{"id":116484,"date":"2025-12-23T02:57:13","date_gmt":"2025-12-23T02:57:13","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=116484"},"modified":"2026-01-02T03:08:32","modified_gmt":"2026-01-02T03:08:32","slug":"new-scs-c03-dumps-v8-02-for-your-aws-certified-security-specialty-certification-preparation-check-the-scs-c03-free-dumps-part-1-q1-q40-first","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/new-scs-c03-dumps-v8-02-for-your-aws-certified-security-specialty-certification-preparation-check-the-scs-c03-free-dumps-part-1-q1-q40-first.html","title":{"rendered":"New SCS-C03 Dumps (V8.02) for Your AWS Certified Security &#8211; Specialty Certification Preparation: Check the SCS-C03 Free Dumps (Part 1, Q1-Q40) First"},"content":{"rendered":"<p>The AWS Certified Security &#8211; Specialty certification has been upgraded. You must pass the SCS-C03 exam to validate your expertise in creating and implementing security solutions in the AWS Cloud, not the SCS-C02 exam. To support your success, the new SCS-C03 dumps (V8.02) from DumpsBase are available online. With the SCS-C03 dumps (V8.02), you can access precise information through 390 practice exam questions and answers. You can organize your AWS Certified Security &#8211; Specialty (SCS-C03) exam preparation simply and confidently, reaching the desired goal with the up-to-date practice questions. Choose DumpsBase as your AWS Certified Security &#8211; Specialty SCS-C03 exam learning partner. 
The SCS-C03 exam dumps (V8.02) supply you with the latest and high-level exam questions, guaranteeing that you clear your exam with excellent grades.<\/p>\n<h2>We have <span style=\"background-color: #ffff99;\"><em>SCS-C03 free dumps (Part 1, Q1-Q40) of V8.02<\/em><\/span> here to help you check the quality first:<\/h2>\n  \n  \n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam11374\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-11374\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-11374\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-447023'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. <br \/>\r<br>How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? 
(Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_1' value='447023' \/><input type='hidden' id='answerType447023' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447023[]' id='answer-id-1729542' class='answer   answerof-447023 ' value='1729542'   \/><label for='answer-id-1729542' id='answer-label-1729542' class=' answer'><span>There is no API operation to retrieve an S3 object in its encrypted form.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447023[]' id='answer-id-1729543' class='answer   answerof-447023 ' value='1729543'   \/><label for='answer-id-1729543' id='answer-label-1729543' class=' answer'><span>Encryption of S3 objects is performed within the secure boundary of the KMS service.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447023[]' id='answer-id-1729544' class='answer   answerof-447023 ' value='1729544'   \/><label for='answer-id-1729544' id='answer-label-1729544' class=' answer'><span>S3 uses KMS to generate a unique data key for each individual object.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447023[]' id='answer-id-1729545' class='answer   answerof-447023 ' value='1729545'   \/><label for='answer-id-1729545' id='answer-label-1729545' class=' answer'><span>Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447023[]' id='answer-id-1729546' class='answer   answerof-447023 ' value='1729546'   \/><label for='answer-id-1729546' id='answer-label-1729546' class=' answer'><span>The KMS encryption envelope digitally signs the 
master key during encryption to prevent cryptographic wear-out<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-447024'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. <br \/>\r<br>The solution must analyze logs in real time, provide message replay, and persist logs. <br \/>\r<br>Which Amazon Web Offerings (IAM) services should be employed to satisfy these requirements? (Select two.)<\/div><input type='hidden' name='question_id[]' id='qID_2' value='447024' \/><input type='hidden' id='answerType447024' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447024[]' id='answer-id-1729547' class='answer   answerof-447024 ' value='1729547'   \/><label for='answer-id-1729547' id='answer-label-1729547' class=' answer'><span>Amazon Athena<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447024[]' id='answer-id-1729548' class='answer   answerof-447024 ' value='1729548'   \/><label for='answer-id-1729548' id='answer-label-1729548' class=' answer'><span>Amazon Kinesis<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447024[]' id='answer-id-1729549' class='answer   answerof-447024 ' value='1729549'   \/><label for='answer-id-1729549' id='answer-label-1729549' class=' answer'><span>Amazon SQS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447024[]' id='answer-id-1729550' class='answer   answerof-447024 ' value='1729550'   \/><label for='answer-id-1729550' 
id='answer-label-1729550' class=' answer'><span>Amazon Elasticsearch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447024[]' id='answer-id-1729551' class='answer   answerof-447024 ' value='1729551'   \/><label for='answer-id-1729551' id='answer-label-1729551' class=' answer'><span>Amazon EMR<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-447025'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company\u2019s security policies for accessing other AWS resources from Amazon EC2. <br \/>\r<br>A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs. <br \/>\r<br>The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII). <br \/>\r<br>Which combination of steps should the security engineer take to gather this information? 
(Choose two.)<\/div><input type='hidden' name='question_id[]' id='qID_3' value='447025' \/><input type='hidden' id='answerType447025' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447025[]' id='answer-id-1729552' class='answer   answerof-447025 ' value='1729552'   \/><label for='answer-id-1729552' id='answer-label-1729552' class=' answer'><span>Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447025[]' id='answer-id-1729553' class='answer   answerof-447025 ' value='1729553'   \/><label for='answer-id-1729553' id='answer-label-1729553' class=' answer'><span>Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447025[]' id='answer-id-1729554' class='answer   answerof-447025 ' value='1729554'   \/><label for='answer-id-1729554' id='answer-label-1729554' class=' answer'><span>Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PI<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447025[]' id='answer-id-1729555' class='answer   answerof-447025 ' value='1729555'   \/><label for='answer-id-1729555' id='answer-label-1729555' class=' answer'><span>Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PI<\/span><\/label><\/div><div class='watupro-question-choice  
' dir='auto' ><input type='checkbox' name='answer-447025[]' id='answer-id-1729556' class='answer   answerof-447025 ' value='1729556'   \/><label for='answer-id-1729556' id='answer-label-1729556' class=' answer'><span>Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-447026'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>A company is evaluating the use of AWS Systems Manager Session Manager to gain access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users. <br \/>\r<br>When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error: &quot;Error Unprotected private key file - Permissions for 'ssh\/my_private_key.pem' are too open&quot;. 
<br \/>\r<br>Which command should the security administrator use to modify the private key file permissions to resolve this error?<\/div><input type='hidden' name='question_id[]' id='qID_4' value='447026' \/><input type='hidden' id='answerType447026' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447026[]' id='answer-id-1729557' class='answer   answerof-447026 ' value='1729557'   \/><label for='answer-id-1729557' id='answer-label-1729557' class=' answer'><span>chmod 0040 ssh\/my_private_key.pem<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447026[]' id='answer-id-1729558' class='answer   answerof-447026 ' value='1729558'   \/><label for='answer-id-1729558' id='answer-label-1729558' class=' answer'><span>chmod 0400 ssh\/my_private_key.pem<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447026[]' id='answer-id-1729559' class='answer   answerof-447026 ' value='1729559'   \/><label for='answer-id-1729559' id='answer-label-1729559' class=' answer'><span>chmod 0004 ssh\/my_private_key.pem<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447026[]' id='answer-id-1729560' class='answer   answerof-447026 ' value='1729560'   \/><label for='answer-id-1729560' id='answer-label-1729560' class=' answer'><span>chmod 0777 ssh\/my_private_key.pem<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-447027'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>Your company uses IAM to host its resources. 
<br \/>\r<br>They have the following requirements: <br \/>\r<br>1) Record all API calls and Transitions <br \/>\r<br>2) Help in understanding what resources are there in the account <br \/>\r<br>3) Facility to allow auditing credentials and logins <br \/>\r<br>Which services would satisfy the above requirements? Please select:<\/div><input type='hidden' name='question_id[]' id='qID_5' value='447027' \/><input type='hidden' id='answerType447027' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447027[]' id='answer-id-1729561' class='answer   answerof-447027 ' value='1729561'   \/><label for='answer-id-1729561' id='answer-label-1729561' class=' answer'><span>IAM Inspector, CloudTrail, IAM Credential Reports<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447027[]' id='answer-id-1729562' class='answer   answerof-447027 ' value='1729562'   \/><label for='answer-id-1729562' id='answer-label-1729562' class=' answer'><span>CloudTrail, 
IAM Credential Reports, IAM SNS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447027[]' id='answer-id-1729563' class='answer   answerof-447027 ' value='1729563'   \/><label for='answer-id-1729563' id='answer-label-1729563' class=' answer'><span>CloudTrail, IAM Config, IAM Credential Reports<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447027[]' id='answer-id-1729564' class='answer   answerof-447027 ' value='1729564'   \/><label for='answer-id-1729564' id='answer-label-1729564' class=' answer'><span>IAM SQS, IAM Credential Reports, CloudTrail<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-447028'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services. 
<br \/>\r<br>Which solution will meet these requirements with the LEAST operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_6' value='447028' \/><input type='hidden' id='answerType447028' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447028[]' id='answer-id-1729565' class='answer   answerof-447028 ' value='1729565'   \/><label for='answer-id-1729565' id='answer-label-1729565' class=' answer'><span>Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447028[]' id='answer-id-1729566' class='answer   answerof-447028 ' value='1729566'   \/><label for='answer-id-1729566' id='answer-label-1729566' class=' answer'><span>Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447028[]' id='answer-id-1729567' class='answer   answerof-447028 ' value='1729567'   \/><label for='answer-id-1729567' id='answer-label-1729567' class=' answer'><span>Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447028[]' id='answer-id-1729568' class='answer   answerof-447028 ' value='1729568'   \/><label for='answer-id-1729568' id='answer-label-1729568' class=' answer'><span>For each AWS account, create tailored identity-based policies for AWS SS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' 
name='answer-447028[]' id='answer-id-1729569' class='answer   answerof-447028 ' value='1729569'   \/><label for='answer-id-1729569' id='answer-label-1729569' class=' answer'><span>Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-447029'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53. <br \/>\r<br>The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use several alternative domain names. The certificates must renew automatically over an indefinite period of time. <br \/>\r<br>Which combination of steps should the application team take to deploy this architecture? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_7' value='447029' \/><input type='hidden' id='answerType447029' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447029[]' id='answer-id-1729570' class='answer   answerof-447029 ' value='1729570'   \/><label for='answer-id-1729570' id='answer-label-1729570' class=' answer'><span>Request a certificate from ACM in the us-west-2 Region. Add the domain names that the certificate will secure.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447029[]' id='answer-id-1729571' class='answer   answerof-447029 ' value='1729571'   \/><label for='answer-id-1729571' id='answer-label-1729571' class=' answer'><span>Send an email message to the domain administrators to request validation of the domains for ACM.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447029[]' id='answer-id-1729572' class='answer   answerof-447029 ' value='1729572'   \/><label for='answer-id-1729572' id='answer-label-1729572' class=' answer'><span>Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447029[]' id='answer-id-1729573' class='answer   answerof-447029 ' value='1729573'   \/><label for='answer-id-1729573' id='answer-label-1729573' class=' answer'><span>Create an Application Load Balancer for the caching solution. Select the newly requested certificate from ACM to be used for secure connections.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447029[]' id='answer-id-1729574' class='answer   answerof-447029 ' value='1729574'   \/><label 
for='answer-id-1729574' id='answer-label-1729574' class=' answer'><span>Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME record as the Origin Name. Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings. Select the newly requested certificate from ACM to be used for secure connections.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447029[]' id='answer-id-1729575' class='answer   answerof-447029 ' value='1729575'   \/><label for='answer-id-1729575' id='answer-label-1729575' class=' answer'><span>Request a certificate from ACM in the us-east-1 Region. Add the domain names that the certificate will secure.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-447030'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0\/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0\/24 assigned. Each subnet contains Amazon EC2 instances. <br \/>\r<br>Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets. <br \/>\r<br>A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. 
