{"id":108729,"date":"2025-08-13T07:20:05","date_gmt":"2025-08-13T07:20:05","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=108729"},"modified":"2025-08-13T07:20:05","modified_gmt":"2025-08-13T07:20:05","slug":"aws-certified-security-specialty-scs-c02-dumps-v13-03-for-your-preparation-scs-c02-free-dumps-part-3-q81-q120-are-available-online","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/aws-certified-security-specialty-scs-c02-dumps-v13-03-for-your-preparation-scs-c02-free-dumps-part-3-q81-q120-are-available-online.html","title":{"rendered":"AWS Certified Security &#8211; Specialty SCS-C02 Dumps (V13.03) for Your Preparation: SCS-C02 Free Dumps (Part 3, Q81-Q120) Are Available Online"},"content":{"rendered":"<p>Achieving an outstanding score in the AWS Certified Security &#8211; Specialty (SCS-C02) exam becomes easier with the most current SCS-C02 dumps (V13.03). This updated version is diligently designed to include real exam questions and answers that embody specific knowledge and skills, arranging the AWS Certified Security &#8211; Specialty exam dumps in a way that is indispensable for your exam preparation. You can check the quality of V13.03 by reading our free dumps online:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.dumpsbase.com\/freedumps\/updated-scs-c02-exam-dumps-v13-03-suit-your-learning-needs-read-scs-c02-free-dumps-part-1-q1-q40-online.html\"><em>SCS-C02 free dumps (Part 1, Q1-Q40) of V13.03<\/em><\/a><\/li>\n<li><a href=\"https:\/\/www.dumpsbase.com\/freedumps\/verify-the-aws-scs-c02-free-dumps-part-2-q41-q80-online-check-the-scs-c02-dumps-v13-03-online.html\"><em>SCS-C02 free dumps (Part 2, Q41-Q80) of V13.03<\/em><\/a><\/li>\n<\/ul>\n<p>After testing all these demos, you can find that the SCS-C02 dumps (V13.03) are the most valuable for learning. 
Becoming a certified professional requires superiority in passing the AWS Certified Security &#8211; Specialty (SCS-C02) exam, and the most current SCS-C02 dumps (V13.03) are here to help your success with real exam questions and answers.<\/p>\n<h2>AWS <span style=\"background-color: #ccffcc;\"><em>SCS-C02 free dumps (Part 3, Q81-Q120) of V13.03<\/em><\/span> are also available to help you check more demos:<\/h2>\n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam10338\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-10338\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-10338\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-409933'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions. <br \/>\r<br>What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?<\/div><input type='hidden' name='question_id[]' id='qID_1' value='409933' \/><input type='hidden' id='answerType409933' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409933[]' id='answer-id-1588900' class='answer   answerof-409933 ' value='1588900'   \/><label for='answer-id-1588900' id='answer-label-1588900' class=' answer'><span>Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409933[]' id='answer-id-1588901' class='answer   answerof-409933 ' value='1588901'   \/><label for='answer-id-1588901' id='answer-label-1588901' class=' answer'><span>Use an organization in AWS Organizations. 
Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409933[]' id='answer-id-1588902' class='answer   answerof-409933 ' value='1588902'   \/><label for='answer-id-1588902' id='answer-label-1588902' class=' answer'><span>Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409933[]' id='answer-id-1588903' class='answer   answerof-409933 ' value='1588903'   \/><label for='answer-id-1588903' id='answer-label-1588903' class=' answer'><span>Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-409934'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised. <br \/>\r<br>Which combination of actions should the Security team take to respond to the current incident? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_2' value='409934' \/><input type='hidden' id='answerType409934' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409934[]' id='answer-id-1588904' class='answer   answerof-409934 ' value='1588904'   \/><label for='answer-id-1588904' id='answer-label-1588904' class=' answer'><span>Open a support case with the AWS Security team and ask them to remove the malicious code from the affected instance<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409934[]' id='answer-id-1588905' class='answer   answerof-409934 ' value='1588905'   \/><label for='answer-id-1588905' id='answer-label-1588905' class=' answer'><span>Respond to the notification and list the actions that have been taken to address the incident<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409934[]' id='answer-id-1588906' class='answer   answerof-409934 ' value='1588906'   \/><label for='answer-id-1588906' id='answer-label-1588906' class=' answer'><span>Delete all IAM users and resources in the account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409934[]' id='answer-id-1588907' class='answer   answerof-409934 ' value='1588907'   \/><label for='answer-id-1588907' id='answer-label-1588907' class=' answer'><span>Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0\/0 from the security groups, and create a NACL rule to deny all traffic inbound from the internet<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409934[]' id='answer-id-1588908' class='answer   answerof-409934 ' value='1588908'   \/><label for='answer-id-1588908' 
id='answer-label-1588908' class=' answer'><span>Delete the identified compromised instances and delete any associated resources that the Security team did not create.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-409935'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account. <br \/>\r<br>Which solution will meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_3' value='409935' \/><input type='hidden' id='answerType409935' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409935[]' id='answer-id-1588909' class='answer   answerof-409935 ' value='1588909'   \/><label for='answer-id-1588909' id='answer-label-1588909' class=' answer'><span>Use Macie to detect an active DDoS event. 
Create Amazon CloudWatch alarms that respond to Macie findings.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409935[]' id='answer-id-1588910' class='answer   answerof-409935 ' value='1588910'   \/><label for='answer-id-1588910' id='answer-label-1588910' class=' answer'><span>Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409935[]' id='answer-id-1588911' class='answer   answerof-409935 ' value='1588911'   \/><label for='answer-id-1588911' id='answer-label-1588911' class=' answer'><span>Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409935[]' id='answer-id-1588912' class='answer   answerof-409935 ' value='1588912'   \/><label for='answer-id-1588912' id='answer-label-1588912' class=' answer'><span>Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-409936'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories. <br \/>\r<br>A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs). 
<br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_4' value='409936' \/><input type='hidden' id='answerType409936' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409936[]' id='answer-id-1588913' class='answer   answerof-409936 ' value='1588913'   \/><label for='answer-id-1588913' id='answer-label-1588913' class=' answer'><span>Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances\u2019 user data. Run an assessment with the CVE rules.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409936[]' id='answer-id-1588914' class='answer   answerof-409936 ' value='1588914'   \/><label for='answer-id-1588914' id='answer-label-1588914' class=' answer'><span>Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409936[]' id='answer-id-1588915' class='answer   answerof-409936 ' value='1588915'   \/><label for='answer-id-1588915' id='answer-label-1588915' class=' answer'><span>Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems \r\nManager Agent on the ECS container instances. Run an inventory report.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409936[]' id='answer-id-1588916' class='answer   answerof-409936 ' value='1588916'   \/><label for='answer-id-1588916' id='answer-label-1588916' class=' answer'><span>Enable KMS encryption on the existing ECR repositories. 
Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-409937'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm recently learned that the photographs are being accessed from countries in which it does not have a distribution license. <br \/>\r<br>Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)<\/div><input type='hidden' name='question_id[]' id='qID_5' value='409937' \/><input type='hidden' id='answerType409937' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409937[]' id='answer-id-1588917' class='answer   answerof-409937 ' value='1588917'   \/><label for='answer-id-1588917' id='answer-label-1588917' class=' answer'><span>Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409937[]' id='answer-id-1588918' class='answer   answerof-409937 ' value='1588918'   \/><label for='answer-id-1588918' id='answer-label-1588918' class=' answer'><span>Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409937[]' id='answer-id-1588919' class='answer   answerof-409937 ' value='1588919'   \/><label 
for='answer-id-1588919' id='answer-label-1588919' class=' answer'><span>Add a CloudFront geo restriction deny list of countries where the company lacks a license.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409937[]' id='answer-id-1588920' class='answer   answerof-409937 ' value='1588920'   \/><label for='answer-id-1588920' id='answer-label-1588920' class=' answer'><span>Update the S3 bucket policy with a deny list of countries where the company lacks a license.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409937[]' id='answer-id-1588921' class='answer   answerof-409937 ' value='1588921'   \/><label for='answer-id-1588921' id='answer-label-1588921' class=' answer'><span>Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-409938'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. 
<\/span>A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties. <br \/>\r<br>How can a security engineer provide the access to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_6' value='409938' \/><input type='hidden' id='answerType409938' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409938[]' id='answer-id-1588922' class='answer   answerof-409938 ' value='1588922'   \/><label for='answer-id-1588922' id='answer-label-1588922' class=' answer'><span>Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409938[]' id='answer-id-1588923' class='answer   answerof-409938 ' value='1588923'   \/><label for='answer-id-1588923' id='answer-label-1588923' class=' answer'><span>Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409938[]' id='answer-id-1588924' class='answer   answerof-409938 ' value='1588924'   \/><label for='answer-id-1588924' id='answer-label-1588924' class=' answer'><span>Assign an IAM policy to the instance profile to allow the EC2 instances to 
be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409938[]' id='answer-id-1588925' class='answer   answerof-409938 ' value='1588925'   \/><label for='answer-id-1588925' id='answer-label-1588925' class=' answer'><span>Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-409939'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices. <br \/>\r<br>Which approach should the security engineer take to meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_7' value='409939' \/><input type='hidden' id='answerType409939' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409939[]' id='answer-id-1588926' class='answer   answerof-409939 ' value='1588926'   \/><label for='answer-id-1588926' id='answer-label-1588926' class=' answer'><span>Use AWS IAM Access Analyzer to analyze the policies. 
View the findings from policy validation checks.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409939[]' id='answer-id-1588927' class='answer   answerof-409939 ' value='1588927'   \/><label for='answer-id-1588927' id='answer-label-1588927' class=' answer'><span>Review AWS Trusted Advisor checks for all accounts in the organization.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409939[]' id='answer-id-1588928' class='answer   answerof-409939 ' value='1588928'   \/><label for='answer-id-1588928' id='answer-label-1588928' class=' answer'><span>Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409939[]' id='answer-id-1588929' class='answer   answerof-409939 ' value='1588929'   \/><label for='answer-id-1588929' id='answer-label-1588929' class=' answer'><span>Ensure that Amazon Inspector agents are installed on all Amazon EC2 instances in all accounts.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-409940'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. 
<\/span>A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. <br \/>\r<br>What should the security engineer do to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_8' value='409940' \/><input type='hidden' id='answerType409940' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409940[]' id='answer-id-1588930' class='answer   answerof-409940 ' value='1588930'   \/><label for='answer-id-1588930' id='answer-label-1588930' class=' answer'><span>Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409940[]' id='answer-id-1588931' class='answer   answerof-409940 ' value='1588931'   \/><label for='answer-id-1588931' id='answer-label-1588931' class=' answer'><span>Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409940[]' id='answer-id-1588932' class='answer   answerof-409940 ' value='1588932'   \/><label for='answer-id-1588932' id='answer-label-1588932' class=' answer'><span>Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409940[]' id='answer-id-1588933' 
class='answer   answerof-409940 ' value='1588933'   \/><label for='answer-id-1588933' id='answer-label-1588933' class=' answer'><span>Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-409941'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account. <br \/>\r<br>Which combination of steps must the company perform to meet this requirement? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_9' value='409941' \/><input type='hidden' id='answerType409941' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409941[]' id='answer-id-1588934' class='answer   answerof-409941 ' value='1588934'   \/><label for='answer-id-1588934' id='answer-label-1588934' class=' answer'><span>Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. 
Attach the identity policy to the IAM user.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409941[]' id='answer-id-1588935' class='answer   answerof-409941 ' value='1588935'   \/><label for='answer-id-1588935' id='answer-label-1588935' class=' answer'><span>Ensure that the sts:AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409941[]' id='answer-id-1588936' class='answer   answerof-409941 ' value='1588936'   \/><label for='answer-id-1588936' id='answer-label-1588936' class=' answer'><span>Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409941[]' id='answer-id-1588937' class='answer   answerof-409941 ' value='1588937'   \/><label for='answer-id-1588937' id='answer-label-1588937' class=' answer'><span>Establish a trust relationship between the IAM user and the AWS account that contains the resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409941[]' id='answer-id-1588938' class='answer   answerof-409941 ' value='1588938'   \/><label for='answer-id-1588938' id='answer-label-1588938' class=' answer'><span>Create a role in the IAM user's AWS account. Create an identity policy that allows the sts:AssumeRole action. 
Attach the identity policy to the role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-409942'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs. <br \/>\r<br>Which combination of steps should the security team take? (Choose three.)<\/div><input type='hidden' name='question_id[]' id='qID_10' value='409942' \/><input type='hidden' id='answerType409942' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409942[]' id='answer-id-1588939' class='answer   answerof-409942 ' value='1588939'   \/><label for='answer-id-1588939' id='answer-label-1588939' class=' answer'><span>Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409942[]' id='answer-id-1588940' class='answer   answerof-409942 ' value='1588940'   \/><label for='answer-id-1588940' id='answer-label-1588940' class=' answer'><span>Compress log file with secure gzip.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409942[]' id='answer-id-1588941' class='answer   answerof-409942 ' value='1588941'   \/><label for='answer-id-1588941' id='answer-label-1588941' class=' answer'><span>Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.<\/span><\/label><\/div><div class='watupro-question-choice  ' 
dir='auto' ><input type='checkbox' name='answer-409942[]' id='answer-id-1588942' class='answer   answerof-409942 ' value='1588942'   \/><label for='answer-id-1588942' id='answer-label-1588942' class=' answer'><span>Implement least privilege access to the S3 bucket by configuring a bucket policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409942[]' id='answer-id-1588943' class='answer   answerof-409942 ' value='1588943'   \/><label for='answer-id-1588943' id='answer-label-1588943' class=' answer'><span>Configure CloudTrail log file integrity validation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409942[]' id='answer-id-1588944' class='answer   answerof-409942 ' value='1588944'   \/><label for='answer-id-1588944' id='answer-label-1588944' class=' answer'><span>Configure Access Analyzer for S3.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-409943'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions. <br \/>\r<br>Which statement should the company add to the key policy to meet this requirement? 
<br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=369 height=192 id=\"\u56fe\u7247 38\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image027-1.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=360 height=191 id=\"\u56fe\u7247 37\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image028-3.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=440 height=227 id=\"\u56fe\u7247 1\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image029-3.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_11' value='409943' \/><input type='hidden' id='answerType409943' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409943[]' id='answer-id-1588945' class='answer   answerof-409943 ' value='1588945'   \/><label for='answer-id-1588945' id='answer-label-1588945' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409943[]' id='answer-id-1588946' class='answer   answerof-409943 ' value='1588946'   \/><label for='answer-id-1588946' id='answer-label-1588946' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409943[]' id='answer-id-1588947' class='answer   answerof-409943 ' value='1588947'   \/><label for='answer-id-1588947' id='answer-label-1588947' class=' answer'><span>Option C<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-409944'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. 
