{"id":107007,"date":"2025-07-30T07:22:13","date_gmt":"2025-07-30T07:22:13","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=107007"},"modified":"2025-08-04T03:59:59","modified_gmt":"2025-08-04T03:59:59","slug":"updated-scs-c02-exam-dumps-v13-03-suit-your-learning-needs-read-scs-c02-free-dumps-part-1-q1-q40-online","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/updated-scs-c02-exam-dumps-v13-03-suit-your-learning-needs-read-scs-c02-free-dumps-part-1-q1-q40-online.html","title":{"rendered":"Updated SCS-C02 Exam Dumps (V13.03) Suit Your Learning Needs: Read SCS-C02 Free Dumps (Part 1, Q1-Q40) Online"},"content":{"rendered":"<p>Start your learning and prepare for your AWS Certified Security &#8211; Specialty (SCS-C02) exam. DumpsBase has updated the AWS SCS-C02 exam dumps to V13.03, featuring the most accurate questions and answers, allowing you to practice with Q&amp;As tailored to your learning needs. To download the latest study materials, you need to verify the validity of the free updates. DumpsBase is aware that the AWS Certified Security &#8211; Specialty exam updates its content regularly. To help you prepare according to the latest content, we offer up to one year of free updates. If your free updates are still valid, just come to DumpsBase and download the SCS-C02 exam dumps (V13.03). Before downloading, you can come here to read the SCS-C02 free dumps online.<\/p>\n<h2>Read the <span style=\"background-color: #00ffff;\"><em>AWS SCS-C02 free dumps (Part 1, Q1-Q40) online<\/em><\/span> to verify the V13.03:<\/h2>\n<script>\n\t  window.fbAsyncInit = function() {\n\t    FB.init({\n\t      appId            : '622169541470367',\n\t      autoLogAppEvents : true,\n\t      xfbml            : true,\n\t      version          : 'v3.1'\n\t    });\n\t  };\n\t\n\t  (function(d, s, id){\n\t     var js, fjs = d.getElementsByTagName(s)[0];\n\t     if (d.getElementById(id)) {return;}\n\t     js = d.createElement(s); js.id = id;\n\t     js.src = \"https:\/\/connect.facebook.net\/en_US\/sdk.js\";\n\t     fjs.parentNode.insertBefore(js, fjs);\n\t   }(document, 'script', 'facebook-jssdk'));\n\t<\/script><script type=\"text\/javascript\" >\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \nif(!window.jQuery) alert(\"The important jQuery library is not properly loaded in your site. Your WordPress theme is probably missing the essential wp_head() call. You can switch to another theme and you will see that the plugin works fine and this notice disappears. If you are still not sure what to do you can contact us for help.\");\n});\n<\/script>  \n  \n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam10336\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-10336\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-10336\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-409853'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. <br \/>\r<br>The solution must analyze logs in real time, provide message replay, and persist logs. <br \/>\r<br>Which Amazon Web Offerings (IAM) services should be employed to satisfy these requirements? (Select two.)<\/div><input type='hidden' name='question_id[]' id='qID_1' value='409853' \/><input type='hidden' id='answerType409853' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409853[]' id='answer-id-1588544' class='answer   answerof-409853 ' value='1588544'   \/><label for='answer-id-1588544' id='answer-label-1588544' class=' answer'><span>Amazon Athena<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409853[]' id='answer-id-1588545' class='answer   answerof-409853 ' value='1588545'   \/><label for='answer-id-1588545' id='answer-label-1588545' class=' answer'><span>Amazon Kinesis<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409853[]' id='answer-id-1588546' class='answer   answerof-409853 ' value='1588546'   \/><label for='answer-id-1588546' id='answer-label-1588546' class=' answer'><span>Amazon SQS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409853[]' id='answer-id-1588547' class='answer   answerof-409853 ' value='1588547'   \/><label for='answer-id-1588547' id='answer-label-1588547' class=' answer'><span>Amazon Elasticsearch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409853[]' id='answer-id-1588548' class='answer   answerof-409853 ' value='1588548'   \/><label for='answer-id-1588548' id='answer-label-1588548' class=' answer'><span>Amazon EMR<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-409854'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing. <br \/>\r<br>The data includes personally identifiable information (Pll). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table. <br \/>\r<br>Which solution will meet this requirement with the MOST operational efficiency?<\/div><input type='hidden' name='question_id[]' id='qID_2' value='409854' \/><input type='hidden' id='answerType409854' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409854[]' id='answer-id-1588549' class='answer   answerof-409854 ' value='1588549'   \/><label for='answer-id-1588549' id='answer-label-1588549' class=' answer'><span>Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409854[]' id='answer-id-1588550' class='answer   answerof-409854 ' value='1588550'   \/><label for='answer-id-1588550' id='answer-label-1588550' class=' answer'><span>Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409854[]' id='answer-id-1588551' class='answer   answerof-409854 ' value='1588551'   \/><label for='answer-id-1588551' id='answer-label-1588551' class=' answer'><span>Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409854[]' id='answer-id-1588552' class='answer   answerof-409854 ' value='1588552'   \/><label for='answer-id-1588552' id='answer-label-1588552' class=' answer'><span>Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-409855'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions. <br \/>\r<br>THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution <br \/>\r<br>Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_3' value='409855' \/><input type='hidden' id='answerType409855' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409855[]' id='answer-id-1588553' class='answer   answerof-409855 ' value='1588553'   \/><label for='answer-id-1588553' id='answer-label-1588553' class=' answer'><span>Select &quot;Restrict Bucket Access&quot; in the origin settings of the CloudFront distribution<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409855[]' id='answer-id-1588554' class='answer   answerof-409855 ' value='1588554'   \/><label for='answer-id-1588554' id='answer-label-1588554' class=' answer'><span>Create an origin access identity (OAI) for the S3 origin<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409855[]' id='answer-id-1588555' class='answer   answerof-409855 ' value='1588555'   \/><label for='answer-id-1588555' id='answer-label-1588555' class=' answer'><span>Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409855[]' id='answer-id-1588556' class='answer   answerof-409855 ' value='1588556'   \/><label for='answer-id-1588556' id='answer-label-1588556' class=' answer'><span>Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409855[]' id='answer-id-1588557' class='answer   answerof-409855 ' value='1588557'   \/><label for='answer-id-1588557' id='answer-label-1588557' class=' answer'><span>Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-409856'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive data-base credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same private subnet. The VPC has a Secrets Manager VPC endpoint. <br \/>\r<br>A security engineer discovers that the secret cannot rotate. The security engineer determines that the VPC endpoint is working as intended. The Amazon Cloud-Watch logs contain the following error: <br \/>\r<br>&quot;setSecret: Unable to log into database&quot;. <br \/>\r<br>Which solution will resolve this error?<\/div><input type='hidden' name='question_id[]' id='qID_4' value='409856' \/><input type='hidden' id='answerType409856' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409856[]' id='answer-id-1588558' class='answer   answerof-409856 ' value='1588558'   \/><label for='answer-id-1588558' id='answer-label-1588558' class=' answer'><span>Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the structure that the database requires.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409856[]' id='answer-id-1588559' class='answer   answerof-409856 ' value='1588559'   \/><label for='answer-id-1588559' id='answer-label-1588559' class=' answer'><span>Ensure that the security group that is attached to the Lambda function al-lows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409856[]' id='answer-id-1588560' class='answer   answerof-409856 ' value='1588560'   \/><label for='answer-id-1588560' id='answer-label-1588560' class=' answer'><span>Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database \r\ncredentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409856[]' id='answer-id-1588561' class='answer   answerof-409856 ' value='1588561'   \/><label for='answer-id-1588561' id='answer-label-1588561' class=' answer'><span>Add an internet gateway to the VP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409856[]' id='answer-id-1588562' class='answer   answerof-409856 ' value='1588562'   \/><label for='answer-id-1588562' id='answer-label-1588562' class=' answer'><span>Create a NAT gateway in a public sub-net. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-409857'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs. <br \/>\r<br>Which IAM services should be used to meet these requirements? (Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_5' value='409857' \/><input type='hidden' id='answerType409857' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409857[]' id='answer-id-1588563' class='answer   answerof-409857 ' value='1588563'   \/><label for='answer-id-1588563' id='answer-label-1588563' class=' answer'><span>Amazon Athena<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409857[]' id='answer-id-1588564' class='answer   answerof-409857 ' value='1588564'   \/><label for='answer-id-1588564' id='answer-label-1588564' class=' answer'><span>Amazon Kinesis<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409857[]' id='answer-id-1588565' class='answer   answerof-409857 ' value='1588565'   \/><label for='answer-id-1588565' id='answer-label-1588565' class=' answer'><span>Amazon SQS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409857[]' id='answer-id-1588566' class='answer   answerof-409857 ' value='1588566'   \/><label for='answer-id-1588566' id='answer-label-1588566' class=' answer'><span>Amazon Elasticsearch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409857[]' id='answer-id-1588567' class='answer   answerof-409857 ' value='1588567'   \/><label for='answer-id-1588567' id='answer-label-1588567' class=' answer'><span>Amazon EMR<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-409858'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>A company is evaluating the use of AWS Systems Manager Session Manager to gam access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users. <br \/>\r<br>When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error. &quot;Error Unprotected private key file - Permissions for' ssh\/my_private_key pern' are too open&quot;. <br \/>\r<br>Which command should the security administrator use to modify the private key Me permissions to resolve this error?<\/div><input type='hidden' name='question_id[]' id='qID_6' value='409858' \/><input type='hidden' id='answerType409858' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409858[]' id='answer-id-1588568' class='answer   answerof-409858 ' value='1588568'   \/><label for='answer-id-1588568' id='answer-label-1588568' class=' answer'><span>chmod 0040 ssh\/my_private_key pern<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409858[]' id='answer-id-1588569' class='answer   answerof-409858 ' value='1588569'   \/><label for='answer-id-1588569' id='answer-label-1588569' class=' answer'><span>chmod 0400 ssh\/my_private_key pern<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409858[]' id='answer-id-1588570' class='answer   answerof-409858 ' value='1588570'   \/><label for='answer-id-1588570' id='answer-label-1588570' class=' answer'><span>chmod 0004 ssh\/my_private_key pern<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409858[]' id='answer-id-1588571' class='answer   answerof-409858 ' value='1588571'   \/><label for='answer-id-1588571' id='answer-label-1588571' class=' answer'><span>chmod 0777 ssh\/my_private_key pern<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-409859'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts. <br \/>\r<br>All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts. <br \/>\r<br>Which SCP should the security engineer attach to the root of the organization to meet these requirements? <br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=382 height=265 id=\"\u56fe\u7247 64\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image001-7.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=382 height=371 id=\"\u56fe\u7247 63\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image002-7.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=382 height=371 id=\"\u56fe\u7247 62\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image003-3.png\"><br><br \/>\r<br>D) <br \/>\r<br><br><img decoding=\"async\" width=382 height=281 id=\"\u56fe\u7247 61\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image004-5.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_7' value='409859' \/><input type='hidden' id='answerType409859' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409859[]' id='answer-id-1588572' class='answer   answerof-409859 ' value='1588572'   \/><label for='answer-id-1588572' id='answer-label-1588572' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409859[]' id='answer-id-1588573' class='answer   answerof-409859 ' value='1588573'   \/><label for='answer-id-1588573' id='answer-label-1588573' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409859[]' id='answer-id-1588574' class='answer   answerof-409859 ' value='1588574'   \/><label for='answer-id-1588574' id='answer-label-1588574' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409859[]' id='answer-id-1588575' class='answer   answerof-409859 ' value='1588575'   \/><label for='answer-id-1588575' id='answer-label-1588575' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-409860'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>A company is building a data processing application mat uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account <br \/>\r<br>Which solution meets these requirements in the MOST secure way?<\/div><input type='hidden' name='question_id[]' id='qID_8' value='409860' \/><input type='hidden' id='answerType409860' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409860[]' id='answer-id-1588576' class='answer   answerof-409860 ' value='1588576'   \/><label for='answer-id-1588576' id='answer-label-1588576' class=' answer'><span>Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409860[]' id='answer-id-1588577' class='answer   answerof-409860 ' value='1588577'   \/><label for='answer-id-1588577' id='answer-label-1588577' class=' answer'><span>Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0\/0<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409860[]' id='answer-id-1588578' class='answer   answerof-409860 ' value='1588578'   \/><label for='answer-id-1588578' id='answer-label-1588578' class=' answer'><span>Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409860[]' id='answer-id-1588579' class='answer   answerof-409860 ' value='1588579'   \/><label for='answer-id-1588579' id='answer-label-1588579' class=' answer'><span>Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-409861'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database. <br \/>\r<br>During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual. <br \/>\r<br>Which combination of options can the company use to meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_9' value='409861' \/><input type='hidden' id='answerType409861' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409861[]' id='answer-id-1588580' class='answer   answerof-409861 ' value='1588580'   \/><label for='answer-id-1588580' id='answer-label-1588580' class=' answer'><span>Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409861[]' id='answer-id-1588581' class='answer   answerof-409861 ' value='1588581'   \/><label for='answer-id-1588581' id='answer-label-1588581' class=' answer'><span>Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409861[]' id='answer-id-1588582' class='answer   answerof-409861 ' value='1588582'   \/><label for='answer-id-1588582' id='answer-label-1588582' class=' answer'><span>Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awards key. Select this key as the encryption key for operations with Amazon RD<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409861[]' id='answer-id-1588583' class='answer   answerof-409861 ' value='1588583'   \/><label for='answer-id-1588583' id='answer-label-1588583' class=' answer'><span>Use IAM Key Management Service (IAM KMS] to create a new CM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409861[]' id='answer-id-1588584' class='answer   answerof-409861 ' value='1588584'   \/><label for='answer-id-1588584' id='answer-label-1588584' class=' answer'><span>Select this key as the encryption key for operations with Amazon RD<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409861[]' id='answer-id-1588585' class='answer   answerof-409861 ' value='1588585'   \/><label for='answer-id-1588585' id='answer-label-1588585' class=' answer'><span>Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-409862'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted. <br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=295 height=343 id=\"\u56fe\u7247 60\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image005-5.