Amazon AWS Certified Security - Specialty (Replaced with SCS-C03) SCS-C02 Dumps in PDF

Free Amazon SCS-C02 Real Questions (page: 6)

A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.
When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.
What should the security engineer do to resolve this failure?

  1. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
  2. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
  3. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
  4. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.

Answer(s): A



A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are only a few characters long.
What is the MOST cost-effective way to address this security issue?

  1. Set up IAM policies from the Lambda console to hide access to the environment variables.
  2. Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
  3. Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
  4. Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

Answer(s): D



A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices.
Which approach should the security engineer take to meet this requirement?

  1. Use AWS IAM Access Analyzer to analyze the polices. View the findings from policy validation checks.
  2. Review AWS Trusted Advisor checks for all accounts in the organization.
  3. Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.
  4. Ensure that Amazon Inspector agents are installed on all Amazon EC2 instances in all accounts.

Answer(s): A



A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Choose two.)

  1. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  2. Use AWS System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  3. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
  4. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
  5. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.

Answer(s): A,D



A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.
The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.
Which solution will meet this requirement?

  1. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
  2. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
  3. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
  4. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.

Answer(s): C



A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.
The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.
After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.
What should the security engineer do to isolate the target instance?

  1. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
  2. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
  3. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
  4. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

Answer(s): B



A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI.
Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket.
What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

  1. Create a new CloudTrail trail. Select the new Regions where the company added resources.
  2. Change the S3 bucket to receive notifications to track all actions from all Regions.
  3. Create a new CloudTrail trail that applies to all Regions.
  4. Change the existing CloudTrail trail so that it applies to all Regions.

Answer(s): D



A company's public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.
The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.
Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)

  1. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
  2. Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the AL
  3. Configure the ALB to forward only requests that contain the custom HTTP header.
  4. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
  5. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

Answer(s): B,C



Share your comments for Amazon SCS-C02 exam with other users:

N
Neha
9/28/2023 1:58:00 PM

its helpful

D
Desmond
1/5/2023 9:11:00 PM

i just took my oracle exam and let me tell you, this exam dumps was a lifesaver! without them, iam not sure i would have passed. the questions were tricky and the answers were obscure, but the exam dumps had everything i needed. i would recommend to anyone looking to pass their oracle exams with flying colors (and a little bit of cheating) lol.

D
Davidson OZ
9/9/2023 6:37:00 PM

22. if you need to make sure that one computer in your hot-spot network can access the internet without hot-spot authentication, which menu allows you to do this? answer is ip binding and not wall garden. wall garden allows specified websites to be accessed with users authentication to the hotspot

3
381
9/2/2023 4:31:00 PM

is question 1 correct?

L
Laurent
10/6/2023 5:09:00 PM

good content

S
Sniper69
5/9/2022 11:04:00 PM

manged to pass the exam with this exam dumps.

D
Deepak
12/27/2023 2:37:00 AM

good questions

D
dba
9/23/2023 3:10:00 AM

can we please have the latest exam questions?

P
Prasad
9/29/2023 7:27:00 AM

please help with jn0-649 latest dumps

G
GTI9982
7/31/2023 10:15:00 PM

please i need this dump. thanks

E
Elton Riva
12/12/2023 8:20:00 PM

i have to take the aws certified developer - associate dva-c02 in the next few weeks and i wanted to know if the questions on your website are the same as the official exam.

B
Berihun Desalegn Wonde
7/13/2023 11:00:00 AM

all questions are more important

G
gr
7/2/2023 7:03:00 AM

ques 4 answer should be c ie automatically recover from failure

R
RS
7/27/2023 7:17:00 AM

very very useful page

B
Blessious Phiri
8/12/2023 11:47:00 AM

the exams are giving me an eye opener

A
AD
10/22/2023 9:08:00 AM

3rd so far, need to cover more

M
Matt
11/18/2023 2:32:00 AM

aligns with the pecd notes

S
Sri
10/15/2023 4:38:00 PM

question 4: b securityadmin is the correct answer. https://docs.snowflake.com/en/user-guide/security-access-control-overview#access-control-framework

H
H.T.M. D
6/25/2023 2:55:00 PM

kindly please share dumps

S
Satish
11/6/2023 4:27:00 AM

it is very useful, thank you

C
Chinna
7/30/2023 8:37:00 AM

need safe rte dumps

1
1234
6/30/2023 3:40:00 AM

can you upload the cis - cpg dumps

D
Did
1/12/2024 3:01:00 AM

q6 = 1. download odt application 2. create a configuration file (xml) 3. setup.exe /download to download the installation files 4. setup.exe /configure to deploy the application

J
John
10/12/2023 12:30:00 PM

great material

D
Dinesh
8/1/2023 2:26:00 PM

could you please upload sap c_arsor_2302 questions? it will be very much helpful.

L
LBert
6/19/2023 10:23:00 AM

vraag 20c: rsa veilig voor symmtrische cryptografie? antwoord c is toch fout. rsa is voor asymmetrische cryptogafie??

G
g
12/22/2023 1:51:00 PM

so far good

M
Milos
8/4/2023 9:33:00 AM

question 31 has obviously wrong answers. tls and ssl are used to encrypt data at transit, not at rest.

D
Diksha
9/25/2023 2:32:00 AM

pls provide dump for 1z0-1080-23 planning exams

H
H
7/17/2023 4:28:00 AM

could you please upload the exam?

A
Anonymous
9/14/2023 4:47:00 AM

please upload this

N
Naveena
1/13/2024 9:55:00 AM

good material

W
WildWilly
1/19/2024 10:43:00 AM

lets see if this is good stuff...

L
Lavanya
11/2/2023 1:53:00 AM

useful information

AI Tutor 👋 I’m here to help!