<\/span>A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. <br \/>\r<br>What should the Security Engineer do to block the malicious bot?<\/div><input type='hidden' name='question_id[]' id='qID_12' value='409944' \/><input type='hidden' id='answerType409944' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409944[]' id='answer-id-1588948' class='answer   answerof-409944 ' value='1588948'   \/><label for='answer-id-1588948' id='answer-label-1588948' class=' answer'><span>Add a deny rule to the public VPC security group to block the malicious IP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409944[]' id='answer-id-1588949' class='answer   answerof-409944 ' value='1588949'   \/><label for='answer-id-1588949' id='answer-label-1588949' class=' answer'><span>Add the malicious IP to AWS WAF blacklisted IPs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409944[]' id='answer-id-1588950' class='answer   answerof-409944 ' value='1588950'   \/><label for='answer-id-1588950' id='answer-label-1588950' class=' answer'><span>Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409944[]' id='answer-id-1588951' class='answer   answerof-409944 ' value='1588951'   \/><label for='answer-id-1588951' id='answer-label-1588951' class=' answer'><span>Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' 
id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-409945'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow. The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform. The systems engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group. <br \/>\r<br>Which solution will meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_13' value='409945' \/><input type='hidden' id='answerType409945' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409945[]' id='answer-id-1588952' class='answer   answerof-409945 ' value='1588952'   \/><label for='answer-id-1588952' id='answer-label-1588952' class=' answer'><span>Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region in the LogConfiguration property<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409945[]' id='answer-id-1588953' class='answer   answerof-409945 ' value='1588953'   \/><label for='answer-id-1588953' id='answer-label-1588953' class=' answer'><span>Download and configure the CloudWatch agent on the container instances<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409945[]' id='answer-id-1588954' class='answer   answerof-409945 ' value='1588954'   \/><label for='answer-id-1588954' id='answer-label-1588954' class=' answer'><span>Set up Fluent Bit and Fluentd as a DaemonSet to send logs to Amazon CloudWatch Logs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' 
name='answer-409945[]' id='answer-id-1588955' class='answer   answerof-409945 ' value='1588955'   \/><label for='answer-id-1588955' id='answer-label-1588955' class=' answer'><span>Configure an IAM policy that includes the logs:CreateLogGroup action. Assign the policy to the container instances<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-409946'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. <br \/>\r<br>Which actions must the Security Engineer take to address these audit findings? (Select THREE)<\/div><input type='hidden' name='question_id[]' id='qID_14' value='409946' \/><input type='hidden' id='answerType409946' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409946[]' id='answer-id-1588956' class='answer   answerof-409946 ' value='1588956'   \/><label for='answer-id-1588956' id='answer-label-1588956' class=' answer'><span>Ensure CloudTrail log file validation is turned on<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409946[]' id='answer-id-1588957' class='answer   answerof-409946 ' value='1588957'   \/><label for='answer-id-1588957' id='answer-label-1588957' class=' answer'><span>Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409946[]' id='answer-id-1588958' class='answer   answerof-409946 ' value='1588958'   \/><label for='answer-id-1588958' id='answer-label-1588958' class=' 
answer'><span>Use an S3 bucket with tight access controls that exists in a separate account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409946[]' id='answer-id-1588959' class='answer   answerof-409946 ' value='1588959'   \/><label for='answer-id-1588959' id='answer-label-1588959' class=' answer'><span>Use Amazon Inspector to monitor the file integrity of CloudTrail log files.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409946[]' id='answer-id-1588960' class='answer   answerof-409946 ' value='1588960'   \/><label for='answer-id-1588960' id='answer-label-1588960' class=' answer'><span>Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409946[]' id='answer-id-1588961' class='answer   answerof-409946 ' value='1588961'   \/><label for='answer-id-1588961' id='answer-label-1588961' class=' answer'><span>Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-409947'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. 
<\/span>Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems. <br \/>\r<br>What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?<\/div><input type='hidden' name='question_id[]' id='qID_15' value='409947' \/><input type='hidden' id='answerType409947' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409947[]' id='answer-id-1588962' class='answer   answerof-409947 ' value='1588962'   \/><label for='answer-id-1588962' id='answer-label-1588962' class=' answer'><span>On a recurring basis, update IAM user policies to require that EC2 instances are created with an encrypted volume<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409947[]' id='answer-id-1588963' class='answer   answerof-409947 ' value='1588963'   \/><label for='answer-id-1588963' id='answer-label-1588963' class=' answer'><span>Configure an AWS Config rule to run on a recurring basis for volume encryption<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409947[]' id='answer-id-1588964' class='answer   answerof-409947 ' value='1588964'   \/><label for='answer-id-1588964' id='answer-label-1588964' class=' answer'><span>Set up Amazon Inspector rules for volume encryption to run on a recurring schedule<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409947[]' id='answer-id-1588965' class='answer   answerof-409947 ' value='1588965'   \/><label for='answer-id-1588965' id='answer-label-1588965' class=' answer'><span>Use CloudWatch Logs to determine whether instances were created with 
an encrypted volume<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-409948'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI. <br \/>\r<br>Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket. <br \/>\r<br>What should the security engineer do to fix this issue with the LEAST amount of operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_16' value='409948' \/><input type='hidden' id='answerType409948' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409948[]' id='answer-id-1588966' class='answer   answerof-409948 ' value='1588966'   \/><label for='answer-id-1588966' id='answer-label-1588966' class=' answer'><span>Create a new CloudTrail trail. 
Select the new Regions where the company added resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409948[]' id='answer-id-1588967' class='answer   answerof-409948 ' value='1588967'   \/><label for='answer-id-1588967' id='answer-label-1588967' class=' answer'><span>Change the S3 bucket to receive notifications to track all actions from all Regions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409948[]' id='answer-id-1588968' class='answer   answerof-409948 ' value='1588968'   \/><label for='answer-id-1588968' id='answer-label-1588968' class=' answer'><span>Create a new CloudTrail trail that applies to all Regions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409948[]' id='answer-id-1588969' class='answer   answerof-409948 ' value='1588969'   \/><label for='answer-id-1588969' id='answer-label-1588969' class=' answer'><span>Change the existing CloudTrail trail so that it applies to all Regions.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-409949'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>A company's cloud operations team is responsible for building effective security for IAM cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). 
The two account policies are as follows: <br \/>\r<br><br><img decoding=\"async\" width=497 height=825 id=\"\u56fe\u7247 36\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/06\/image030-5.png\"><br><br \/>\r<br>Which recommendations should the security engineer make to resolve this issue? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_17' value='409949' \/><input type='hidden' id='answerType409949' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409949[]' id='answer-id-1588970' class='answer   answerof-409949 ' value='1588970'   \/><label for='answer-id-1588970' id='answer-label-1588970' class=' answer'><span>Ask the developers to change their password and use a different web browser.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409949[]' id='answer-id-1588971' class='answer   answerof-409949 ' value='1588971'   \/><label for='answer-id-1588971' id='answer-label-1588971' class=' answer'><span>Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409949[]' id='answer-id-1588972' class='answer   answerof-409949 ' value='1588972'   \/><label for='answer-id-1588972' id='answer-label-1588972' class=' answer'><span>Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409949[]' id='answer-id-1588973' class='answer   answerof-409949 ' value='1588973'   \/><label for='answer-id-1588973' id='answer-label-1588973' class=' answer'><span>Update the trust 
relationship policy on the production account S3 role to allow the account number of the developer account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409949[]' id='answer-id-1588974' class='answer   answerof-409949 ' value='1588974'   \/><label for='answer-id-1588974' id='answer-label-1588974' class=' answer'><span>Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-409950'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised. 
<br \/>\r<br>How can a security engineer meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_18' value='409950' \/><input type='hidden' id='answerType409950' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409950[]' id='answer-id-1588975' class='answer   answerof-409950 ' value='1588975'   \/><label for='answer-id-1588975' id='answer-label-1588975' class=' answer'><span>Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409950[]' id='answer-id-1588976' class='answer   answerof-409950 ' value='1588976'   \/><label for='answer-id-1588976' id='answer-label-1588976' class=' answer'><span>Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409950[]' id='answer-id-1588977' class='answer   answerof-409950 ' value='1588977'   \/><label for='answer-id-1588977' id='answer-label-1588977' class=' answer'><span>Create an HTTPS listener that uses the Server Order Preference security feature.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409950[]' id='answer-id-1588978' class='answer   answerof-409950 ' value='1588978'   \/><label for='answer-id-1588978' id='answer-label-1588978' class=' answer'><span>Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   
watupro-question-id-409951'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>A company\u2019s public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB. <br \/>\r<br>The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances. <br \/>\r<br>Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)<\/div><input type='hidden' name='question_id[]' id='qID_19' value='409951' \/><input type='hidden' id='answerType409951' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409951[]' id='answer-id-1588979' class='answer   answerof-409951 ' value='1588979'   \/><label for='answer-id-1588979' id='answer-label-1588979' class=' answer'><span>Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409951[]' id='answer-id-1588980' class='answer   answerof-409951 ' value='1588980'   \/><label for='answer-id-1588980' id='answer-label-1588980' class=' answer'><span>Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409951[]' id='answer-id-1588981' class='answer   answerof-409951 ' value='1588981'   \/><label for='answer-id-1588981' id='answer-label-1588981' class=' answer'><span>Configure the ALB to forward only requests that contain the custom HTTP 
header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409951[]' id='answer-id-1588982' class='answer   answerof-409951 ' value='1588982'   \/><label for='answer-id-1588982' id='answer-label-1588982' class=' answer'><span>Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409951[]' id='answer-id-1588983' class='answer   answerof-409951 ' value='1588983'   \/><label for='answer-id-1588983' id='answer-label-1588983' class=' answer'><span>Configure the ALB and CloudFront to use the same<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409951[]' id='answer-id-1588984' class='answer   answerof-409951 ' value='1588984'   \/><label for='answer-id-1588984' id='answer-label-1588984' class=' answer'><span>509 certificate that is generated by AWS Certificate Manager (ACM).<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-409952'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company\u2019s security policies for accessing other AWS resources from Amazon EC2. <br \/>\r<br>A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. 
CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs. <br \/>\r<br>The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII). <br \/>\r<br>Which combination of steps should the security engineer take to gather this information? (Choose two.)<\/div><input type='hidden' name='question_id[]' id='qID_20' value='409952' \/><input type='hidden' id='answerType409952' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409952[]' id='answer-id-1588985' class='answer   answerof-409952 ' value='1588985'   \/><label for='answer-id-1588985' id='answer-label-1588985' class=' answer'><span>Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409952[]' id='answer-id-1588986' class='answer   answerof-409952 ' value='1588986'   \/><label for='answer-id-1588986' id='answer-label-1588986' class=' answer'><span>Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409952[]' id='answer-id-1588987' class='answer   answerof-409952 ' value='1588987'   \/><label for='answer-id-1588987' id='answer-label-1588987' class=' answer'><span>Use Amazon OpenSearch Service (Amazon 
Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409952[]' id='answer-id-1588988' class='answer   answerof-409952 ' value='1588988'   \/><label for='answer-id-1588988' id='answer-label-1588988' class=' answer'><span>Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409952[]' id='answer-id-1588989' class='answer   answerof-409952 ' value='1588989'   \/><label for='answer-id-1588989' id='answer-label-1588989' class=' answer'><span>Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-409953'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. <br \/>\r<br>How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? 
(Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_21' value='409953' \/><input type='hidden' id='answerType409953' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409953[]' id='answer-id-1588990' class='answer   answerof-409953 ' value='1588990'   \/><label for='answer-id-1588990' id='answer-label-1588990' class=' answer'><span>There is no API operation to retrieve an S3 object in its encrypted form.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409953[]' id='answer-id-1588991' class='answer   answerof-409953 ' value='1588991'   \/><label for='answer-id-1588991' id='answer-label-1588991' class=' answer'><span>Encryption of S3 objects is performed within the secure boundary of the KMS service.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409953[]' id='answer-id-1588992' class='answer   answerof-409953 ' value='1588992'   \/><label for='answer-id-1588992' id='answer-label-1588992' class=' answer'><span>S3 uses KMS to generate a unique data key for each individual object.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409953[]' id='answer-id-1588993' class='answer   answerof-409953 ' value='1588993'   \/><label for='answer-id-1588993' id='answer-label-1588993' class=' answer'><span>Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409953[]' id='answer-id-1588994' class='answer   answerof-409953 ' value='1588994'   \/><label for='answer-id-1588994' id='answer-label-1588994' class=' answer'><span>The KMS encryption envelope digitally signs the 
master key during encryption to prevent cryptographic wear-out<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-409954'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>A company has a set of EC2 Instances hosted in AWS. The EC2 Instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. <br \/>\r<br>How can you achieve this?<\/div><input type='hidden' name='question_id[]' id='qID_22' value='409954' \/><input type='hidden' id='answerType409954' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409954[]' id='answer-id-1588995' class='answer   answerof-409954 ' value='1588995'   \/><label for='answer-id-1588995' id='answer-label-1588995' class=' answer'><span>Use lifecycle policies for the EBS volumes<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409954[]' id='answer-id-1588996' class='answer   answerof-409954 ' value='1588996'   \/><label for='answer-id-1588996' id='answer-label-1588996' class=' answer'><span>Use EBS Snapshots<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409954[]' id='answer-id-1588997' class='answer   answerof-409954 ' value='1588997'   \/><label for='answer-id-1588997' id='answer-label-1588997' class=' answer'><span>Use EBS volume replication<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409954[]' id='answer-id-1588998' class='answer   answerof-409954 ' value='1588998'   \/><label for='answer-id-1588998' id='answer-label-1588998' class=' 
answer'><span>Use EBS volume encryption<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-409955'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances. <br \/>\r<br>There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity. <br \/>\r<br>Which of the following should the team check if a server cannot establish an outbound connection to the internet? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_23' value='409955' \/><input type='hidden' id='answerType409955' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409955[]' id='answer-id-1588999' class='answer   answerof-409955 ' value='1588999'   \/><label for='answer-id-1588999' id='answer-label-1588999' class=' answer'><span>The route tables and the outbound rules on the appropriate private subnet security group<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409955[]' id='answer-id-1589000' class='answer   answerof-409955 ' value='1589000'   \/><label for='answer-id-1589000' id='answer-label-1589000' class=' answer'><span>The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409955[]' id='answer-id-1589001' class='answer   answerof-409955 ' value='1589001'   \/><label for='answer-id-1589001' id='answer-label-1589001' class=' answer'><span>The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409955[]' id='answer-id-1589002' class='answer   answerof-409955 ' value='1589002'   \/><label for='answer-id-1589002' id='answer-label-1589002' class=' answer'><span>The rules on any host-based firewall that may be applied on the Amazon EC2 instances<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409955[]' id='answer-id-1589003' class='answer   answerof-409955 ' value='1589003'   \/><label for='answer-id-1589003' id='answer-label-1589003' class=' 
answer'><span>The Security Group applied to the Application Load Balancer and NAT gateway<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409955[]' id='answer-id-1589004' class='answer   answerof-409955 ' value='1589004'   \/><label for='answer-id-1589004' id='answer-label-1589004' class=' answer'><span>That the 0.0.0.0\/0 route in the private subnet route table points to the internet gateway in the public subnet<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-409956'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>A company has two AWS accounts. One account is for development workloads. The other account is for production workloads. For compliance reasons, the production account contains all the AWS Key Management Service (AWS KMS) keys that the company uses for encryption. <br \/>\r<br>The company applies an IAM role to an AWS Lambda function in the development account to allow secure access to AWS resources. The Lambda function must access a specific KMS customer managed key that exists in the production account to encrypt the Lambda function's data. <br \/>\r<br>Which combination of steps should a security engineer take to meet these requirements? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_24' value='409956' \/><input type='hidden' id='answerType409956' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409956[]' id='answer-id-1589005' class='answer   answerof-409956 ' value='1589005'   \/><label for='answer-id-1589005' id='answer-label-1589005' class=' answer'><span>Configure the key policy for the customer managed key in the production account to allow access to the Lambda service.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409956[]' id='answer-id-1589006' class='answer   answerof-409956 ' value='1589006'   \/><label for='answer-id-1589006' id='answer-label-1589006' class=' answer'><span>Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409956[]' id='answer-id-1589007' class='answer   answerof-409956 ' value='1589007'   \/><label for='answer-id-1589007' id='answer-label-1589007' class=' answer'><span>Configure a new IAM policy in the production account with permissions to use the customer managed key. Apply the IAM policy to the IAM role that the Lambda function in the development account uses.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409956[]' id='answer-id-1589008' class='answer   answerof-409956 ' value='1589008'   \/><label for='answer-id-1589008' id='answer-label-1589008' class=' answer'><span>Configure a new key policy in the development account with permissions to use the customer managed key. 
Apply the key policy to the IAM role that the Lambda function in the development account uses.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409956[]' id='answer-id-1589009' class='answer   answerof-409956 ' value='1589009'   \/><label for='answer-id-1589009' id='answer-label-1589009' class=' answer'><span>Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-409957'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. 
<br \/>\r<br>What is the likely cause of this access denial?<\/div><input type='hidden' name='question_id[]' id='qID_25' value='409957' \/><input type='hidden' id='answerType409957' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409957[]' id='answer-id-1589010' class='answer   answerof-409957 ' value='1589010'   \/><label for='answer-id-1589010' id='answer-label-1589010' class=' answer'><span>The ACL in the bucket needs to be updated<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409957[]' id='answer-id-1589011' class='answer   answerof-409957 ' value='1589011'   \/><label for='answer-id-1589011' id='answer-label-1589011' class=' answer'><span>The IAM policy does not allow the user to access the bucket<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409957[]' id='answer-id-1589012' class='answer   answerof-409957 ' value='1589012'   \/><label for='answer-id-1589012' id='answer-label-1589012' class=' answer'><span>It takes a few minutes for a bucket policy to take effect<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409957[]' id='answer-id-1589013' class='answer   answerof-409957 ' value='1589013'   \/><label for='answer-id-1589013' id='answer-label-1589013' class=' answer'><span>The allow permission is being overridden by the deny<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-409958'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. 
A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket directly. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_26' value='409958' \/><input type='hidden' id='answerType409958' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409958[]' id='answer-id-1589014' class='answer   answerof-409958 ' value='1589014'   \/><label for='answer-id-1589014' id='answer-label-1589014' class=' answer'><span>Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409958[]' id='answer-id-1589015' class='answer   answerof-409958 ' value='1589015'   \/><label for='answer-id-1589015' id='answer-label-1589015' class=' answer'><span>Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409958[]' id='answer-id-1589016' class='answer   answerof-409958 ' value='1589016'   \/><label for='answer-id-1589016' id='answer-label-1589016' class=' answer'><span>Create an S3 role in AWS Identity and Access Management (IAM). 
Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409958[]' id='answer-id-1589017' class='answer   answerof-409958 ' value='1589017'   \/><label for='answer-id-1589017' id='answer-label-1589017' class=' answer'><span>Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-409959'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network. 
<br \/>\r<br>How can the security engineer implement this solution?<\/div><input type='hidden' name='question_id[]' id='qID_27' value='409959' \/><input type='hidden' id='answerType409959' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589018' class='answer   answerof-409959 ' value='1589018'   \/><label for='answer-id-1589018' id='answer-label-1589018' class=' answer'><span>Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589019' class='answer   answerof-409959 ' value='1589019'   \/><label for='answer-id-1589019' id='answer-label-1589019' class=' answer'><span>Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589020' class='answer   answerof-409959 ' value='1589020'   \/><label for='answer-id-1589020' id='answer-label-1589020' class=' answer'><span>Attach the new security group to the database instances that the application instances need to access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589021' class='answer   answerof-409959 ' value='1589021'   \/><label for='answer-id-1589021' id='answer-label-1589021' class=' answer'><span>Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. 
Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589022' class='answer   answerof-409959 ' value='1589022'   \/><label for='answer-id-1589022' id='answer-label-1589022' class=' answer'><span>Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589023' class='answer   answerof-409959 ' value='1589023'   \/><label for='answer-id-1589023' id='answer-label-1589023' class=' answer'><span>Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589024' class='answer   answerof-409959 ' value='1589024'   \/><label for='answer-id-1589024' id='answer-label-1589024' class=' answer'><span>Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. 
Configure the rule to allow all traffic from the IP address range of the application VPC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409959[]' id='answer-id-1589025' class='answer   answerof-409959 ' value='1589025'   \/><label for='answer-id-1589025' id='answer-label-1589025' class=' answer'><span>Attach the new security group to the application instances that need database access.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-409960'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>A company is using AWS Organizations to manage multiple AWS accounts for its human resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account. <br \/>\r<br>The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software development AWS account. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_28' value='409960' \/><input type='hidden' id='answerType409960' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409960[]' id='answer-id-1589026' class='answer   answerof-409960 ' value='1589026'   \/><label for='answer-id-1589026' id='answer-label-1589026' class=' answer'><span>In the software development account, create AMIs of preconfigured instances that include only approved software. 
Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFormation template to launch EC2 instances in the software development account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409960[]' id='answer-id-1589027' class='answer   answerof-409960 ' value='1589027'   \/><label for='answer-id-1589027' id='answer-label-1589027' class=' answer'><span>Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in the software development account. Specify AWS Systems Manager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409960[]' id='answer-id-1589028' class='answer   answerof-409960 ' value='1589028'   \/><label for='answer-id-1589028' id='answer-label-1589028' class=' answer'><span>Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409960[]' id='answer-id-1589029' class='answer   answerof-409960 ' value='1589029'   \/><label for='answer-id-1589029' id='answer-label-1589029' class=' answer'><span>In the management account, create AMIs of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIs across any AWS account in the organization. 
Grant the developers permission to launch the stack sets within the management account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-409961'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key. <br \/>\r<br>When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected. <br \/>\r<br>A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account. <br \/>\r<br>Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_29' value='409961' \/><input type='hidden' id='answerType409961' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409961[]' id='answer-id-1589030' class='answer   answerof-409961 ' value='1589030'   \/><label for='answer-id-1589030' id='answer-label-1589030' class=' answer'><span>In the security account, configure an IAM role for the new Lambda function. 
Attach an IAM policy that allows access to the KMS key in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409961[]' id='answer-id-1589031' class='answer   answerof-409961 ' value='1589031'   \/><label for='answer-id-1589031' id='answer-label-1589031' class=' answer'><span>In the development account, configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409961[]' id='answer-id-1589032' class='answer   answerof-409961 ' value='1589032'   \/><label for='answer-id-1589032' id='answer-label-1589032' class=' answer'><span>In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409961[]' id='answer-id-1589033' class='answer   answerof-409961 ' value='1589033'   \/><label for='answer-id-1589033' id='answer-label-1589033' class=' answer'><span>Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409961[]' id='answer-id-1589034' class='answer   answerof-409961 ' value='1589034'   \/><label for='answer-id-1589034' id='answer-label-1589034' class=' answer'><span>Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   
watupro-question-id-409962'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully. <br \/>\r<br>The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks. <br \/>\r<br>Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_30' value='409962' \/><input type='hidden' id='answerType409962' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409962[]' id='answer-id-1589035' class='answer   answerof-409962 ' value='1589035'   \/><label for='answer-id-1589035' id='answer-label-1589035' class=' answer'><span>Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409962[]' id='answer-id-1589036' class='answer   answerof-409962 ' value='1589036'   \/><label for='answer-id-1589036' id='answer-label-1589036' class=' answer'><span>Create a service role that has cloudformation.amazonaws.com as the service principal. 
Configure the role to allow the sts:AssumeRole action.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409962[]' id='answer-id-1589037' class='answer   answerof-409962 ' value='1589037'   \/><label for='answer-id-1589037' id='answer-label-1589037' class=' answer'><span>For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409962[]' id='answer-id-1589038' class='answer   answerof-409962 ' value='1589038'   \/><label for='answer-id-1589038' id='answer-label-1589038' class=' answer'><span>For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409962[]' id='answer-id-1589039' class='answer   answerof-409962 ' value='1589039'   \/><label for='answer-id-1589039' id='answer-label-1589039' class=' answer'><span>Update each stack to use the service role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409962[]' id='answer-id-1589040' class='answer   answerof-409962 ' value='1589040'   \/><label for='answer-id-1589040' id='answer-label-1589040' class=' answer'><span>Add a policy to each member role to allow the iam:PassRole action. 
Set the policy's resource field to the ARN of the service role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-409963'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>Your company is planning on using bastion hosts for administering the servers in AWS. <br \/>\r<br>Which of the following is the best description of a bastion host from a security perspective?<\/div><input type='hidden' name='question_id[]' id='qID_31' value='409963' \/><input type='hidden' id='answerType409963' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409963[]' id='answer-id-1589041' class='answer   answerof-409963 ' value='1589041'   \/><label for='answer-id-1589041' id='answer-label-1589041' class=' answer'><span>A Bastion host should be on a private subnet and never a public subnet due to security concerns<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409963[]' id='answer-id-1589042' class='answer   answerof-409963 ' value='1589042'   \/><label for='answer-id-1589042' id='answer-label-1589042' class=' answer'><span>A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409963[]' id='answer-id-1589043' class='answer   answerof-409963 ' value='1589043'   \/><label for='answer-id-1589043' id='answer-label-1589043' class=' answer'><span>Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into internal network to access private subnet 
resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409963[]' id='answer-id-1589044' class='answer   answerof-409963 ' value='1589044'   \/><label for='answer-id-1589044' id='answer-label-1589044' class=' answer'><span>A Bastion host should maintain extremely tight security and monitoring as it is available to the public<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-409964'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>A company has retail stores. The company is designing a solution to store scanned copies of customer receipts on Amazon S3. Files will be between 100 KB and 5 MB in PDF format. Each retail store must have a unique encryption key. Each object must be encrypted with a unique key. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_32' value='409964' \/><input type='hidden' id='answerType409964' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409964[]' id='answer-id-1589045' class='answer   answerof-409964 ' value='1589045'   \/><label for='answer-id-1589045' id='answer-label-1589045' class=' answer'><span>Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Use the S3 Put operation to upload the objects to Amazon S3. Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409964[]' id='answer-id-1589046' class='answer   answerof-409964 ' value='1589046'   \/><label for='answer-id-1589046' id='answer-label-1589046' 
class=' answer'><span>Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store. Use the KMS Encrypt operation to encrypt objects. Then upload the objects to Amazon S3.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409964[]' id='answer-id-1589047' class='answer   answerof-409964 ' value='1589047'   \/><label for='answer-id-1589047' id='answer-label-1589047' class=' answer'><span>Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store. Use the data key and client-side encryption to encrypt the objects. Then upload the objects to Amazon S3.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409964[]' id='answer-id-1589048' class='answer   answerof-409964 ' value='1589048'   \/><label for='answer-id-1589048' id='answer-label-1589048' class=' answer'><span>Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store. Use a customer managed key and the KMS Encrypt operation to encrypt the objects. Then upload the objects to Amazon S3.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-409965'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt. <br \/>\r<br>Which issues that are related to the CMK could be reasons for the error? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_33' value='409965' \/><input type='hidden' id='answerType409965' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409965[]' id='answer-id-1589049' class='answer   answerof-409965 ' value='1589049'   \/><label for='answer-id-1589049' id='answer-label-1589049' class=' answer'><span>The CMK that is used in the attempt does not exist.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409965[]' id='answer-id-1589050' class='answer   answerof-409965 ' value='1589050'   \/><label for='answer-id-1589050' id='answer-label-1589050' class=' answer'><span>The CMK that is used in the attempt needs to be rotated.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409965[]' id='answer-id-1589051' class='answer   answerof-409965 ' value='1589051'   \/><label for='answer-id-1589051' id='answer-label-1589051' class=' answer'><span>The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409965[]' id='answer-id-1589052' class='answer   answerof-409965 ' value='1589052'   \/><label for='answer-id-1589052' id='answer-label-1589052' class=' answer'><span>The CMK that is used in the attempt is not enabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-409965[]' id='answer-id-1589053' class='answer   answerof-409965 ' value='1589053'   \/><label for='answer-id-1589053' id='answer-label-1589053' class=' answer'><span>The CMK that is used in the attempt is using an alias.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end 
questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-409966'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>A company receives a notification from the AWS Abuse team about an AWS account. The notification indicates that a resource in the account is compromised. The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application. The compromised EC2 instance is part of an EC2 Auto Scaling group. <br \/>\r<br>The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an IAM access key and secret key. The IAM access key and secret key are stored inside the AMI that is specified in the Auto Scaling <br \/>\r<br>group's launch configuration. The company is concerned that the credentials that are stored in the AMI might also have been exposed. <br \/>\r<br>The company must implement a solution that remediates the security concerns without causing downtime for the application. The solution must comply with security best practices. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_34' value='409966' \/><input type='hidden' id='answerType409966' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409966[]' id='answer-id-1589054' class='answer   answerof-409966 ' value='1589054'   \/><label for='answer-id-1589054' id='answer-label-1589054' class=' answer'><span>Rotate the potentially compromised access key that the EC2 instance uses. Create a new AMI without the potentially compromised credentials. Perform an EC2 Auto Scaling instance refresh.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409966[]' id='answer-id-1589055' class='answer   answerof-409966 ' 
value='1589055'   \/><label for='answer-id-1589055' id='answer-label-1589055' class=' answer'><span>Delete or deactivate the potentially compromised access key. Create an EC2 Auto Scaling linked IAM role that includes a custom policy that matches the potentially compromised access key permission. Associate the new IAM role with the Auto Scaling group. Perform an EC2 Auto Scaling instance refresh.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409966[]' id='answer-id-1589056' class='answer   answerof-409966 ' value='1589056'   \/><label for='answer-id-1589056' id='answer-label-1589056' class=' answer'><span>Delete or deactivate the potentially compromised access key. Create a new AMI without the potentially compromised credentials. Create an IAM role that includes the correct permissions. Create a launch template for the Auto Scaling group to reference the new AMI and IAM role. Perform an EC2 Auto Scaling instance refresh.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409966[]' id='answer-id-1589057' class='answer   answerof-409966 ' value='1589057'   \/><label for='answer-id-1589057' id='answer-label-1589057' class=' answer'><span>Rotate the potentially compromised access key. Create a new AMI without the potentially compromised access key. Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration. Perform an EC2 Auto Scaling instance refresh.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-409967'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. 
In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour. <br \/>\r<br>The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the company's visibility of potential anomalous behavior. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_35' value='409967' \/><input type='hidden' id='answerType409967' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409967[]' id='answer-id-1589058' class='answer   answerof-409967 ' value='1589058'   \/><label for='answer-id-1589058' id='answer-label-1589058' class=' answer'><span>Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409967[]' id='answer-id-1589059' class='answer   answerof-409967 ' value='1589059'   \/><label for='answer-id-1589059' id='answer-label-1589059' class=' answer'><span>Add the FTP server to a trusted IP list. 
Deploy the list to GuardDuty to stop receiving the notifications.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409967[]' id='answer-id-1589060' class='answer   answerof-409967 ' value='1589060'   \/><label for='answer-id-1589060' id='answer-label-1589060' class=' answer'><span>Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409967[]' id='answer-id-1589061' class='answer   answerof-409967 ' value='1589061'   \/><label for='answer-id-1589061' id='answer-label-1589061' class=' answer'><span>Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-409968'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>Your company has a set of EC2 Instances defined in IAM. These EC2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. <br \/>\r<br>How can you achieve this? <br \/>\r<br>Please select:<\/div><input type='hidden' name='question_id[]' id='qID_36' value='409968' \/><input type='hidden' id='answerType409968' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409968[]' id='answer-id-1589062' class='answer   answerof-409968 ' value='1589062'   \/><label for='answer-id-1589062' id='answer-label-1589062' class=' answer'><span>Use CloudWatch logs to monitor the activity on the Security Groups. 
Use filters to search for the changes and use SNS for the notification.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409968[]' id='answer-id-1589063' class='answer   answerof-409968 ' value='1589063'   \/><label for='answer-id-1589063' id='answer-label-1589063' class=' answer'><span>Use CloudWatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409968[]' id='answer-id-1589064' class='answer   answerof-409968 ' value='1589064'   \/><label for='answer-id-1589064' id='answer-label-1589064' class=' answer'><span>Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409968[]' id='answer-id-1589065' class='answer   answerof-409968 ' value='1589065'   \/><label for='answer-id-1589065' id='answer-label-1589065' class=' answer'><span>Use CloudWatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-409969'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS. 
<br \/>\r<br>Which of the following is a valid option for storing SSL\/TLS certificates?<\/div><input type='hidden' name='question_id[]' id='qID_37' value='409969' \/><input type='hidden' id='answerType409969' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409969[]' id='answer-id-1589066' class='answer   answerof-409969 ' value='1589066'   \/><label for='answer-id-1589066' id='answer-label-1589066' class=' answer'><span>Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409969[]' id='answer-id-1589067' class='answer   answerof-409969 ' value='1589067'   \/><label for='answer-id-1589067' id='answer-label-1589067' class=' answer'><span>Default SSL certificate that is stored in Amazon CloudFront.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409969[]' id='answer-id-1589068' class='answer   answerof-409969 ' value='1589068'   \/><label for='answer-id-1589068' id='answer-label-1589068' class=' answer'><span>Custom SSL certificate that is stored in AWS Certificate Manager (ACM)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409969[]' id='answer-id-1589069' class='answer   answerof-409969 ' value='1589069'   \/><label for='answer-id-1589069' id='answer-label-1589069' class=' answer'><span>Default SSL certificate that is stored in Amazon S3<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-409970'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. 
<\/span>A company needs to encrypt all of its data stored in Amazon S3. The company wants to use IAM Key Management Service (IAM KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. <br \/>\r<br>How should a security engineer set up IAM KMS to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_38' value='409970' \/><input type='hidden' id='answerType409970' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409970[]' id='answer-id-1589070' class='answer   answerof-409970 ' value='1589070'   \/><label for='answer-id-1589070' id='answer-label-1589070' class=' answer'><span>Configure IAM KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409970[]' id='answer-id-1589071' class='answer   answerof-409970 ' value='1589071'   \/><label for='answer-id-1589071' id='answer-label-1589071' class=' answer'><span>Configure IAM KMS and use the default key store. Create an IAM managed CMK with no key material. Import the company's key material into the CMK.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409970[]' id='answer-id-1589072' class='answer   answerof-409970 ' value='1589072'   \/><label for='answer-id-1589072' id='answer-label-1589072' class=' answer'><span>Configure IAM KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input 
type='radio' name='answer-409970[]' id='answer-id-1589073' class='answer   answerof-409970 ' value='1589073'   \/><label for='answer-id-1589073' id='answer-label-1589073' class=' answer'><span>Configure IAM KMS and use a custom key store. Create an IAM managed CMK with no key material. Import the company's key material into the CM<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-409971'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses. <br \/>\r<br>The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. 
During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet. <br \/>\r<br>Which response will immediately mitigate the attack and help investigate the root cause?<\/div><input type='hidden' name='question_id[]' id='qID_39' value='409971' \/><input type='hidden' id='answerType409971' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409971[]' id='answer-id-1589074' class='answer   answerof-409971 ' value='1589074'   \/><label for='answer-id-1589074' id='answer-label-1589074' class=' answer'><span>Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409971[]' id='answer-id-1589075' class='answer   answerof-409971 ' value='1589075'   \/><label for='answer-id-1589075' id='answer-label-1589075' class=' answer'><span>Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' 
name='answer-409971[]' id='answer-id-1589076' class='answer   answerof-409971 ' value='1589076'   \/><label for='answer-id-1589076' id='answer-label-1589076' class=' answer'><span>Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409971[]' id='answer-id-1589077' class='answer   answerof-409971 ' value='1589077'   \/><label for='answer-id-1589077' id='answer-label-1589077' class=' answer'><span>Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-409972'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance. 