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=294 height=343 id=\"\u56fe\u7247 59\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image006-3.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=221 height=255 id=\"\u56fe\u7247 58\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image007-2.png\"><br><br \/>\r<br>D) <br \/>\r<br><br><img decoding=\"async\" width=223 height=255 id=\"\u56fe\u7247 57\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image008-5.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_10' value='409862' \/><input type='hidden' id='answerType409862' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409862[]' id='answer-id-1588586' class='answer   answerof-409862 ' value='1588586'   \/><label for='answer-id-1588586' id='answer-label-1588586' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409862[]' id='answer-id-1588587' class='answer   answerof-409862 ' value='1588587'   \/><label for='answer-id-1588587' id='answer-label-1588587' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409862[]' id='answer-id-1588588' class='answer   answerof-409862 ' value='1588588'   \/><label for='answer-id-1588588' id='answer-label-1588588' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409862[]' id='answer-id-1588589' class='answer   answerof-409862 ' value='1588589'   \/><label for='answer-id-1588589' id='answer-label-1588589' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-409863'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config. <br \/>\r<br>All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. <br \/>\r<br>A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation. <br \/>\r<br>Which combination of steps will meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_11' value='409863' \/><input type='hidden' id='answerType409863' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409863[]' id='answer-id-1588590' class='answer   answerof-409863 ' value='1588590'   \/><label for='answer-id-1588590' id='answer-label-1588590' class=' answer'><span>Create an AWS CloudFormation template that contains the 1 0 required AVVS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409863[]' id='answer-id-1588591' class='answer   answerof-409863 ' value='1588591'   \/><label for='answer-id-1588591' id='answer-label-1588591' class=' answer'><span>Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409863[]' id='answer-id-1588592' class='answer   answerof-409863 ' value='1588592'   \/><label for='answer-id-1588592' id='answer-label-1588592' class=' answer'><span>Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409863[]' id='answer-id-1588593' class='answer   answerof-409863 ' value='1588593'   \/><label for='answer-id-1588593' id='answer-label-1588593' class=' answer'><span>Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the security-01 ac-count.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409863[]' id='answer-id-1588594' class='answer   answerof-409863 ' value='1588594'   \/><label for='answer-id-1588594' id='answer-label-1588594' class=' answer'><span>Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the management-01 account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-409864'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. <\/span>A company has two IAM accounts within IAM Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an IAM KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes <br \/>\r<br>Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_12' value='409864' \/><input type='hidden' id='answerType409864' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409864[]' id='answer-id-1588595' class='answer   answerof-409864 ' value='1588595'   \/><label for='answer-id-1588595' id='answer-label-1588595' class=' answer'><span>Allow Account-1 to access the KMS key in Account-2 using a key policy<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409864[]' id='answer-id-1588596' class='answer   answerof-409864 ' value='1588596'   \/><label for='answer-id-1588596' id='answer-label-1588596' class=' answer'><span>Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409864[]' id='answer-id-1588597' class='answer   answerof-409864 ' value='1588597'   \/><label for='answer-id-1588597' id='answer-label-1588597' class=' answer'><span>Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409864[]' id='answer-id-1588598' class='answer   answerof-409864 ' value='1588598'   \/><label for='answer-id-1588598' id='answer-label-1588598' class=' answer'><span>Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409864[]' id='answer-id-1588599' class='answer   answerof-409864 ' value='1588599'   \/><label for='answer-id-1588599' id='answer-label-1588599' class=' answer'><span>Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-409865'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE)<\/div><input type='hidden' name='question_id[]' id='qID_13' value='409865' \/><input type='hidden' id='answerType409865' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409865[]' id='answer-id-1588600' class='answer   answerof-409865 ' value='1588600'   \/><label for='answer-id-1588600' id='answer-label-1588600' class=' answer'><span>Default AWS Certificate Manager certificate\r\n<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409865[]' id='answer-id-1621385' class='answer   answerof-409865 ' value='1621385'   \/><label for='answer-id-1621385' id='answer-label-1621385' class=' answer'><span>Custom SSL certificate stored in AWS KMS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409865[]' id='answer-id-1621386' class='answer   answerof-409865 ' value='1621386'   \/><label for='answer-id-1621386' id='answer-label-1621386' class=' answer'><span>Default CloudFront certificate<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409865[]' id='answer-id-1621387' class='answer   answerof-409865 ' value='1621387'   \/><label for='answer-id-1621387' id='answer-label-1621387' class=' answer'><span>Custom SSL certificate stored in AWS Certificate Manager<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409865[]' id='answer-id-1621388' class='answer   answerof-409865 ' value='1621388'   \/><label for='answer-id-1621388' id='answer-label-1621388' class=' answer'><span>Default SSL certificate stored in AWS Secrets Manager<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409865[]' id='answer-id-1621389' class='answer   answerof-409865 ' value='1621389'   \/><label for='answer-id-1621389' id='answer-label-1621389' class=' answer'><span>Custom SSL certificate stored in AWS IAM<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-409866'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing. <br \/>\r<br>The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received. <br \/>\r<br>What should the Security Engineer do to troubleshoot this issue? <br \/>\r<br>A) Add the following statement to the IAM managed CMKs: <br \/>\r<br><br><img decoding=\"async\" width=641 height=203 id=\"\u56fe\u7247 55\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image010-5.png\"><br><br \/>\r<br>B) Add the following statement to the CMK key policy: <br \/>\r<br><br><img decoding=\"async\" width=363 height=200 id=\"\u56fe\u7247 54\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image011-4.png\"><br><br \/>\r<br>C) Add the following statement to the CMK key policy: <br \/>\r<br><br><img decoding=\"async\" width=362 height=201 id=\"\u56fe\u7247 53\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image012-6.png\"><br><br \/>\r<br>D) Add the following statement to the CMK key policy: <br \/>\r<br><br><img decoding=\"async\" width=362 height=201 id=\"\u56fe\u7247 52\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image013-6.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_14' value='409866' \/><input type='hidden' id='answerType409866' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409866[]' id='answer-id-1588601' class='answer   answerof-409866 ' value='1588601'   \/><label for='answer-id-1588601' id='answer-label-1588601' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409866[]' id='answer-id-1588602' class='answer   answerof-409866 ' value='1588602'   \/><label for='answer-id-1588602' id='answer-label-1588602' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409866[]' id='answer-id-1588603' class='answer   answerof-409866 ' value='1588603'   \/><label for='answer-id-1588603' id='answer-label-1588603' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409866[]' id='answer-id-1588604' class='answer   answerof-409866 ' value='1588604'   \/><label for='answer-id-1588604' id='answer-label-1588604' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-409867'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_15' value='409867' \/><input type='hidden' id='answerType409867' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409867[]' id='answer-id-1588605' class='answer   answerof-409867 ' value='1588605'   \/><label for='answer-id-1588605' id='answer-label-1588605' class=' answer'><span>Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 \r\nbuckets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409867[]' id='answer-id-1588606' class='answer   answerof-409867 ' value='1588606'   \/><label for='answer-id-1588606' id='answer-label-1588606' class=' answer'><span>Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409867[]' id='answer-id-1588607' class='answer   answerof-409867 ' value='1588607'   \/><label for='answer-id-1588607' id='answer-label-1588607' class=' answer'><span>Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409867[]' id='answer-id-1588608' class='answer   answerof-409867 ' value='1588608'   \/><label for='answer-id-1588608' id='answer-label-1588608' class=' answer'><span>Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-409868'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team. <br \/>\r<br>Which CMK-related problems possibly account for the error? (Select two.)<\/div><input type='hidden' name='question_id[]' id='qID_16' value='409868' \/><input type='hidden' id='answerType409868' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409868[]' id='answer-id-1588609' class='answer   answerof-409868 ' value='1588609'   \/><label for='answer-id-1588609' id='answer-label-1588609' class=' answer'><span>The CMK is used in the attempt does not exist.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409868[]' id='answer-id-1588610' class='answer   answerof-409868 ' value='1588610'   \/><label for='answer-id-1588610' id='answer-label-1588610' class=' answer'><span>The CMK is used in the attempt needs to be rotated.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409868[]' id='answer-id-1588611' class='answer   answerof-409868 ' value='1588611'   \/><label for='answer-id-1588611' id='answer-label-1588611' class=' answer'><span>The CMK is used in the attempt is using the CMK&#8482;s key ID instead of the CMK AR<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409868[]' id='answer-id-1588612' class='answer   answerof-409868 ' value='1588612'   \/><label for='answer-id-1588612' id='answer-label-1588612' class=' answer'><span>The CMK is used in the attempt is not enabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409868[]' id='answer-id-1588613' class='answer   answerof-409868 ' value='1588613'   \/><label for='answer-id-1588613' id='answer-label-1588613' class=' answer'><span>The CMK is used in the attempt is using an alias.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-409869'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function. <br \/>\r<br>When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an \u201cerror loading Log Streams&quot; message appears. <br \/>\r<br>The IAM policy for the Lambda function's execution role contains the following: <br \/>\r<br><br><img decoding=\"async\" width=638 height=232 id=\"\u56fe\u7247 51\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image014-4.png\"><br><br \/>\r<br>How should the security engineer correct the error?<\/div><input type='hidden' name='question_id[]' id='qID_17' value='409869' \/><input type='hidden' id='answerType409869' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409869[]' id='answer-id-1588614' class='answer   answerof-409869 ' value='1588614'   \/><label for='answer-id-1588614' id='answer-label-1588614' class=' answer'><span>Move the logs:CreateLogGroup action to the second Allow statement.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409869[]' id='answer-id-1588615' class='answer   answerof-409869 ' value='1588615'   \/><label for='answer-id-1588615' id='answer-label-1588615' class=' answer'><span>Add the logs:PutDestination action to the second Allow statement.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409869[]' id='answer-id-1588616' class='answer   answerof-409869 ' value='1588616'   \/><label for='answer-id-1588616' id='answer-label-1588616' class=' answer'><span>Add the logs:GetLogEvents action to the second Allow statement.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409869[]' id='answer-id-1588617' class='answer   answerof-409869 ' value='1588617'   \/><label for='answer-id-1588617' id='answer-label-1588617' class=' answer'><span>Add the logs:CreateLogStream action to the second Allow statement.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-409870'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. <br \/>\r<br>How can the security engineer meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_18' value='409870' \/><input type='hidden' id='answerType409870' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409870[]' id='answer-id-1588618' class='answer   answerof-409870 ' value='1588618'   \/><label for='answer-id-1588618' id='answer-label-1588618' class=' answer'><span>Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409870[]' id='answer-id-1588619' class='answer   answerof-409870 ' value='1588619'   \/><label for='answer-id-1588619' id='answer-label-1588619' class=' answer'><span>Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409870[]' id='answer-id-1588620' class='answer   answerof-409870 ' value='1588620'   \/><label for='answer-id-1588620' id='answer-label-1588620' class=' answer'><span>Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409870[]' id='answer-id-1588621' class='answer   answerof-409870 ' value='1588621'   \/><label for='answer-id-1588621' id='answer-label-1588621' class=' answer'><span>Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a \r\nnew IAM group. Have team members use individual IAM accounts that are members of the new IAM group.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-409871'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. <br \/>\r<br>Which combination of steps should the security engineer take to accomplish this? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_19' value='409871' \/><input type='hidden' id='answerType409871' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409871[]' id='answer-id-1588622' class='answer   answerof-409871 ' value='1588622'   \/><label for='answer-id-1588622' id='answer-label-1588622' class=' answer'><span>Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409871[]' id='answer-id-1588623' class='answer   answerof-409871 ' value='1588623'   \/><label for='answer-id-1588623' id='answer-label-1588623' class=' answer'><span>Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409871[]' id='answer-id-1588624' class='answer   answerof-409871 ' value='1588624'   \/><label for='answer-id-1588624' id='answer-label-1588624' class=' answer'><span>Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409871[]' id='answer-id-1588625' class='answer   answerof-409871 ' value='1588625'   \/><label for='answer-id-1588625' id='answer-label-1588625' class=' answer'><span>Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409871[]' id='answer-id-1588626' class='answer   answerof-409871 ' value='1588626'   \/><label for='answer-id-1588626' id='answer-label-1588626' class=' answer'><span>Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-409872'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_20' value='409872' \/><input type='hidden' id='answerType409872' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409872[]' id='answer-id-1588627' class='answer   answerof-409872 ' value='1588627'   \/><label for='answer-id-1588627' id='answer-label-1588627' class=' answer'><span>Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409872[]' id='answer-id-1588628' class='answer   answerof-409872 ' value='1588628'   \/><label for='answer-id-1588628' id='answer-label-1588628' class=' answer'><span>Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409872[]' id='answer-id-1588629' class='answer   answerof-409872 ' value='1588629'   \/><label for='answer-id-1588629' id='answer-label-1588629' class=' answer'><span>Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409872[]' id='answer-id-1588630' class='answer   answerof-409872 ' value='1588630'   \/><label for='answer-id-1588630' id='answer-label-1588630' class=' answer'><span>Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-409873'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account. <br \/>\r<br>Which solutions will provide the Lambda function this access? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_21' value='409873' \/><input type='hidden' id='answerType409873' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409873[]' id='answer-id-1588631' class='answer   answerof-409873 ' value='1588631'   \/><label for='answer-id-1588631' id='answer-label-1588631' class=' answer'><span>Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409873[]' id='answer-id-1588632' class='answer   answerof-409873 ' value='1588632'   \/><label for='answer-id-1588632' id='answer-label-1588632' class=' answer'><span>Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Man-ager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409873[]' id='answer-id-1588633' class='answer   answerof-409873 ' value='1588633'   \/><label for='answer-id-1588633' id='answer-label-1588633' class=' answer'><span>Create an IAM role for the Lambda function. Attach an IAM policy that al-lows access to the S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409873[]' id='answer-id-1588634' class='answer   answerof-409873 ' value='1588634'   \/><label for='answer-id-1588634' id='answer-label-1588634' class=' answer'><span>Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409873[]' id='answer-id-1588635' class='answer   answerof-409873 ' value='1588635'   \/><label for='answer-id-1588635' id='answer-label-1588635' class=' answer'><span>Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group I<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-409874'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and Ama-zonVPCFull Access. <br \/>\r<br>The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role. <br \/>\r<br>Which solution will meet these requirements in the MOST operationally efficient way?<\/div><input type='hidden' name='question_id[]' id='qID_22' value='409874' \/><input type='hidden' id='answerType409874' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409874[]' id='answer-id-1588636' class='answer   answerof-409874 ' value='1588636'   \/><label for='answer-id-1588636' id='answer-label-1588636' class=' answer'><span>In AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM poli-cy for the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409874[]' id='answer-id-1588637' class='answer   answerof-409874 ' value='1588637'   \/><label for='answer-id-1588637' id='answer-label-1588637' class=' answer'><span>Remove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409874[]' id='answer-id-1588638' class='answer   answerof-409874 ' value='1588638'   \/><label for='answer-id-1588638' id='answer-label-1588638' class=' answer'><span>Create an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the Principal Arn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM policies from the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409874[]' id='answer-id-1588639' class='answer   answerof-409874 ' value='1588639'   \/><label for='answer-id-1588639' id='answer-label-1588639' class=' answer'><span>In AWS CloudTrail, create a trail for management events. Remove the existing AWS managed IAM policies from the role. Run the script. Find the authorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-409875'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>A company that uses AWS Organizations wants to see AWS Security Hub findings for many AWS accounts and AWS Regions. Some of the accounts are in the company's organization, and some accounts are in organizations that the company manages for customers. Although the company can see findings in the Security Hub administrator account for accounts in the company's organization, there are no findings from accounts in other organizations. <br \/>\r<br>Which combination of steps should the company take to see findings from accounts that are outside the organization that includes the Security Hub administrator account? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_23' value='409875' \/><input type='hidden' id='answerType409875' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409875[]' id='answer-id-1588640' class='answer   answerof-409875 ' value='1588640'   \/><label for='answer-id-1588640' id='answer-label-1588640' class=' answer'><span>Use a designated administration account to automatically set up member accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409875[]' id='answer-id-1588641' class='answer   answerof-409875 ' value='1588641'   \/><label for='answer-id-1588641' id='answer-label-1588641' class=' answer'><span>Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409875[]' id='answer-id-1588642' class='answer   answerof-409875 ' value='1588642'   \/><label for='answer-id-1588642' id='answer-label-1588642' class=' answer'><span>Send an administration request from the member accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409875[]' id='answer-id-1588643' class='answer   answerof-409875 ' value='1588643'   \/><label for='answer-id-1588643' id='answer-label-1588643' class=' answer'><span>Enable Security Hub for all member accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409875[]' id='answer-id-1588644' class='answer   answerof-409875 ' value='1588644'   \/><label for='answer-id-1588644' id='answer-label-1588644' class=' answer'><span>Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-409876'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions. <br \/>\r<br>A user is unable to assume the IAM role in the target account. <br \/>\r<br>The policy attached to the role in the identity account is: <br \/>\r<br><br><img decoding=\"async\" width=504 height=285 id=\"\u56fe\u7247 50\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image015-3.png\"><br><br \/>\r<br>What should be done to enable the user to assume the appropriate role in the target account? <br \/>\r<br><br><img decoding=\"async\" width=642 height=306 id=\"\u56fe\u7247 49\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image016-5.png\"><br><br \/>\r<br><br><img decoding=\"async\" width=650 height=525 id=\"\u56fe\u7247 48\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image017-4.png\"><br><br \/>\r<br><br><img decoding=\"async\" width=649 height=219 id=\"\u56fe\u7247 47\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image018-19.jpg\"><br><\/div><input type='hidden' name='question_id[]' id='qID_24' value='409876' \/><input type='hidden' id='answerType409876' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409876[]' id='answer-id-1588645' class='answer   answerof-409876 ' value='1588645'   \/><label for='answer-id-1588645' id='answer-label-1588645' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409876[]' id='answer-id-1588646' class='answer   answerof-409876 ' value='1588646'   \/><label for='answer-id-1588646' id='answer-label-1588646' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409876[]' id='answer-id-1588647' class='answer   answerof-409876 ' value='1588647'   \/><label for='answer-id-1588647' id='answer-label-1588647' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409876[]' id='answer-id-1588648' class='answer   answerof-409876 ' value='1588648'   \/><label for='answer-id-1588648' id='answer-label-1588648' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-409877'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year. <br \/>\r<br>Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested. <br \/>\r<br>What should the security engineer do to meet these requirements with the LEAST effort?<\/div><input type='hidden' name='question_id[]' id='qID_25' value='409877' \/><input type='hidden' id='answerType409877' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409877[]' id='answer-id-1588649' class='answer   answerof-409877 ' value='1588649'   \/><label for='answer-id-1588649' id='answer-label-1588649' class=' answer'><span>Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409877[]' id='answer-id-1588650' class='answer   answerof-409877 ' value='1588650'   \/><label for='answer-id-1588650' id='answer-label-1588650' class=' answer'><span>Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409877[]' id='answer-id-1588651' class='answer   answerof-409877 ' value='1588651'   \/><label for='answer-id-1588651' id='answer-label-1588651' class=' answer'><span>Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409877[]' id='answer-id-1588652' class='answer   answerof-409877 ' value='1588652'   \/><label for='answer-id-1588652' id='answer-label-1588652' class=' answer'><span>Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP ad-dress. Use AWS Glue to view the results.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-409878'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred. <br \/>\r<br>What should the Security Engineer do to accomplish this?<\/div><input type='hidden' name='question_id[]' id='qID_26' value='409878' \/><input type='hidden' id='answerType409878' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409878[]' id='answer-id-1588653' class='answer   answerof-409878 ' value='1588653'   \/><label for='answer-id-1588653' id='answer-label-1588653' class=' answer'><span>Filter IAM CloudTrail logs for KeyRotaton events<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409878[]' id='answer-id-1588654' class='answer   answerof-409878 ' value='1588654'   \/><label for='answer-id-1588654' id='answer-label-1588654' class=' answer'><span>Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409878[]' id='answer-id-1588655' class='answer   answerof-409878 ' value='1588655'   \/><label for='answer-id-1588655' id='answer-label-1588655' class=' answer'><span>Using the IAM CL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409878[]' id='answer-id-1588656' class='answer   answerof-409878 ' value='1588656'   \/><label for='answer-id-1588656' id='answer-label-1588656' class=' answer'><span>run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409878[]' id='answer-id-1588657' class='answer   answerof-409878 ' value='1588657'   \/><label for='answer-id-1588657' id='answer-label-1588657' class=' answer'><span>Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-409879'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). <br \/>\r<br>The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin. <br \/>\r<br>During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. <br \/>\r<br>How can the security engineer improve the security at the edge of the solution to defend against this type of attack?<\/div><input type='hidden' name='question_id[]' id='qID_27' value='409879' \/><input type='hidden' id='answerType409879' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409879[]' id='answer-id-1588658' class='answer   answerof-409879 ' value='1588658'   \/><label for='answer-id-1588658' id='answer-label-1588658' class=' answer'><span>Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409879[]' id='answer-id-1588659' class='answer   answerof-409879 ' value='1588659'   \/><label for='answer-id-1588659' id='answer-label-1588659' class=' answer'><span>Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409879[]' id='answer-id-1588660' class='answer   answerof-409879 ' value='1588660'   \/><label for='answer-id-1588660' id='answer-label-1588660' class=' answer'><span>Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409879[]' id='answer-id-1588661' class='answer   answerof-409879 ' value='1588661'   \/><label for='answer-id-1588661' id='answer-label-1588661' class=' answer'><span>Configure the CloudFront distribution to use IAM WAF as its origin instead of the AL<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-409880'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. <br \/>\r<br>What is the MOST secure way to provide this access?<\/div><input type='hidden' name='question_id[]' id='qID_28' value='409880' \/><input type='hidden' id='answerType409880' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409880[]' id='answer-id-1588662' class='answer   answerof-409880 ' value='1588662'   \/><label for='answer-id-1588662' id='answer-label-1588662' class=' answer'><span>Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409880[]' id='answer-id-1588663' class='answer   answerof-409880 ' value='1588663'   \/><label for='answer-id-1588663' id='answer-label-1588663' class=' answer'><span>Create cross account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409880[]' id='answer-id-1588664' class='answer   answerof-409880 ' value='1588664'   \/><label for='answer-id-1588664' id='answer-label-1588664' class=' answer'><span>Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409880[]' id='answer-id-1588665' class='answer   answerof-409880 ' value='1588665'   \/><label for='answer-id-1588665' id='answer-label-1588665' class=' answer'><span>Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-409881'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account <br \/>\r<br>Which configuration caused this issue? <br \/>\r<br>A) An SCP is attached to the account with the following permission statement: <br \/>\r<br><br><img decoding=\"async\" width=390 height=619 id=\"\u56fe\u7247 46\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image019-4.png\"><br><br \/>\r<br>B) A permission boundary policy is attached to the System Administrator role with the following permission statement: <br \/>\r<br><br><img decoding=\"async\" width=389 height=683 id=\"\u56fe\u7247 45\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image020-4.png\"><br><br \/>\r<br>C) A permission boundary is attached to the System Administrator role with the following permission statement: <br \/>\r<br><br><img decoding=\"async\" width=231 height=294 id=\"\u56fe\u7247 44\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image021-5.png\"><br><br \/>\r<br>D) An SCP is attached to the account with the following statement: <br \/>\r<br><br><img decoding=\"async\" width=233 height=342 id=\"\u56fe\u7247 43\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image022-4.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_29' value='409881' \/><input type='hidden' id='answerType409881' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409881[]' id='answer-id-1588666' class='answer   answerof-409881 ' value='1588666'   \/><label for='answer-id-1588666' id='answer-label-1588666' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409881[]' id='answer-id-1588667' class='answer   answerof-409881 ' value='1588667'   \/><label for='answer-id-1588667' id='answer-label-1588667' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409881[]' id='answer-id-1588668' class='answer   answerof-409881 ' value='1588668'   \/><label for='answer-id-1588668' id='answer-label-1588668' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409881[]' id='answer-id-1588669' class='answer   answerof-409881 ' value='1588669'   \/><label for='answer-id-1588669' id='answer-label-1588669' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   watupro-question-id-409882'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed. <br \/>\r<br>Which approach should the team take to accomplish this task?<\/div><input type='hidden' name='question_id[]' id='qID_30' value='409882' \/><input type='hidden' id='answerType409882' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409882[]' id='answer-id-1588670' class='answer   answerof-409882 ' value='1588670'   \/><label for='answer-id-1588670' id='answer-label-1588670' class=' answer'><span>Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409882[]' id='answer-id-1588671' class='answer   answerof-409882 ' value='1588671'   \/><label for='answer-id-1588671' id='answer-label-1588671' class=' answer'><span>Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409882[]' id='answer-id-1588672' class='answer   answerof-409882 ' value='1588672'   \/><label for='answer-id-1588672' id='answer-label-1588672' class=' answer'><span>Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409882[]' id='answer-id-1588673' class='answer   answerof-409882 ' value='1588673'   \/><label for='answer-id-1588673' id='answer-label-1588673' class=' answer'><span>Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-409883'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store The application has separate modules for readwrite and read-only functionality The modules need their own database users for compliance reasons <br \/>\r<br>Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_31' value='409883' \/><input type='hidden' id='answerType409883' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409883[]' id='answer-id-1588674' class='answer   answerof-409883 ' value='1588674'   \/><label for='answer-id-1588674' id='answer-label-1588674' class=' answer'><span>Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409883[]' id='answer-id-1588675' class='answer   answerof-409883 ' value='1588675'   \/><label for='answer-id-1588675' id='answer-label-1588675' class=' answer'><span>Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read\/write<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409883[]' id='answer-id-1588676' class='answer   answerof-409883 ' value='1588676'   \/><label for='answer-id-1588676' id='answer-label-1588676' class=' answer'><span>Configure an 1AM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409883[]' id='answer-id-1588677' class='answer   answerof-409883 ' value='1588677'   \/><label for='answer-id-1588677' id='answer-label-1588677' class=' answer'><span>Create local database users for each module<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409883[]' id='answer-id-1588678' class='answer   answerof-409883 ' value='1588678'   \/><label for='answer-id-1588678' id='answer-label-1588678' class=' answer'><span>Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-409884'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup. <br \/>\r<br>Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_32' value='409884' \/><input type='hidden' id='answerType409884' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409884[]' id='answer-id-1588679' class='answer   answerof-409884 ' value='1588679'   \/><label for='answer-id-1588679' id='answer-label-1588679' class=' answer'><span>Disable termination protection for the EC2 instance if termination protection has not been disabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409884[]' id='answer-id-1588680' class='answer   answerof-409884 ' value='1588680'   \/><label for='answer-id-1588680' id='answer-label-1588680' class=' answer'><span>Enable termination protection for the EC2 instance if termination protection has not been enabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409884[]' id='answer-id-1588681' class='answer   answerof-409884 ' value='1588681'   \/><label for='answer-id-1588681' id='answer-label-1588681' class=' answer'><span>Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409884[]' id='answer-id-1588682' class='answer   answerof-409884 ' value='1588682'   \/><label for='answer-id-1588682' id='answer-label-1588682' class=' answer'><span>Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409884[]' id='answer-id-1588683' class='answer   answerof-409884 ' value='1588683'   \/><label for='answer-id-1588683' id='answer-label-1588683' class=' answer'><span>Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409884[]' id='answer-id-1588684' class='answer   answerof-409884 ' value='1588684'   \/><label for='answer-id-1588684' id='answer-label-1588684' class=' answer'><span>Immediately remove any entries in the EC2 instance metadata that contain sensitive information.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-409885'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet. <br \/>\r<br>To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances. <br \/>\r<br>What should the security engineer do next?<\/div><input type='hidden' name='question_id[]' id='qID_33' value='409885' \/><input type='hidden' id='answerType409885' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409885[]' id='answer-id-1588685' class='answer   answerof-409885 ' value='1588685'   \/><label for='answer-id-1588685' id='answer-label-1588685' class=' answer'><span>Place the network interface in promiscuous mode to capture the traffic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409885[]' id='answer-id-1588686' class='answer   answerof-409885 ' value='1588686'   \/><label for='answer-id-1588686' id='answer-label-1588686' class=' answer'><span>Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409885[]' id='answer-id-1588687' class='answer   answerof-409885 ' value='1588687'   \/><label for='answer-id-1588687' id='answer-label-1588687' class=' answer'><span>Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409885[]' id='answer-id-1588688' class='answer   answerof-409885 ' value='1588688'   \/><label for='answer-id-1588688' id='answer-label-1588688' class=' answer'><span>Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-409886'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>A company has a relational database workload that runs on Amazon Aurora MySQL. According to new compliance standards the company must rotate all database credentials every 30 days. The company needs a solution that maximizes security and minimizes development effort. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_34' value='409886' \/><input type='hidden' id='answerType409886' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409886[]' id='answer-id-1588689' class='answer   answerof-409886 ' value='1588689'   \/><label for='answer-id-1588689' id='answer-label-1588689' class=' answer'><span>Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409886[]' id='answer-id-1588690' class='answer   answerof-409886 ' value='1588690'   \/><label for='answer-id-1588690' id='answer-label-1588690' class=' answer'><span>Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409886[]' id='answer-id-1588691' class='answer   answerof-409886 ' value='1588691'   \/><label for='answer-id-1588691' id='answer-label-1588691' class=' answer'><span>Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409886[]' id='answer-id-1588692' class='answer   answerof-409886 ' value='1588692'   \/><label for='answer-id-1588692' id='answer-label-1588692' class=' answer'><span>Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-409887'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly. <br \/>\r<br>The security team must create a process that will allow application teams to provision their own IAM roles. <br \/>\r<br>The process must also limit the scope of IAM roles and prevent privilege escalation. <br \/>\r<br>Which solution will meet these requirements with the LEAST operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_35' value='409887' \/><input type='hidden' id='answerType409887' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409887[]' id='answer-id-1588693' class='answer   answerof-409887 ' value='1588693'   \/><label for='answer-id-1588693' id='answer-label-1588693' class=' answer'><span>Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409887[]' id='answer-id-1588694' class='answer   answerof-409887 ' value='1588694'   \/><label for='answer-id-1588694' id='answer-label-1588694' class=' answer'><span>Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409887[]' id='answer-id-1588695' class='answer   answerof-409887 ' value='1588695'   \/><label for='answer-id-1588695' id='answer-label-1588695' class=' answer'><span>Put each AWS account in its own O<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409887[]' id='answer-id-1588696' class='answer   answerof-409887 ' value='1588696'   \/><label for='answer-id-1588696' id='answer-label-1588696' class=' answer'><span>Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409887[]' id='answer-id-1588697' class='answer   answerof-409887 ' value='1588697'   \/><label for='answer-id-1588697' id='answer-label-1588697' class=' answer'><span>Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-409888'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possible. <br \/>\r<br>Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_36' value='409888' \/><input type='hidden' id='answerType409888' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409888[]' id='answer-id-1588698' class='answer   answerof-409888 ' value='1588698'   \/><label for='answer-id-1588698' id='answer-label-1588698' class=' answer'><span>Turn on VPC Flow Logs for all VPCs in the account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409888[]' id='answer-id-1588699' class='answer   answerof-409888 ' value='1588699'   \/><label for='answer-id-1588699' id='answer-label-1588699' class=' answer'><span>Activate Amazon GuardDuty across all AWS Regions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409888[]' id='answer-id-1588700' class='answer   answerof-409888 ' value='1588700'   \/><label for='answer-id-1588700' id='answer-label-1588700' class=' answer'><span>Activate Amazon Detective across all AWS Regions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409888[]' id='answer-id-1588701' class='answer   answerof-409888 ' value='1588701'   \/><label for='answer-id-1588701' id='answer-label-1588701' class=' answer'><span>Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the findings to the SNS topic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409888[]' id='answer-id-1588702' class='answer   answerof-409888 ' value='1588702'   \/><label for='answer-id-1588702' id='answer-label-1588702' class=' answer'><span>Create an AWS Lambda function. Create an Amazon EventBridge rule that invokes the Lambda function to publish findings to Amazon Simple Email Ser-vice (Amazon SES).<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-409889'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_37' value='409889' \/><input type='hidden' id='answerType409889' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409889[]' id='answer-id-1588703' class='answer   answerof-409889 ' value='1588703'   \/><label for='answer-id-1588703' id='answer-label-1588703' class=' answer'><span>Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409889[]' id='answer-id-1588704' class='answer   answerof-409889 ' value='1588704'   \/><label for='answer-id-1588704' id='answer-label-1588704' class=' answer'><span>Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409889[]' id='answer-id-1588705' class='answer   answerof-409889 ' value='1588705'   \/><label for='answer-id-1588705' id='answer-label-1588705' class=' answer'><span>Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409889[]' id='answer-id-1588706' class='answer   answerof-409889 ' value='1588706'   \/><label for='answer-id-1588706' id='answer-label-1588706' class=' answer'><span>Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-409890'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>A company uses AWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open. The company must secure access management and implement a centralized togging solution. <br \/>\r<br>Which solution will meet these requirements MOST securely?<\/div><input type='hidden' name='question_id[]' id='qID_38' value='409890' \/><input type='hidden' id='answerType409890' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409890[]' id='answer-id-1588707' class='answer   answerof-409890 ' value='1588707'   \/><label for='answer-id-1588707' id='answer-label-1588707' class=' answer'><span>Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409890[]' id='answer-id-1588708' class='answer   answerof-409890 ' value='1588708'   \/><label for='answer-id-1588708' id='answer-label-1588708' class=' answer'><span>Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409890[]' id='answer-id-1588709' class='answer   answerof-409890 ' value='1588709'   \/><label for='answer-id-1588709' id='answer-label-1588709' class=' answer'><span>AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409890[]' id='answer-id-1588710' class='answer   answerof-409890 ' value='1588710'   \/><label for='answer-id-1588710' id='answer-label-1588710' class=' answer'><span>Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409890[]' id='answer-id-1588711' class='answer   answerof-409890 ' value='1588711'   \/><label for='answer-id-1588711' id='answer-label-1588711' class=' answer'><span>Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-409891'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail m an regions when it opened the account <br \/>\r<br>Which of the following will allow (he Security Engineer 10 complete the task?<\/div><input type='hidden' name='question_id[]' id='qID_39' value='409891' \/><input type='hidden' id='answerType409891' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409891[]' id='answer-id-1588712' class='answer   answerof-409891 ' value='1588712'   \/><label for='answer-id-1588712' id='answer-label-1588712' class=' answer'><span>Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409891[]' id='answer-id-1588713' class='answer   answerof-409891 ' value='1588713'   \/><label for='answer-id-1588713' id='answer-label-1588713' class=' answer'><span>Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409891[]' id='answer-id-1588714' class='answer   answerof-409891 ' value='1588714'   \/><label for='answer-id-1588714' id='answer-label-1588714' class=' answer'><span>Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409891[]' id='answer-id-1588715' class='answer   answerof-409891 ' value='1588715'   \/><label for='answer-id-1588715' id='answer-label-1588715' class=' answer'><span>Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-409892'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53 <br \/>\r<br>The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time <br \/>\r<br>Which combination of steps should the application team take to deploy this architecture? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_40' value='409892' \/><input type='hidden' id='answerType409892' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409892[]' id='answer-id-1588716' class='answer   answerof-409892 ' value='1588716'   \/><label for='answer-id-1588716' id='answer-label-1588716' class=' answer'><span>Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409892[]' id='answer-id-1588717' class='answer   answerof-409892 ' value='1588717'   \/><label for='answer-id-1588717' id='answer-label-1588717' class=' answer'><span>Send an email message to the domain administrators to request vacation of the domains for ACM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409892[]' id='answer-id-1588718' class='answer   answerof-409892 ' value='1588718'   \/><label for='answer-id-1588718' id='answer-label-1588718' class=' answer'><span>Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409892[]' id='answer-id-1588719' class='answer   answerof-409892 ' value='1588719'   \/><label for='answer-id-1588719' id='answer-label-1588719' class=' answer'><span>Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409892[]' id='answer-id-1588720' class='answer   answerof-409892 ' value='1588720'   \/><label for='answer-id-1588720' id='answer-label-1588720' class=' answer'><span>Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409892[]' id='answer-id-1588721' class='answer   answerof-409892 ' value='1588721'   \/><label for='answer-id-1588721' id='answer-label-1588721' class=' answer'><span>Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-41'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br \/>\n\t\n\t\t\t<div class=\"watupro_buttons flex \" id=\"watuPROButtons10336\" >\n\t\t  <div id=\"prev-question\" style=\"display:none;\"><input type=\"button\" value=\"&lt; Previous\" onclick=\"WatuPRO.nextQuestion(event, 'previous');\"\/><\/div>\t\t  \t\t  \t\t   \n\t\t   \t  \t\t<div><input type=\"button\" name=\"action\" class=\"watupro-submit-button\" onclick=\"WatuPRO.submitResult(event)\" id=\"action-button\" value=\"View Results\"  \/>\n\t\t<\/div>\n\t\t<\/div>\n\t\t\n\t<input type=\"hidden\" name=\"quiz_id\" value=\"10336\" id=\"watuPROExamID\"\/>\n\t<input type=\"hidden\" name=\"start_time\" id=\"startTime\" value=\"2026-05-11 16:01:12\" \/>\n\t<input type=\"hidden\" name=\"start_timestamp\" id=\"startTimeStamp\" value=\"1778515272\" \/>\n\t<input type=\"hidden\" name=\"question_ids\" value=\"\" \/>\n\t<input type=\"hidden\" name=\"watupro_questions\" value=\"409853:1588544,1588545,1588546,1588547,1588548 | 409854:1588549,1588550,1588551,1588552 | 409855:1588553,1588554,1588555,1588556,1588557 | 409856:1588558,1588559,1588560,1588561,1588562 | 409857:1588563,1588564,1588565,1588566,1588567 | 409858:1588568,1588569,1588570,1588571 | 409859:1588572,1588573,1588574,1588575 | 409860:1588576,1588577,1588578,1588579 | 409861:1588580,1588581,1588582,1588583,1588584,1588585 | 409862:1588586,1588587,1588588,1588589 | 409863:1588590,1588591,1588592,1588593,1588594 | 409864:1588595,1588596,1588597,1588598,1588599 | 409865:1588600,1621385,1621386,1621387,1621388,1621389 | 409866:1588601,1588602,1588603,1588604 | 409867:1588605,1588606,1588607,1588608 | 409868:1588609,1588610,1588611,1588612,1588613 | 409869:1588614,1588615,1588616,1588617 | 409870:1588618,1588619,1588620,1588621 | 409871:1588622,1588623,1588624,1588625,1588626 | 409872:1588627,1588628,1588629,1588630 | 409873:1588631,1588632,1588633,1588634,1588635 | 409874:1588636,1588637,1588638,1588639 | 409875:1588640,1588641,1588642,1588643,1588644 | 409876:1588645,1588646,1588647,1588648 | 409877:1588649,1588650,1588651,1588652 | 409878:1588653,1588654,1588655,1588656,1588657 | 409879:1588658,1588659,1588660,1588661 | 409880:1588662,1588663,1588664,1588665 | 409881:1588666,1588667,1588668,1588669 | 409882:1588670,1588671,1588672,1588673 | 409883:1588674,1588675,1588676,1588677,1588678 | 409884:1588679,1588680,1588681,1588682,1588683,1588684 | 409885:1588685,1588686,1588687,1588688 | 409886:1588689,1588690,1588691,1588692 | 409887:1588693,1588694,1588695,1588696,1588697 | 409888:1588698,1588699,1588700,1588701,1588702 | 409889:1588703,1588704,1588705,1588706 | 409890:1588707,1588708,1588709,1588710,1588711 | 409891:1588712,1588713,1588714,1588715 | 409892:1588716,1588717,1588718,1588719,1588720,1588721\" \/>\n\t<input type=\"hidden\" name=\"no_ajax\" value=\"0\">\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n\n<script type=\"text\/javascript\">\n\/\/jQuery(document).ready(function(){\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \t\nvar question_ids = \"409853,409854,409855,409856,409857,409858,409859,409860,409861,409862,409863,409864,409865,409866,409867,409868,409869,409870,409871,409872,409873,409874,409875,409876,409877,409878,409879,409880,409881,409882,409883,409884,409885,409886,409887,409888,409889,409890,409891,409892\";\nWatuPROSettings[10336] = {};\nWatuPRO.qArr = question_ids.split(',');\nWatuPRO.exam_id = 10336;\t    \nWatuPRO.post_id = 107007;\nWatuPRO.store_progress = 0;\nWatuPRO.curCatPage = 1;\nWatuPRO.requiredIDs=\"0\".split(\",\");\nWatuPRO.hAppID = \"0.35815000 1778515272\";\nvar url = \"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/show_exam.php\";\nWatuPRO.examMode = 1;\nWatuPRO.siteURL=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-admin\/admin-ajax.php\";\nWatuPRO.emailIsNotRequired = 0;\nWatuPROIntel.init(10336);\nWatuPRO.inCategoryPages=1;});    \t \n<\/script>\n<p>&nbsp;<\/p>\n<h3>Continue to read more demos, our <a href=\"https:\/\/www.dumpsbase.com\/freedumps\/verify-the-aws-scs-c02-free-dumps-part-2-q41-q80-online-check-the-scs-c02-dumps-v13-03-online.html\"><span style=\"background-color: #00ffff;\"><em>SCS-C02 free dumps (Part 2, Q41-Q80) of V13.03<\/em><\/span><\/a> are online.<\/h3>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Start your learning and prepare for your AWS Certified Security &#8211; Specialty (SCS-C02) exam. DumpsBase has updated the AWS SCS-C02 exam dumps to V13.03, featuring the most accurate questions and answers, allowing you to practice with Q&amp;As tailored to your learning needs. To download the latest study materials, you need to verify the validity of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,15758],"tags":[19436,19437],"class_list":["post-107007","post","type-post","status-publish","format-standard","hentry","category-amazon","category-aws-certified-specialty","tag-aws-scs-c02-exam-dumps","tag-scs-c02-free-dumps"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/107007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=107007"}],"version-history":[{"count":3,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/107007\/revisions"}],"predecessor-version":[{"id":107075,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/107007\/revisions\/107075"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=107007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=107007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=107007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}