants to implement short-term cre-dentials for third-party AWS accounts to use to access accounts within the com-pany's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.

Which solution will meet these requirements?

A.

Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.

B.

Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identi-ty source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.

C.

Create a unique IAM role for each external account. Create a trust policy. Use AWS Secrets Manager to create a random external key.

D.

Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:Externalld condition key.

An AWS account includes two S3 buckets: bucketl and bucket2. The bucket2 does not have a policy defined, but bucketl has the following bucket policy:

In addition, the same account has an 1AM User named "alice", with the following 1AM policy.

Which buckets can user "alice" access?

A.

bucketl only

B.

bucket2 only

C.

Both bucketl and bucket2

D.

Neither bucketl nor bucket2