<br \/>\r<br>What should a security engineer do to configure access to these EC2 instances to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_40' value='409972' \/><input type='hidden' id='answerType409972' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409972[]' id='answer-id-1589078' class='answer   answerof-409972 ' value='1589078'   \/><label for='answer-id-1589078' id='answer-label-1589078' class=' answer'><span>Use the EC2 serial console. Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409972[]' id='answer-id-1589079' class='answer   answerof-409972 ' value='1589079'   \/><label for='answer-id-1589079' id='answer-label-1589079' class=' answer'><span>Use EC2 Instance Connect. Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs. Configure an IAM account for the system administrator. 
Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409972[]' id='answer-id-1589080' class='answer   answerof-409972 ' value='1589080'   \/><label for='answer-id-1589080' id='answer-label-1589080' class=' answer'><span>Use an EC2 key pair with an EC2 instance that needs SSH access. Access the EC2 instance with this key pair by using SS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409972[]' id='answer-id-1589081' class='answer   answerof-409972 ' value='1589081'   \/><label for='answer-id-1589081' id='answer-label-1589081' class=' answer'><span>Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-409972[]' id='answer-id-1589082' class='answer   answerof-409972 ' value='1589082'   \/><label for='answer-id-1589082' id='answer-label-1589082' class=' answer'><span>Use AWS Systems Manager Session Manager. Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. 
Configure an IAM account for the system administrator Provide an IAM policy that allows the IAM account to use Session Manager.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-41'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br \/>\n\t\n\t\t\t<div class=\"watupro_buttons flex \" id=\"watuPROButtons10338\" >\n\t\t  <div id=\"prev-question\" style=\"display:none;\"><input type=\"button\" value=\"&lt; Previous\" onclick=\"WatuPRO.nextQuestion(event, 'previous');\"\/><\/div>\t\t  \t\t  \t\t   \n\t\t   \t  \t\t<div><input type=\"button\" name=\"action\" class=\"watupro-submit-button\" onclick=\"WatuPRO.submitResult(event)\" id=\"action-button\" value=\"View Results\"  \/>\n\t\t<\/div>\n\t\t<\/div>\n\t\t\n\t<input type=\"hidden\" name=\"quiz_id\" value=\"10338\" id=\"watuPROExamID\"\/>\n\t<input type=\"hidden\" name=\"start_time\" id=\"startTime\" value=\"2026-04-21 15:54:18\" \/>\n\t<input type=\"hidden\" name=\"start_timestamp\" id=\"startTimeStamp\" value=\"1776786858\" \/>\n\t<input type=\"hidden\" name=\"question_ids\" value=\"\" \/>\n\t<input type=\"hidden\" name=\"watupro_questions\" value=\"409933:1588900,1588901,1588902,1588903 | 409934:1588904,1588905,1588906,1588907,1588908 | 409935:1588909,1588910,1588911,1588912 | 409936:1588913,1588914,1588915,1588916 | 409937:1588917,1588918,1588919,1588920,1588921 | 409938:1588922,1588923,1588924,1588925 | 409939:1588926,1588927,1588928,1588929 | 409940:1588930,1588931,1588932,1588933 | 409941:1588934,1588935,1588936,1588937,1588938 | 409942:1588939,1588940,1588941,1588942,1588943,1588944 | 409943:1588945,1588946,1588947 | 409944:1588948,1588949,1588950,1588951 | 409945:1588952,1588953,1588954,1588955 
| 409946:1588956,1588957,1588958,1588959,1588960,1588961 | 409947:1588962,1588963,1588964,1588965 | 409948:1588966,1588967,1588968,1588969 | 409949:1588970,1588971,1588972,1588973,1588974 | 409950:1588975,1588976,1588977,1588978 | 409951:1588979,1588980,1588981,1588982,1588983,1588984 | 409952:1588985,1588986,1588987,1588988,1588989 | 409953:1588990,1588991,1588992,1588993,1588994 | 409954:1588995,1588996,1588997,1588998 | 409955:1588999,1589000,1589001,1589002,1589003,1589004 | 409956:1589005,1589006,1589007,1589008,1589009 | 409957:1589010,1589011,1589012,1589013 | 409958:1589014,1589015,1589016,1589017 | 409959:1589018,1589019,1589020,1589021,1589022,1589023,1589024,1589025 | 409960:1589026,1589027,1589028,1589029 | 409961:1589030,1589031,1589032,1589033,1589034 | 409962:1589035,1589036,1589037,1589038,1589039,1589040 | 409963:1589041,1589042,1589043,1589044 | 409964:1589045,1589046,1589047,1589048 | 409965:1589049,1589050,1589051,1589052,1589053 | 409966:1589054,1589055,1589056,1589057 | 409967:1589058,1589059,1589060,1589061 | 409968:1589062,1589063,1589064,1589065 | 409969:1589066,1589067,1589068,1589069 | 409970:1589070,1589071,1589072,1589073 | 409971:1589074,1589075,1589076,1589077 | 409972:1589078,1589079,1589080,1589081,1589082\" \/>\n\t<input type=\"hidden\" name=\"no_ajax\" value=\"0\">\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n\n<script type=\"text\/javascript\">\n\/\/jQuery(document).ready(function(){\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \t\nvar question_ids = \"409933,409934,409935,409936,409937,409938,409939,409940,409941,409942,409943,409944,409945,409946,409947,409948,409949,409950,409951,409952,409953,409954,409955,409956,409957,409958,409959,409960,409961,409962,409963,409964,409965,409966,409967,409968,409969,409970,409971,409972\";\nWatuPROSettings[10338] = {};\nWatuPRO.qArr = question_ids.split(',');\nWatuPRO.exam_id = 10338;\t    \nWatuPRO.post_id = 108729;\nWatuPRO.store_progress = 0;\nWatuPRO.curCatPage = 
1;\nWatuPRO.requiredIDs=\"0\".split(\",\");\nWatuPRO.hAppID = \"0.87239600 1776786858\";\nvar url = \"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/show_exam.php\";\nWatuPRO.examMode = 1;\nWatuPRO.siteURL=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-admin\/admin-ajax.php\";\nWatuPRO.emailIsNotRequired = 0;\nWatuPROIntel.init(10338);\nWatuPRO.inCategoryPages=1;});    \t \n<\/script>\n","protected":false},"excerpt":{"rendered":"<p>Achieving an outstanding score in the AWS Certified Security &#8211; Specialty (SCS-C02) exam becomes easier with the most current SCS-C02 dumps (V13.03). This updated version is diligently designed to include real exam questions and answers that embody specific knowledge and skills, arranging the AWS Certified Security &#8211; Specialty exam dumps in a way that is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,15758],"tags":[19527,16237],"class_list":["post-108729","post","type-post","status-publish","format-standard","hentry","category-amazon","category-aws-certified-specialty","tag-aws-certified-security-specialty-scs-c02","tag-scs-c02-dumps"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/108729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=108729"}],"version-history":[{"count":1,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/108729\/revisions"}],"predecessor-version":[{"id":108735,"href":"https:\/\/www.dumpsbase.com
\/freedumps\/wp-json\/wp\/v2\/posts\/108729\/revisions\/108735"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=108729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=108729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=108729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}