Amazon Web Services SCS-C02 Based on Real Exam Environment

Page: 21 / 24

Question 84

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.

How can a security engineer meet this requirement?

Options:

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).

Create an HTTPS listener that uses the Server Order Preference security feature.

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Question 85

A company uses AWS Organizations. The company wants to implement short-term cre-dentials for third-party AWS accounts to use to access accounts within the com-pany's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.

Which solution will meet these requirements?

Options:

Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.

Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identi-ty source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.

Create a unique IAM role for each external account. Create a trust policy. Use AWS Secrets Manager to create a random external key.

Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:Externalld condition key.

Question 86

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.

Which approach should the team take to accomplish this task?

Options:

Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation

Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework

Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework