{"id":107072,"date":"2025-08-04T03:57:19","date_gmt":"2025-08-04T03:57:19","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=107072"},"modified":"2025-08-13T07:22:00","modified_gmt":"2025-08-13T07:22:00","slug":"verify-the-aws-scs-c02-free-dumps-part-2-q41-q80-online-check-the-scs-c02-dumps-v13-03-online","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/verify-the-aws-scs-c02-free-dumps-part-2-q41-q80-online-check-the-scs-c02-dumps-v13-03-online.html","title":{"rendered":"Verify the AWS SCS-C02 Free Dumps (Part 2, Q41-Q80) Online: Check the SCS-C02 Dumps (V13.03) Online"},"content":{"rendered":"<p>When coming for your AWS Certified Security &#8211; Specialty (SCS-C02) preparation materials, you can download the SCS-C02 dumps (V13.03) from DumpsBase. Our latest dumps for your AWS Certified Security &#8211; Specialty exam preparation are created with a focus on quality and accuracy. We understand the challenges of preparing for complex AWS exams, which is why our dumps are designed to simplify the learning process while ensuring comprehensive coverage of all exam topics. If you have read the <a href=\"https:\/\/www.dumpsbase.com\/freedumps\/updated-scs-c02-exam-dumps-v13-03-suit-your-learning-needs-read-scs-c02-free-dumps-part-1-q1-q40-online.html\"><em><strong>SCS-C02 free dumps (Part 1, Q1-Q40) of V13.03<\/strong><\/em><\/a>, you can find that the most current dumps are valuable for learning. Choose DumpsBase now, with the right SCS-C02 exam questions, you&#8217;re setting yourself up for achievement.<\/p>\n<h2>You can verify the <span style=\"background-color: #00ff00;\"><em>SCS-C02 free dumps (Part 2, Q41-Q80) of V13.02 online<\/em><\/span> to check more:<\/h2>\n<script>\n\t  window.fbAsyncInit = function() {\n\t    FB.init({\n\t      appId            : '622169541470367',\n\t      autoLogAppEvents : true,\n\t      xfbml            : true,\n\t      version          : 'v3.1'\n\t    });\n\t  };\n\t\n\t  (function(d, s, id){\n\t     var js, fjs = d.getElementsByTagName(s)[0];\n\t     if (d.getElementById(id)) {return;}\n\t     js = d.createElement(s); js.id = id;\n\t     js.src = \"https:\/\/connect.facebook.net\/en_US\/sdk.js\";\n\t     fjs.parentNode.insertBefore(js, fjs);\n\t   }(document, 'script', 'facebook-jssdk'));\n\t<\/script><script type=\"text\/javascript\" >\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \nif(!window.jQuery) alert(\"The important jQuery library is not properly loaded in your site. Your WordPress theme is probably missing the essential wp_head() call. You can switch to another theme and you will see that the plugin works fine and this notice disappears. If you are still not sure what to do you can contact us for help.\");\n});\n<\/script>  \n  \n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam10337\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-10337\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-10337\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-409893'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. <br \/>\r<br>Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_1' value='409893' \/><input type='hidden' id='answerType409893' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409893[]' id='answer-id-1588722' class='answer   answerof-409893 ' value='1588722'   \/><label for='answer-id-1588722' id='answer-label-1588722' class=' answer'><span>Configure access logging for the required API stage.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409893[]' id='answer-id-1588723' class='answer   answerof-409893 ' value='1588723'   \/><label for='answer-id-1588723' id='answer-label-1588723' class=' answer'><span>Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409893[]' id='answer-id-1588724' class='answer   answerof-409893 ' value='1588724'   \/><label for='answer-id-1588724' id='answer-label-1588724' class=' answer'><span>Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409893[]' id='answer-id-1588725' class='answer   answerof-409893 ' value='1588725'   \/><label for='answer-id-1588725' id='answer-label-1588725' class=' answer'><span>Use Amazon CloudWatch Logs Insights to analyze API access information.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409893[]' id='answer-id-1588726' class='answer   answerof-409893 ' value='1588726'   \/><label for='answer-id-1588726' id='answer-label-1588726' class=' answer'><span>Select the Enable Detailed CloudWatch Metrics option on the required API stage.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-409894'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. <br \/>\r<br>Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.<\/div><input type='hidden' name='question_id[]' id='qID_2' value='409894' \/><input type='hidden' id='answerType409894' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409894[]' id='answer-id-1588727' class='answer   answerof-409894 ' value='1588727'   \/><label for='answer-id-1588727' id='answer-label-1588727' class=' answer'><span>Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409894[]' id='answer-id-1588728' class='answer   answerof-409894 ' value='1588728'   \/><label for='answer-id-1588728' id='answer-label-1588728' class=' answer'><span>Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409894[]' id='answer-id-1588729' class='answer   answerof-409894 ' value='1588729'   \/><label for='answer-id-1588729' id='answer-label-1588729' class=' answer'><span>Add a rule to all of the VPC Security Groups to deny access from the IP Address block.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409894[]' id='answer-id-1588730' class='answer   answerof-409894 ' value='1588730'   \/><label for='answer-id-1588730' id='answer-label-1588730' class=' answer'><span>Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-409895'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest. <br \/>\r<br>A security engineer creates a new S3 bucket to store the documents. <br \/>\r<br>What should the security engineer do next to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_3' value='409895' \/><input type='hidden' id='answerType409895' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409895[]' id='answer-id-1588731' class='answer   answerof-409895 ' value='1588731'   \/><label for='answer-id-1588731' id='answer-label-1588731' class=' answer'><span>Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409895[]' id='answer-id-1588732' class='answer   answerof-409895 ' value='1588732'   \/><label for='answer-id-1588732' id='answer-label-1588732' class=' answer'><span>Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409895[]' id='answer-id-1588733' class='answer   answerof-409895 ' value='1588733'   \/><label for='answer-id-1588733' id='answer-label-1588733' class=' answer'><span>Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409895[]' id='answer-id-1588734' class='answer   answerof-409895 ' value='1588734'   \/><label for='answer-id-1588734' id='answer-label-1588734' class=' answer'><span>Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-409896'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM. <br \/>\r<br>Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below<\/div><input type='hidden' name='question_id[]' id='qID_4' value='409896' \/><input type='hidden' id='answerType409896' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409896[]' id='answer-id-1588735' class='answer   answerof-409896 ' value='1588735'   \/><label for='answer-id-1588735' id='answer-label-1588735' class=' answer'><span>Provision a Direct Connect connection to an IAM region using a Direct Connect partner.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409896[]' id='answer-id-1588736' class='answer   answerof-409896 ' value='1588736'   \/><label for='answer-id-1588736' id='answer-label-1588736' class=' answer'><span>Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409896[]' id='answer-id-1588737' class='answer   answerof-409896 ' value='1588737'   \/><label for='answer-id-1588737' id='answer-label-1588737' class=' answer'><span>Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409896[]' id='answer-id-1588738' class='answer   answerof-409896 ' value='1588738'   \/><label for='answer-id-1588738' id='answer-label-1588738' class=' answer'><span>Create a VPC peering connection between IAM and the Customer gateway.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-409897'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in: <br \/>\r<br>Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: <br \/>\r<br>InvalidldentityToken) <br \/>\r<br>A security engineer needs to provide a solution that corrects the error and minimizes operational overhead. <br \/>\r<br>Which solution meets these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_5' value='409897' \/><input type='hidden' id='answerType409897' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409897[]' id='answer-id-1588739' class='answer   answerof-409897 ' value='1588739'   \/><label for='answer-id-1588739' id='answer-label-1588739' class=' answer'><span>Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409897[]' id='answer-id-1588740' class='answer   answerof-409897 ' value='1588740'   \/><label for='answer-id-1588740' id='answer-label-1588740' class=' answer'><span>Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409897[]' id='answer-id-1588741' class='answer   answerof-409897 ' value='1588741'   \/><label for='answer-id-1588741' id='answer-label-1588741' class=' answer'><span>Download the updated SAML metadata file from the identity service provider. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409897[]' id='answer-id-1588742' class='answer   answerof-409897 ' value='1588742'   \/><label for='answer-id-1588742' id='answer-label-1588742' class=' answer'><span>Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-409898'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0\/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0\/24 assigned. Each subnet contains Amazon EC2 instances. <br \/>\r<br>Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets. <br \/>\r<br>A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other. <br \/>\r<br>Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_6' value='409898' \/><input type='hidden' id='answerType409898' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409898[]' id='answer-id-1588743' class='answer   answerof-409898 ' value='1588743'   \/><label for='answer-id-1588743' id='answer-label-1588743' class=' answer'><span>Add an outbound allow rule for 192.168.2.0\/24 in the VPC's default network AC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409898[]' id='answer-id-1588744' class='answer   answerof-409898 ' value='1588744'   \/><label for='answer-id-1588744' id='answer-label-1588744' class=' answer'><span>Add an inbound allow rule for 192.168.2.0\/24 in the VPC's default network AC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409898[]' id='answer-id-1588745' class='answer   answerof-409898 ' value='1588745'   \/><label for='answer-id-1588745' id='answer-label-1588745' class=' answer'><span>Add an outbound allow rule for 192.168.2.0\/24 in subnet-2-NAC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409898[]' id='answer-id-1588746' class='answer   answerof-409898 ' value='1588746'   \/><label for='answer-id-1588746' id='answer-label-1588746' class=' answer'><span>Add an inbound allow rule for 192.168.1.0\/24 in subnet-2-NAC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409898[]' id='answer-id-1588747' class='answer   answerof-409898 ' value='1588747'   \/><label for='answer-id-1588747' id='answer-label-1588747' class=' answer'><span>Add an outbound allow rule for 192.168.1.0\/24 in subnet-2-NAC<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-409899'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets. <br \/>\r<br>Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table. <br \/>\r<br>The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers. <br \/>\r<br>How will the security engineer be able to comply with these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_7' value='409899' \/><input type='hidden' id='answerType409899' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409899[]' id='answer-id-1588748' class='answer   answerof-409899 ' value='1588748'   \/><label for='answer-id-1588748' id='answer-label-1588748' class=' answer'><span>Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409899[]' id='answer-id-1588749' class='answer   answerof-409899 ' value='1588749'   \/><label for='answer-id-1588749' id='answer-label-1588749' class=' answer'><span>Configure the DB instance&#8482;s inbound network ACL to deny traffic from the security group ID of the NAT gateway.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409899[]' id='answer-id-1588750' class='answer   answerof-409899 ' value='1588750'   \/><label for='answer-id-1588750' id='answer-label-1588750' class=' answer'><span>Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409899[]' id='answer-id-1588751' class='answer   answerof-409899 ' value='1588751'   \/><label for='answer-id-1588751' id='answer-label-1588751' class=' answer'><span>Configure the route table of the NAT gateway to deny connections to the DB instance subnets.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-409900'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations. <br \/>\r<br>Which solution meets these requirements with the MOST operational efficiency?<\/div><input type='hidden' name='question_id[]' id='qID_8' value='409900' \/><input type='hidden' id='answerType409900' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409900[]' id='answer-id-1588752' class='answer   answerof-409900 ' value='1588752'   \/><label for='answer-id-1588752' id='answer-label-1588752' class=' answer'><span>Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409900[]' id='answer-id-1588753' class='answer   answerof-409900 ' value='1588753'   \/><label for='answer-id-1588753' id='answer-label-1588753' class=' answer'><span>Use the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not compliant. Use the IAM Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409900[]' id='answer-id-1588754' class='answer   answerof-409900 ' value='1588754'   \/><label for='answer-id-1588754' id='answer-label-1588754' class=' answer'><span>Configure VPC Flow Logs for the VP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409900[]' id='answer-id-1588755' class='answer   answerof-409900 ' value='1588755'   \/><label for='answer-id-1588755' id='answer-label-1588755' class=' answer'><span>and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an IAM Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409900[]' id='answer-id-1588756' class='answer   answerof-409900 ' value='1588756'   \/><label for='answer-id-1588756' id='answer-label-1588756' class=' answer'><span>Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-409901'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository <br \/>\r<br>A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead <br \/>\r<br>Which solution meets these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_9' value='409901' \/><input type='hidden' id='answerType409901' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409901[]' id='answer-id-1588757' class='answer   answerof-409901 ' value='1588757'   \/><label for='answer-id-1588757' id='answer-label-1588757' class=' answer'><span>Use the IAM Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409901[]' id='answer-id-1588758' class='answer   answerof-409901 ' value='1588758'   \/><label for='answer-id-1588758' id='answer-label-1588758' class=' answer'><span>Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409901[]' id='answer-id-1588759' class='answer   answerof-409901 ' value='1588759'   \/><label for='answer-id-1588759' id='answer-label-1588759' class=' answer'><span>Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409901[]' id='answer-id-1588760' class='answer   answerof-409901 ' value='1588760'   \/><label for='answer-id-1588760' id='answer-label-1588760' class=' answer'><span>Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-409902'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. <br \/>\r<br>The company has not monitored account activity in the past. <br \/>\r<br>The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_10' value='409902' \/><input type='hidden' id='answerType409902' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409902[]' id='answer-id-1588761' class='answer   answerof-409902 ' value='1588761'   \/><label for='answer-id-1588761' id='answer-label-1588761' class=' answer'><span>In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by re-source.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409902[]' id='answer-id-1588762' class='answer   answerof-409902 ' value='1588762'   \/><label for='answer-id-1588762' id='answer-label-1588762' class=' answer'><span>Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409902[]' id='answer-id-1588763' class='answer   answerof-409902 ' value='1588763'   \/><label for='answer-id-1588763' id='answer-label-1588763' class=' answer'><span>In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409902[]' id='answer-id-1588764' class='answer   answerof-409902 ' value='1588764'   \/><label for='answer-id-1588764' id='answer-label-1588764' class=' answer'><span>Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-409903'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>A company wants to monitor the deletion of AWS Key Management Service (AWS KMS) customer managed keys. A security engineer needs to create an alarm that will notify the company before a KMS key is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch. <br \/>\r<br>What should the security engineer do next to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_11' value='409903' \/><input type='hidden' id='answerType409903' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409903[]' id='answer-id-1588765' class='answer   answerof-409903 ' value='1588765'   \/><label for='answer-id-1588765' id='answer-label-1588765' class=' answer'><span>Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduled deletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409903[]' id='answer-id-1588766' class='answer   answerof-409903 ' value='1588766'   \/><label for='answer-id-1588766' id='answer-label-1588766' class=' answer'><span>Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409903[]' id='answer-id-1588767' class='answer   answerof-409903 ' value='1588767'   \/><label for='answer-id-1588767' id='answer-label-1588767' class=' answer'><span>Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409903[]' id='answer-id-1588768' class='answer   answerof-409903 ' value='1588768'   \/><label for='answer-id-1588768' id='answer-label-1588768' class=' answer'><span>Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-409904'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. <\/span>A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance. <br \/>\r<br>Which combination of steps will meet this requirement? (Choose two.)<\/div><input type='hidden' name='question_id[]' id='qID_12' value='409904' \/><input type='hidden' id='answerType409904' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409904[]' id='answer-id-1588769' class='answer   answerof-409904 ' value='1588769'   \/><label for='answer-id-1588769' id='answer-label-1588769' class=' answer'><span>Stop the instance. Detach the root volume. Generate a new key pair.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409904[]' id='answer-id-1588770' class='answer   answerof-409904 ' value='1588770'   \/><label for='answer-id-1588770' id='answer-label-1588770' class=' answer'><span>Keep the instance running. Detach the root volume. Generate a new key pair.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409904[]' id='answer-id-1588771' class='answer   answerof-409904 ' value='1588771'   \/><label for='answer-id-1588771' id='answer-label-1588771' class=' answer'><span>When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409904[]' id='answer-id-1588772' class='answer   answerof-409904 ' value='1588772'   \/><label for='answer-id-1588772' id='answer-label-1588772' class=' answer'><span>When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409904[]' id='answer-id-1588773' class='answer   answerof-409904 ' value='1588773'   \/><label for='answer-id-1588773' id='answer-label-1588773' class=' answer'><span>When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-409905'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. <br \/>\r<br>What should a security engineer do to ensure that the EC2 instances are logged?<\/div><input type='hidden' name='question_id[]' id='qID_13' value='409905' \/><input type='hidden' id='answerType409905' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409905[]' id='answer-id-1588774' class='answer   answerof-409905 ' value='1588774'   \/><label for='answer-id-1588774' id='answer-label-1588774' class=' answer'><span>Use IPv6 addresses that are configured for hostnames.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409905[]' id='answer-id-1588775' class='answer   answerof-409905 ' value='1588775'   \/><label for='answer-id-1588775' id='answer-label-1588775' class=' answer'><span>Configure external DNS resolvers as internal resolvers that are visible only to IA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409905[]' id='answer-id-1588776' class='answer   answerof-409905 ' value='1588776'   \/><label for='answer-id-1588776' id='answer-label-1588776' class=' answer'><span>Use IAM DNS resolvers for all EC2 instances.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409905[]' id='answer-id-1588777' class='answer   answerof-409905 ' value='1588777'   \/><label for='answer-id-1588777' id='answer-label-1588777' class=' answer'><span>Configure a third-party DNS resolver with logging for all EC2 instances.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-409906'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future. <br \/>\r<br>Which steps would help achieve this9 (Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_14' value='409906' \/><input type='hidden' id='answerType409906' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409906[]' id='answer-id-1588778' class='answer   answerof-409906 ' value='1588778'   \/><label for='answer-id-1588778' id='answer-label-1588778' class=' answer'><span>Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409906[]' id='answer-id-1588779' class='answer   answerof-409906 ' value='1588779'   \/><label for='answer-id-1588779' id='answer-label-1588779' class=' answer'><span>Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409906[]' id='answer-id-1588780' class='answer   answerof-409906 ' value='1588780'   \/><label for='answer-id-1588780' id='answer-label-1588780' class=' answer'><span>Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409906[]' id='answer-id-1588781' class='answer   answerof-409906 ' value='1588781'   \/><label for='answer-id-1588781' id='answer-label-1588781' class=' answer'><span>Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409906[]' id='answer-id-1588782' class='answer   answerof-409906 ' value='1588782'   \/><label for='answer-id-1588782' id='answer-label-1588782' class=' answer'><span>Use IAM WAF to create rules to respond to such attacks<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-409907'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>A security engineer receives an IAM abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's IAM account is sending phishing email messages. <br \/>\r<br>The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones. <br \/>\r<br>The instances normally communicate only over the HTTP. HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal. <br \/>\r<br>The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. <br \/>\r<br>Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_15' value='409907' \/><input type='hidden' id='answerType409907' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409907[]' id='answer-id-1588783' class='answer   answerof-409907 ' value='1588783'   \/><label for='answer-id-1588783' id='answer-label-1588783' class=' answer'><span>Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0\/0 and port 587.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409907[]' id='answer-id-1588784' class='answer   answerof-409907 ' value='1588784'   \/><label for='answer-id-1588784' id='answer-label-1588784' class=' answer'><span>Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0\/0 and port 587.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409907[]' id='answer-id-1588785' class='answer   answerof-409907 ' value='1588785'   \/><label for='answer-id-1588785' id='answer-label-1588785' class=' answer'><span>Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409907[]' id='answer-id-1588786' class='answer   answerof-409907 ' value='1588786'   \/><label for='answer-id-1588786' id='answer-label-1588786' class=' answer'><span>Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409907[]' id='answer-id-1588787' class='answer   answerof-409907 ' value='1588787'   \/><label for='answer-id-1588787' id='answer-label-1588787' class=' answer'><span>Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409907[]' id='answer-id-1588788' class='answer   answerof-409907 ' value='1588788'   \/><label for='answer-id-1588788' id='answer-label-1588788' class=' answer'><span>Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-409908'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>You need to create a policy and apply it for just an individual user. <br \/>\r<br>How could you accomplish this in the right way?<\/div><input type='hidden' name='question_id[]' id='qID_16' value='409908' \/><input type='hidden' id='answerType409908' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409908[]' id='answer-id-1588789' class='answer   answerof-409908 ' value='1588789'   \/><label for='answer-id-1588789' id='answer-label-1588789' class=' answer'><span>Add an IAM managed policy for the user<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409908[]' id='answer-id-1588790' class='answer   answerof-409908 ' value='1588790'   \/><label for='answer-id-1588790' id='answer-label-1588790' class=' answer'><span>Add a service policy for the user<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409908[]' id='answer-id-1588791' class='answer   answerof-409908 ' value='1588791'   \/><label for='answer-id-1588791' id='answer-label-1588791' class=' answer'><span>Add an IAM role for the user<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409908[]' id='answer-id-1588792' class='answer   answerof-409908 ' value='1588792'   \/><label for='answer-id-1588792' id='answer-label-1588792' class=' answer'><span>Add an inline policy for the user<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-409909'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. <br \/>\r<br>The administrators need to give a user from Account A full access to the S3 bucket in Account B. <br \/>\r<br>After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket. <br \/>\r<br>Which solution will resolve this issue?<\/div><input type='hidden' name='question_id[]' id='qID_17' value='409909' \/><input type='hidden' id='answerType409909' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409909[]' id='answer-id-1588793' class='answer   answerof-409909 ' value='1588793'   \/><label for='answer-id-1588793' id='answer-label-1588793' class=' answer'><span>In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409909[]' id='answer-id-1588794' class='answer   answerof-409909 ' value='1588794'   \/><label for='answer-id-1588794' id='answer-label-1588794' class=' answer'><span>In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409909[]' id='answer-id-1588795' class='answer   answerof-409909 ' value='1588795'   \/><label for='answer-id-1588795' id='answer-label-1588795' class=' answer'><span>In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409909[]' id='answer-id-1588796' class='answer   answerof-409909 ' value='1588796'   \/><label for='answer-id-1588796' id='answer-label-1588796' class=' answer'><span>In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-409910'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly. <br \/>\r<br>How should the security engineer build the MOST secure solution?<\/div><input type='hidden' name='question_id[]' id='qID_18' value='409910' \/><input type='hidden' id='answerType409910' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409910[]' id='answer-id-1588797' class='answer   answerof-409910 ' value='1588797'   \/><label for='answer-id-1588797' id='answer-label-1588797' class=' answer'><span>Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409910[]' id='answer-id-1588798' class='answer   answerof-409910 ' value='1588798'   \/><label for='answer-id-1588798' id='answer-label-1588798' class=' answer'><span>Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409910[]' id='answer-id-1588799' class='answer   answerof-409910 ' value='1588799'   \/><label for='answer-id-1588799' id='answer-label-1588799' class=' answer'><span>Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409910[]' id='answer-id-1588800' class='answer   answerof-409910 ' value='1588800'   \/><label for='answer-id-1588800' id='answer-label-1588800' class=' answer'><span>Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409910[]' id='answer-id-1588801' class='answer   answerof-409910 ' value='1588801'   \/><label for='answer-id-1588801' id='answer-label-1588801' class=' answer'><span>Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-409911'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>A company is using IAM Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. <br \/>\r<br>Which solution would allow the company to securely rotate the secrets? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_19' value='409911' \/><input type='hidden' id='answerType409911' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588802' class='answer   answerof-409911 ' value='1588802'   \/><label for='answer-id-1588802' id='answer-label-1588802' class=' answer'><span>Place the RDS instance in a public subnet and an IAM Lambda function outside the VP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588803' class='answer   answerof-409911 ' value='1588803'   \/><label for='answer-id-1588803' id='answer-label-1588803' class=' answer'><span>Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588804' class='answer   answerof-409911 ' value='1588804'   \/><label for='answer-id-1588804' id='answer-label-1588804' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588805' class='answer   answerof-409911 ' value='1588805'   \/><label for='answer-id-1588805' id='answer-label-1588805' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function outside the VP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588806' class='answer   answerof-409911 ' value='1588806'   \/><label for='answer-id-1588806' id='answer-label-1588806' class=' answer'><span>Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months lo rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588807' class='answer   answerof-409911 ' value='1588807'   \/><label for='answer-id-1588807' id='answer-label-1588807' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409911[]' id='answer-id-1588808' class='answer   answerof-409911 ' value='1588808'   \/><label for='answer-id-1588808' id='answer-label-1588808' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-409912'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. <br \/>\r<br>Which of the following is one of the right ways to implement this.<\/div><input type='hidden' name='question_id[]' id='qID_20' value='409912' \/><input type='hidden' id='answerType409912' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409912[]' id='answer-id-1588809' class='answer   answerof-409912 ' value='1588809'   \/><label for='answer-id-1588809' id='answer-label-1588809' class=' answer'><span>Use S3 SSE and use SSL for data in transit<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409912[]' id='answer-id-1588810' class='answer   answerof-409912 ' value='1588810'   \/><label for='answer-id-1588810' id='answer-label-1588810' class=' answer'><span>SSL termination on the ELB<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409912[]' id='answer-id-1588811' class='answer   answerof-409912 ' value='1588811'   \/><label for='answer-id-1588811' id='answer-label-1588811' class=' answer'><span>Enabling Proxy Protocol<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409912[]' id='answer-id-1588812' class='answer   answerof-409912 ' value='1588812'   \/><label for='answer-id-1588812' id='answer-label-1588812' class=' answer'><span>Enabling sticky sessions on your load balancer<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-409913'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1. Region Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at test. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket. <br \/>\r<br>The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3. <br \/>\r<br>After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated. <br \/>\r<br>Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_21' value='409913' \/><input type='hidden' id='answerType409913' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409913[]' id='answer-id-1588813' class='answer   answerof-409913 ' value='1588813'   \/><label for='answer-id-1588813' id='answer-label-1588813' class=' answer'><span>Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409913[]' id='answer-id-1588814' class='answer   answerof-409913 ' value='1588814'   \/><label for='answer-id-1588814' id='answer-label-1588814' class=' answer'><span>Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409913[]' id='answer-id-1588815' class='answer   answerof-409913 ' value='1588815'   \/><label for='answer-id-1588815' id='answer-label-1588815' class=' answer'><span>Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409913[]' id='answer-id-1588816' class='answer   answerof-409913 ' value='1588816'   \/><label for='answer-id-1588816' id='answer-label-1588816' class=' answer'><span>Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409913[]' id='answer-id-1588817' class='answer   answerof-409913 ' value='1588817'   \/><label for='answer-id-1588817' id='answer-label-1588817' class=' answer'><span>Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer's IAM account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409913[]' id='answer-id-1588818' class='answer   answerof-409913 ' value='1588818'   \/><label for='answer-id-1588818' id='answer-label-1588818' class=' answer'><span>Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-409914'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented <br \/>\r<br>Which statement should the security specialist include in the policy? <br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=342 height=145 id=\"\u56fe\u7247 42\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image023-5.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=598 height=145 id=\"\u56fe\u7247 41\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image024-5.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=349 height=144 id=\"\u56fe\u7247 40\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image025-3.png\"><br><br \/>\r<br>D) <br \/>\r<br><br><img decoding=\"async\" width=599 height=145 id=\"\u56fe\u7247 39\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image026-3.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_22' value='409914' \/><input type='hidden' id='answerType409914' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409914[]' id='answer-id-1588819' class='answer   answerof-409914 ' value='1588819'   \/><label for='answer-id-1588819' id='answer-label-1588819' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409914[]' id='answer-id-1588820' class='answer   answerof-409914 ' value='1588820'   \/><label for='answer-id-1588820' id='answer-label-1588820' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409914[]' id='answer-id-1588821' class='answer   answerof-409914 ' value='1588821'   \/><label for='answer-id-1588821' id='answer-label-1588821' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409914[]' id='answer-id-1588822' class='answer   answerof-409914 ' value='1588822'   \/><label for='answer-id-1588822' id='answer-label-1588822' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-409915'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read\/write and read-only functionality. The modules need their own database users tor compliance reasons. <br \/>\r<br>Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_23' value='409915' \/><input type='hidden' id='answerType409915' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409915[]' id='answer-id-1588823' class='answer   answerof-409915 ' value='1588823'   \/><label for='answer-id-1588823' id='answer-label-1588823' class=' answer'><span>Configure cluster security groups for each application module to control access to database users that are required for read-only and read\/write.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409915[]' id='answer-id-1588824' class='answer   answerof-409915 ' value='1588824'   \/><label for='answer-id-1588824' id='answer-label-1588824' class=' answer'><span>Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read\/write<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409915[]' id='answer-id-1588825' class='answer   answerof-409915 ' value='1588825'   \/><label for='answer-id-1588825' id='answer-label-1588825' class=' answer'><span>Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409915[]' id='answer-id-1588826' class='answer   answerof-409915 ' value='1588826'   \/><label for='answer-id-1588826' id='answer-label-1588826' class=' answer'><span>Create focal database users for each module<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409915[]' id='answer-id-1588827' class='answer   answerof-409915 ' value='1588827'   \/><label for='answer-id-1588827' id='answer-label-1588827' class=' answer'><span>Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-409916'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>Your company uses IAM to host its resources. <br \/>\r<br>They have the following requirements <br \/>\r<br>1) Record all API calls and Transitions <br \/>\r<br>2) Help in understanding what resources are there in the account <br \/>\r<br>3) Facility to allow auditing credentials and logins <br \/>\r<br>Which services would suffice the above requirements Please select:<\/div><input type='hidden' name='question_id[]' id='qID_24' value='409916' \/><input type='hidden' id='answerType409916' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409916[]' id='answer-id-1588828' class='answer   answerof-409916 ' value='1588828'   \/><label for='answer-id-1588828' id='answer-label-1588828' class=' answer'><span>IAM Inspector, CloudTrail, IAM Credential Reports<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409916[]' id='answer-id-1588829' class='answer   answerof-409916 ' value='1588829'   \/><label for='answer-id-1588829' id='answer-label-1588829' class=' answer'><span>CloudTrail. IAM Credential Reports, IAM SNS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409916[]' id='answer-id-1588830' class='answer   answerof-409916 ' value='1588830'   \/><label for='answer-id-1588830' id='answer-label-1588830' class=' answer'><span>CloudTrail, IAM Config, IAM Credential Reports<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409916[]' id='answer-id-1588831' class='answer   answerof-409916 ' value='1588831'   \/><label for='answer-id-1588831' id='answer-label-1588831' class=' answer'><span>IAM SQS, IAM Credential Reports, CloudTrail<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-409917'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services. <br \/>\r<br>Which solution will meet these requirements with the LEAST operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_25' value='409917' \/><input type='hidden' id='answerType409917' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409917[]' id='answer-id-1588832' class='answer   answerof-409917 ' value='1588832'   \/><label for='answer-id-1588832' id='answer-label-1588832' class=' answer'><span>Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409917[]' id='answer-id-1588833' class='answer   answerof-409917 ' value='1588833'   \/><label for='answer-id-1588833' id='answer-label-1588833' class=' answer'><span>Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409917[]' id='answer-id-1588834' class='answer   answerof-409917 ' value='1588834'   \/><label for='answer-id-1588834' id='answer-label-1588834' class=' answer'><span>Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409917[]' id='answer-id-1588835' class='answer   answerof-409917 ' value='1588835'   \/><label for='answer-id-1588835' id='answer-label-1588835' class=' answer'><span>For each AWS account, create tailored identity-based policies for AWS SS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409917[]' id='answer-id-1588836' class='answer   answerof-409917 ' value='1588836'   \/><label for='answer-id-1588836' id='answer-label-1588836' class=' answer'><span>Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-409918'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company\u2019s AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_26' value='409918' \/><input type='hidden' id='answerType409918' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409918[]' id='answer-id-1588837' class='answer   answerof-409918 ' value='1588837'   \/><label for='answer-id-1588837' id='answer-label-1588837' class=' answer'><span>Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an \r\nAmazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409918[]' id='answer-id-1588838' class='answer   answerof-409918 ' value='1588838'   \/><label for='answer-id-1588838' id='answer-label-1588838' class=' answer'><span>Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web AC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409918[]' id='answer-id-1588839' class='answer   answerof-409918 ' value='1588839'   \/><label for='answer-id-1588839' id='answer-label-1588839' class=' answer'><span>Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409918[]' id='answer-id-1588840' class='answer   answerof-409918 ' value='1588840'   \/><label for='answer-id-1588840' id='answer-label-1588840' class=' answer'><span>Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409918[]' id='answer-id-1588841' class='answer   answerof-409918 ' value='1588841'   \/><label for='answer-id-1588841' id='answer-label-1588841' class=' answer'><span>Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-409919'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. <br \/>\r<br>What is the FASTEST way for the security engineer to identify the federated user?<\/div><input type='hidden' name='question_id[]' id='qID_27' value='409919' \/><input type='hidden' id='answerType409919' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409919[]' id='answer-id-1588842' class='answer   answerof-409919 ' value='1588842'   \/><label for='answer-id-1588842' id='answer-label-1588842' class=' answer'><span>Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409919[]' id='answer-id-1588843' class='answer   answerof-409919 ' value='1588843'   \/><label for='answer-id-1588843' id='answer-label-1588843' class=' answer'><span>Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409919[]' id='answer-id-1588844' class='answer   answerof-409919 ' value='1588844'   \/><label for='answer-id-1588844' id='answer-label-1588844' class=' answer'><span>Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409919[]' id='answer-id-1588845' class='answer   answerof-409919 ' value='1588845'   \/><label for='answer-id-1588845' id='answer-label-1588845' class=' answer'><span>Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-409920'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>A company Is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS <br \/>\r<br>How should a security engineer implement this solution''<\/div><input type='hidden' name='question_id[]' id='qID_28' value='409920' \/><input type='hidden' id='answerType409920' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409920[]' id='answer-id-1588846' class='answer   answerof-409920 ' value='1588846'   \/><label for='answer-id-1588846' id='answer-label-1588846' class=' answer'><span>Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system in the EFS security group add the data center IP range to the allow list Mount the EFS using the EFS file system name<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409920[]' id='answer-id-1588847' class='answer   answerof-409920 ' value='1588847'   \/><label for='answer-id-1588847' id='answer-label-1588847' class=' answer'><span>Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409920[]' id='answer-id-1588848' class='answer   answerof-409920 ' value='1588848'   \/><label for='answer-id-1588848' id='answer-label-1588848' class=' answer'><span>Add the EFS file system mount target IP addresses to the allow list for the data center firewall In the EFS security group, add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409920[]' id='answer-id-1588849' class='answer   answerof-409920 ' value='1588849'   \/><label for='answer-id-1588849' id='answer-label-1588849' class=' answer'><span>Assign a static range of IP addresses for the EFS file system by contacting IAM Support In the EFS security group add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using one of the static IP addresses<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-409921'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help Mitigate this risk in the future. <br \/>\r<br>What are some ways the engineer could achieve this (Select THREE)?<\/div><input type='hidden' name='question_id[]' id='qID_29' value='409921' \/><input type='hidden' id='answerType409921' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409921[]' id='answer-id-1588850' class='answer   answerof-409921 ' value='1588850'   \/><label for='answer-id-1588850' id='answer-label-1588850' class=' answer'><span>Use IAM X-Ray to inspect the trafc going to the EC2 instances.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409921[]' id='answer-id-1588851' class='answer   answerof-409921 ' value='1588851'   \/><label for='answer-id-1588851' id='answer-label-1588851' class=' answer'><span>Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409921[]' id='answer-id-1588852' class='answer   answerof-409921 ' value='1588852'   \/><label for='answer-id-1588852' id='answer-label-1588852' class=' answer'><span>Change the security group conguration to block the source of the attack trafc<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409921[]' id='answer-id-1588853' class='answer   answerof-409921 ' value='1588853'   \/><label for='answer-id-1588853' id='answer-label-1588853' class=' answer'><span>Use IAM WAF security rules to inspect the inbound trafc.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409921[]' id='answer-id-1588854' class='answer   answerof-409921 ' value='1588854'   \/><label for='answer-id-1588854' id='answer-label-1588854' class=' answer'><span>Use Amazon Inspector assessment templates to inspect the inbound traffic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409921[]' id='answer-id-1588855' class='answer   answerof-409921 ' value='1588855'   \/><label for='answer-id-1588855' id='answer-label-1588855' class=' answer'><span>Use Amazon Route 53 to distribute trafc.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   watupro-question-id-409922'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listener <br \/>\r<br>Which configuration steps should the security engineer take to accomplish this task?<\/div><input type='hidden' name='question_id[]' id='qID_30' value='409922' \/><input type='hidden' id='answerType409922' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409922[]' id='answer-id-1588856' class='answer   answerof-409922 ' value='1588856'   \/><label for='answer-id-1588856' id='answer-label-1588856' class=' answer'><span>Create a security group with a rule that denies Inbound connections from 0.0.0 0\/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security \r\ngroup.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409922[]' id='answer-id-1588857' class='answer   answerof-409922 ' value='1588857'   \/><label for='answer-id-1588857' id='answer-label-1588857' class=' answer'><span>Create a network ACL that denies inbound connections from 0 0.0.0\/0 on port 80 Associate the network ACL with the VPC s internet gateway<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409922[]' id='answer-id-1588858' class='answer   answerof-409922 ' value='1588858'   \/><label for='answer-id-1588858' id='answer-label-1588858' class=' answer'><span>Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409922[]' id='answer-id-1588859' class='answer   answerof-409922 ' value='1588859'   \/><label for='answer-id-1588859' id='answer-label-1588859' class=' answer'><span>Create a security group with a single inbound rule that allows connections from 0.0.0 0\/0 on port 443. Ensure this security group is the only one associated with the ALB<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-409923'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. <br \/>\r<br>What is the MOST secure way to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_31' value='409923' \/><input type='hidden' id='answerType409923' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409923[]' id='answer-id-1588860' class='answer   answerof-409923 ' value='1588860'   \/><label for='answer-id-1588860' id='answer-label-1588860' class=' answer'><span>Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409923[]' id='answer-id-1588861' class='answer   answerof-409923 ' value='1588861'   \/><label for='answer-id-1588861' id='answer-label-1588861' class=' answer'><span>Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409923[]' id='answer-id-1588862' class='answer   answerof-409923 ' value='1588862'   \/><label for='answer-id-1588862' id='answer-label-1588862' class=' answer'><span>Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409923[]' id='answer-id-1588863' class='answer   answerof-409923 ' value='1588863'   \/><label for='answer-id-1588863' id='answer-label-1588863' class=' answer'><span>Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-409924'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material Company policy requires all encryption keys to be rotated every year.<br \/>\r\n<br \/>\r\nWhat should a security engineer do to meet this requirement for this customer managed key?<\/div><input type='hidden' name='question_id[]' id='qID_32' value='409924' \/><input type='hidden' id='answerType409924' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409924[]' id='answer-id-1588864' class='answer   answerof-409924 ' value='1588864'   \/><label for='answer-id-1588864' id='answer-label-1588864' class=' answer'><span>Enable automatic key rotation annually for the existing customer managed key<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409924[]' id='answer-id-1621382' class='answer   answerof-409924 ' value='1621382'   \/><label for='answer-id-1621382' id='answer-label-1621382' class=' answer'><span>Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409924[]' id='answer-id-1621383' class='answer   answerof-409924 ' value='1621383'   \/><label for='answer-id-1621383' id='answer-label-1621383' class=' answer'><span>Import new key material to the existing customer managed key Manually rotate the key<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409924[]' id='answer-id-1621384' class='answer   answerof-409924 ' value='1621384'   \/><label for='answer-id-1621384' id='answer-label-1621384' class=' answer'><span>Create a new customer managed key Import new key material to the new key Point the key alias to the new key<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-409925'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>A company's on-premises networks are connected to VPCs using an IAM Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network. <br \/>\r<br>How should the company meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_33' value='409925' \/><input type='hidden' id='answerType409925' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409925[]' id='answer-id-1588865' class='answer   answerof-409925 ' value='1588865'   \/><label for='answer-id-1588865' id='answer-label-1588865' class=' answer'><span>Create a VPC endpoint tor Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409925[]' id='answer-id-1588866' class='answer   answerof-409925 ' value='1588866'   \/><label for='answer-id-1588866' id='answer-label-1588866' class=' answer'><span>Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409925[]' id='answer-id-1588867' class='answer   answerof-409925 ' value='1588867'   \/><label for='answer-id-1588867' id='answer-label-1588867' class=' answer'><span>Create a new TLS certificate in IAM Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409925[]' id='answer-id-1588868' class='answer   answerof-409925 ' value='1588868'   \/><label for='answer-id-1588868' id='answer-label-1588868' class=' answer'><span>Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-409926'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates. <br \/>\r<br>What should the security learn do lo launch the EC2 instance successfully<\/div><input type='hidden' name='question_id[]' id='qID_34' value='409926' \/><input type='hidden' id='answerType409926' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409926[]' id='answer-id-1588869' class='answer   answerof-409926 ' value='1588869'   \/><label for='answer-id-1588869' id='answer-label-1588869' class=' answer'><span>Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409926[]' id='answer-id-1588870' class='answer   answerof-409926 ' value='1588870'   \/><label for='answer-id-1588870' id='answer-label-1588870' class=' answer'><span>Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409926[]' id='answer-id-1588871' class='answer   answerof-409926 ' value='1588871'   \/><label for='answer-id-1588871' id='answer-label-1588871' class=' answer'><span>Update the policy that is associated with the KMS key that is used to encrypt the forensic AM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409926[]' id='answer-id-1588872' class='answer   answerof-409926 ' value='1588872'   \/><label for='answer-id-1588872' id='answer-label-1588872' class=' answer'><span>Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409926[]' id='answer-id-1588873' class='answer   answerof-409926 ' value='1588873'   \/><label for='answer-id-1588873' id='answer-label-1588873' class=' answer'><span>Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AM<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-409927'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>A company wants to monitor the deletion of customer managed CMKs A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch <br \/>\r<br>What should the security engineer do next to meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_35' value='409927' \/><input type='hidden' id='answerType409927' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409927[]' id='answer-id-1588874' class='answer   answerof-409927 ' value='1588874'   \/><label for='answer-id-1588874' id='answer-label-1588874' class=' answer'><span>Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409927[]' id='answer-id-1588875' class='answer   answerof-409927 ' value='1588875'   \/><label for='answer-id-1588875' id='answer-label-1588875' class=' answer'><span>Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409927[]' id='answer-id-1588876' class='answer   answerof-409927 ' value='1588876'   \/><label for='answer-id-1588876' id='answer-label-1588876' class=' answer'><span>Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny \r\ntraffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409927[]' id='answer-id-1588877' class='answer   answerof-409927 ' value='1588877'   \/><label for='answer-id-1588877' id='answer-label-1588877' class=' answer'><span>Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-409928'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>A company is building an application on IAM that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated. <br \/>\r<br>What should the security engineer recommend?<\/div><input type='hidden' name='question_id[]' id='qID_36' value='409928' \/><input type='hidden' id='answerType409928' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409928[]' id='answer-id-1588878' class='answer   answerof-409928 ' value='1588878'   \/><label for='answer-id-1588878' id='answer-label-1588878' class=' answer'><span>Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an IAM Lambda function to rotate database credentials. Set up TLS for the connection to the database.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409928[]' id='answer-id-1588879' class='answer   answerof-409928 ' value='1588879'   \/><label for='answer-id-1588879' id='answer-label-1588879' class=' answer'><span>Install a database on an Amazon EC2 Instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in IAM CloudHSM with automatic rotation. Set up TLS for the connection to the database.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409928[]' id='answer-id-1588880' class='answer   answerof-409928 ' value='1588880'   \/><label for='answer-id-1588880' id='answer-label-1588880' class=' answer'><span>Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in IAM Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409928[]' id='answer-id-1588881' class='answer   answerof-409928 ' value='1588881'   \/><label for='answer-id-1588881' id='answer-label-1588881' class=' answer'><span>Set up an IAM CloudHSM cluster with IAM Key Management Service (IAM KMS) to store KMS keys. Set up Amazon RDS encryption using IAM KMS to encrypt the database. Store database credentials in the IAM Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-409929'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>A company deployed IAM Organizations to help manage its increasing number of IAM accounts. A security engineer wants to ensure only principals in the Organization structure can access a specic Amazon S3 bucket. The solution must also minimize operational overhead <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_37' value='409929' \/><input type='hidden' id='answerType409929' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409929[]' id='answer-id-1588882' class='answer   answerof-409929 ' value='1588882'   \/><label for='answer-id-1588882' id='answer-label-1588882' class=' answer'><span>1 Put all users into an IAM group with an access policy granting access to the J bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409929[]' id='answer-id-1588883' class='answer   answerof-409929 ' value='1588883'   \/><label for='answer-id-1588883' id='answer-label-1588883' class=' answer'><span>Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409929[]' id='answer-id-1588884' class='answer   answerof-409929 ' value='1588884'   \/><label for='answer-id-1588884' id='answer-label-1588884' class=' answer'><span>Add an SCP to the Organizations master account, allowing all principals access to the bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409929[]' id='answer-id-1588885' class='answer   answerof-409929 ' value='1588885'   \/><label for='answer-id-1588885' id='answer-label-1588885' class=' answer'><span>Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-409930'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on IAM. <br \/>\r<br>Which combination of IAM services and features will provide protection in this scenario? (Select THREE).<\/div><input type='hidden' name='question_id[]' id='qID_38' value='409930' \/><input type='hidden' id='answerType409930' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409930[]' id='answer-id-1588886' class='answer   answerof-409930 ' value='1588886'   \/><label for='answer-id-1588886' id='answer-label-1588886' class=' answer'><span>Amazon Route 53<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409930[]' id='answer-id-1588887' class='answer   answerof-409930 ' value='1588887'   \/><label for='answer-id-1588887' id='answer-label-1588887' class=' answer'><span>IAM Certificate Manager (ACM)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409930[]' id='answer-id-1588888' class='answer   answerof-409930 ' value='1588888'   \/><label for='answer-id-1588888' id='answer-label-1588888' class=' answer'><span>Amazon S3<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409930[]' id='answer-id-1588889' class='answer   answerof-409930 ' value='1588889'   \/><label for='answer-id-1588889' id='answer-label-1588889' class=' answer'><span>IAM Shield<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409930[]' id='answer-id-1588890' class='answer   answerof-409930 ' value='1588890'   \/><label for='answer-id-1588890' id='answer-label-1588890' class=' answer'><span>Elastic Load Balancer<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409930[]' id='answer-id-1588891' class='answer   answerof-409930 ' value='1588891'   \/><label for='answer-id-1588891' id='answer-label-1588891' class=' answer'><span>Amazon Guard Duty<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-409931'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>Your CTO thinks your IAM account was hacked. <br \/>\r<br>What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?<\/div><input type='hidden' name='question_id[]' id='qID_39' value='409931' \/><input type='hidden' id='answerType409931' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409931[]' id='answer-id-1588892' class='answer   answerof-409931 ' value='1588892'   \/><label for='answer-id-1588892' id='answer-label-1588892' class=' answer'><span>Use CloudTrail Log File Integrity Validation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409931[]' id='answer-id-1588893' class='answer   answerof-409931 ' value='1588893'   \/><label for='answer-id-1588893' id='answer-label-1588893' class=' answer'><span>Use IAM Config SNS Subscriptions and process events in real time.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409931[]' id='answer-id-1588894' class='answer   answerof-409931 ' value='1588894'   \/><label for='answer-id-1588894' id='answer-label-1588894' class=' answer'><span>Use CloudTrail backed up to IAM S3 and Glacier.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409931[]' id='answer-id-1588895' class='answer   answerof-409931 ' value='1588895'   \/><label for='answer-id-1588895' id='answer-label-1588895' class=' answer'><span>Use IAM Config Timeline forensics.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-409932'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables <br \/>\r<br>The application must <br \/>\r<br>&#8226; Include migration to a different IAM Region in the application disaster recovery plan. <br \/>\r<br>&#8226; Provide a full audit trail of encryption key administration events <br \/>\r<br>&#8226; Allow only company administrators to administer keys. <br \/>\r<br>&#8226; Protect data at rest using application layer encryption <br \/>\r<br>A Security Engineer is evaluating options for encryption key management <br \/>\r<br>Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?<\/div><input type='hidden' name='question_id[]' id='qID_40' value='409932' \/><input type='hidden' id='answerType409932' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409932[]' id='answer-id-1588896' class='answer   answerof-409932 ' value='1588896'   \/><label for='answer-id-1588896' id='answer-label-1588896' class=' answer'><span>The key administration event logging generated by CloudHSM is significantly more extensive than IAM KM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409932[]' id='answer-id-1588897' class='answer   answerof-409932 ' value='1588897'   \/><label for='answer-id-1588897' id='answer-label-1588897' class=' answer'><span>CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409932[]' id='answer-id-1588898' class='answer   answerof-409932 ' value='1588898'   \/><label for='answer-id-1588898' id='answer-label-1588898' class=' answer'><span>The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409932[]' id='answer-id-1588899' class='answer   answerof-409932 ' value='1588899'   \/><label for='answer-id-1588899' id='answer-label-1588899' class=' answer'><span>CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-41'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br \/>\n\t\n\t\t\t<div class=\"watupro_buttons flex \" id=\"watuPROButtons10337\" >\n\t\t  <div id=\"prev-question\" style=\"display:none;\"><input type=\"button\" value=\"&lt; Previous\" onclick=\"WatuPRO.nextQuestion(event, 'previous');\"\/><\/div>\t\t  \t\t  \t\t   \n\t\t   \t  \t\t<div><input type=\"button\" name=\"action\" class=\"watupro-submit-button\" onclick=\"WatuPRO.submitResult(event)\" id=\"action-button\" value=\"View Results\"  \/>\n\t\t<\/div>\n\t\t<\/div>\n\t\t\n\t<input type=\"hidden\" name=\"quiz_id\" value=\"10337\" id=\"watuPROExamID\"\/>\n\t<input type=\"hidden\" name=\"start_time\" id=\"startTime\" value=\"2026-05-11 15:49:33\" \/>\n\t<input type=\"hidden\" name=\"start_timestamp\" id=\"startTimeStamp\" value=\"1778514573\" \/>\n\t<input type=\"hidden\" name=\"question_ids\" value=\"\" \/>\n\t<input type=\"hidden\" name=\"watupro_questions\" value=\"409893:1588722,1588723,1588724,1588725,1588726 | 409894:1588727,1588728,1588729,1588730 | 409895:1588731,1588732,1588733,1588734 | 409896:1588735,1588736,1588737,1588738 | 409897:1588739,1588740,1588741,1588742 | 409898:1588743,1588744,1588745,1588746,1588747 | 409899:1588748,1588749,1588750,1588751 | 409900:1588752,1588753,1588754,1588755,1588756 | 409901:1588757,1588758,1588759,1588760 | 409902:1588761,1588762,1588763,1588764 | 409903:1588765,1588766,1588767,1588768 | 409904:1588769,1588770,1588771,1588772,1588773 | 409905:1588774,1588775,1588776,1588777 | 409906:1588778,1588779,1588780,1588781,1588782 | 409907:1588783,1588784,1588785,1588786,1588787,1588788 | 409908:1588789,1588790,1588791,1588792 | 409909:1588793,1588794,1588795,1588796 | 409910:1588797,1588798,1588799,1588800,1588801 | 409911:1588802,1588803,1588804,1588805,1588806,1588807,1588808 | 409912:1588809,1588810,1588811,1588812 | 409913:1588813,1588814,1588815,1588816,1588817,1588818 | 409914:1588819,1588820,1588821,1588822 | 409915:1588823,1588824,1588825,1588826,1588827 | 409916:1588828,1588829,1588830,1588831 | 409917:1588832,1588833,1588834,1588835,1588836 | 409918:1588837,1588838,1588839,1588840,1588841 | 409919:1588842,1588843,1588844,1588845 | 409920:1588846,1588847,1588848,1588849 | 409921:1588850,1588851,1588852,1588853,1588854,1588855 | 409922:1588856,1588857,1588858,1588859 | 409923:1588860,1588861,1588862,1588863 | 409924:1588864,1621382,1621383,1621384 | 409925:1588865,1588866,1588867,1588868 | 409926:1588869,1588870,1588871,1588872,1588873 | 409927:1588874,1588875,1588876,1588877 | 409928:1588878,1588879,1588880,1588881 | 409929:1588882,1588883,1588884,1588885 | 409930:1588886,1588887,1588888,1588889,1588890,1588891 | 409931:1588892,1588893,1588894,1588895 | 409932:1588896,1588897,1588898,1588899\" \/>\n\t<input type=\"hidden\" name=\"no_ajax\" value=\"0\">\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n\n<script type=\"text\/javascript\">\n\/\/jQuery(document).ready(function(){\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \t\nvar question_ids = \"409893,409894,409895,409896,409897,409898,409899,409900,409901,409902,409903,409904,409905,409906,409907,409908,409909,409910,409911,409912,409913,409914,409915,409916,409917,409918,409919,409920,409921,409922,409923,409924,409925,409926,409927,409928,409929,409930,409931,409932\";\nWatuPROSettings[10337] = {};\nWatuPRO.qArr = question_ids.split(',');\nWatuPRO.exam_id = 10337;\t    \nWatuPRO.post_id = 107072;\nWatuPRO.store_progress = 0;\nWatuPRO.curCatPage = 1;\nWatuPRO.requiredIDs=\"0\".split(\",\");\nWatuPRO.hAppID = \"0.34132900 1778514573\";\nvar url = \"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/show_exam.php\";\nWatuPRO.examMode = 1;\nWatuPRO.siteURL=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-admin\/admin-ajax.php\";\nWatuPRO.emailIsNotRequired = 0;\nWatuPROIntel.init(10337);\nWatuPRO.inCategoryPages=1;});    \t \n<\/script>\n<p>&nbsp;<\/p>\n<h3>AWS <a href=\"https:\/\/www.dumpsbase.com\/freedumps\/aws-certified-security-specialty-scs-c02-dumps-v13-03-for-your-preparation-scs-c02-free-dumps-part-3-q81-q120-are-available-online.html\"><span style=\"background-color: #00ff00;\"><em>SCS-C02 free dumps (Part 3, Q81-Q120) of V13.03<\/em><\/span><\/a> are also available online.<\/h3>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When coming for your AWS Certified Security &#8211; Specialty (SCS-C02) preparation materials, you can download the SCS-C02 dumps (V13.03) from DumpsBase. Our latest dumps for your AWS Certified Security &#8211; Specialty exam preparation are created with a focus on quality and accuracy. We understand the challenges of preparing for complex AWS exams, which is why [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,15758],"tags":[16237,19463],"class_list":["post-107072","post","type-post","status-publish","format-standard","hentry","category-amazon","category-aws-certified-specialty","tag-scs-c02-dumps","tag-scs-c02-exam-questions"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/107072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=107072"}],"version-history":[{"count":3,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/107072\/revisions"}],"predecessor-version":[{"id":108737,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/107072\/revisions\/108737"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=107072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=107072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=107072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}