New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C02 Amazon Web Services Exam Lab Questions

Page: 12 / 24
Question 48

A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this error?

Options:

A.

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

B.

Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

C.

Update the policy to keep the vault lock in place

D.

Update the policy. Call the initiate-vault-lock operation again to apply the new policy.

Question 49

A company is using AWS Organizations to implement a multi-account strategy. The company does not have on-premises infrastructure. All workloads run on AWS. The company currently has eight member accounts. The company anticipates that it will have no more than 20 AWS accounts total at any time.

The company issues a new security policy that contains the following requirements:

• No AWS account should use a VPC within the AWS account for workloads.

• The company should use a centrally managed VPC that all AWS accounts can access to launch workloads in subnets.

• No AWS account should be able to modify another AWS account's application resources within the centrally managed VPC.

• The centrally managed VPC should reside in an existing AWS account that is named Account-A within an organization.

The company uses an AWS CloudFormation template to create a VPC that contains multiple subnets in Account-A. This template exports the subnet IDs through the CloudFormation Outputs section.

Which solution will complete the security setup to meet these requirements?

Options:

A.

Use a CloudFormation template in the member accounts to launch workloads. Configure the template to use the Fn::lmportValue function to obtain the subnet ID values.

B.

Use a transit gateway in the VPC within Account-A. Configure the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads.

C.

Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.

D.

Create a peering connection between Account-A and the remaining member accounts. Configure the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads.

Question 50

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.

The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received.

What should the Security Engineer do to troubleshoot this issue?

A) Add the following statement to the IAM managed CMKs:

B)

Add the following statement to the CMK key policy:

C)

Add the following statement to the CMK key policy:

D)

Add the following statement to the CMK key policy:

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 51

A company has two IAM accounts within IAM Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an IAM KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes

Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

Options:

A.

Allow Account-1 to access the KMS key in Account-2 using a key policy

B.

Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt

C.

Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt

D.

Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.

E.

Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Page: 12 / 24
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Dec 27, 2024
Questions: 338
SCS-C02 pdf

SCS-C02 PDF

$25.5  $84.99
SCS-C02 Engine

SCS-C02 Testing Engine

$28.5  $94.99
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$40.5  $134.99