The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other. <br \/>\r<br>Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_8' value='447030' \/><input type='hidden' id='answerType447030' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447030[]' id='answer-id-1729576' class='answer   answerof-447030 ' value='1729576'   \/><label for='answer-id-1729576' id='answer-label-1729576' class=' answer'><span>Add an outbound allow rule for 192.168.2.0\/24 in the VPC's default network AC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447030[]' id='answer-id-1729577' class='answer   answerof-447030 ' value='1729577'   \/><label for='answer-id-1729577' id='answer-label-1729577' class=' answer'><span>Add an inbound allow rule for 192.168.2.0\/24 in the VPC's default network AC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447030[]' id='answer-id-1729578' class='answer   answerof-447030 ' value='1729578'   \/><label for='answer-id-1729578' id='answer-label-1729578' class=' answer'><span>Add an outbound allow rule for 192.168.2.0\/24 in subnet-2-NAC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447030[]' id='answer-id-1729579' class='answer   answerof-447030 ' value='1729579'   \/><label for='answer-id-1729579' id='answer-label-1729579' class=' answer'><span>Add an inbound allow rule for 192.168.1.0\/24 in subnet-2-NAC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input 
type='checkbox' name='answer-447030[]' id='answer-id-1729580' class='answer   answerof-447030 ' value='1729580'   \/><label for='answer-id-1729580' id='answer-label-1729580' class=' answer'><span>Add an outbound allow rule for 192.168.1.0\/24 in subnet-2-NAC<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-447031'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>A company is using AWS Organizations to manage multiple AWS accounts for its human resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account. <br \/>\r<br>The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software development AWS account. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_9' value='447031' \/><input type='hidden' id='answerType447031' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447031[]' id='answer-id-1729581' class='answer   answerof-447031 ' value='1729581'   \/><label for='answer-id-1729581' id='answer-label-1729581' class=' answer'><span>In the software development account, create AMIs of preconfigured instances that include only approved software. Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. 
Provide the developers with the CloudFormation template to launch EC2 instances in the software development account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447031[]' id='answer-id-1729582' class='answer   answerof-447031 ' value='1729582'   \/><label for='answer-id-1729582' id='answer-label-1729582' class=' answer'><span>Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in the software development account. Specify AWS Systems Manager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447031[]' id='answer-id-1729583' class='answer   answerof-447031 ' value='1729583'   \/><label for='answer-id-1729583' id='answer-label-1729583' class=' answer'><span>Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447031[]' id='answer-id-1729584' class='answer   answerof-447031 ' value='1729584'   \/><label for='answer-id-1729584' id='answer-label-1729584' class=' answer'><span>In the management account, create AMIs of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIs across any AWS account in the organization. 
Grant the developers permission to launch the stack sets within the management account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-447032'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. <br \/>\r<br>Which of the following is one of the right ways to implement this.<\/div><input type='hidden' name='question_id[]' id='qID_10' value='447032' \/><input type='hidden' id='answerType447032' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447032[]' id='answer-id-1729585' class='answer   answerof-447032 ' value='1729585'   \/><label for='answer-id-1729585' id='answer-label-1729585' class=' answer'><span>Use S3 SSE and use SSL for data in transit<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447032[]' id='answer-id-1729586' class='answer   answerof-447032 ' value='1729586'   \/><label for='answer-id-1729586' id='answer-label-1729586' class=' answer'><span>SSL termination on the ELB<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447032[]' id='answer-id-1729587' class='answer   answerof-447032 ' value='1729587'   \/><label for='answer-id-1729587' id='answer-label-1729587' class=' answer'><span>Enabling Proxy Protocol<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447032[]' id='answer-id-1729588' class='answer   answerof-447032 ' value='1729588'   \/><label for='answer-id-1729588' id='answer-label-1729588' class=' 
answer'><span>Enabling sticky sessions on your load balancer<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-447033'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. <br \/>\r<br>Which configuration steps should the security engineer take to accomplish this task?<\/div><input type='hidden' name='question_id[]' id='qID_11' value='447033' \/><input type='hidden' id='answerType447033' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447033[]' id='answer-id-1729589' class='answer   answerof-447033 ' value='1729589'   \/><label for='answer-id-1729589' id='answer-label-1729589' class=' answer'><span>Create a security group with a rule that denies inbound connections from 0.0.0.0\/0 on port 00. 
Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447033[]' id='answer-id-1729590' class='answer   answerof-447033 ' value='1729590'   \/><label for='answer-id-1729590' id='answer-label-1729590' class=' answer'><span>Create a network ACL that denies inbound connections from 0.0.0.0\/0 on port 80. Associate the network ACL with the VPC's internet gateway.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447033[]' id='answer-id-1729591' class='answer   answerof-447033 ' value='1729591'   \/><label for='answer-id-1729591' id='answer-label-1729591' class=' answer'><span>Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447033[]' id='answer-id-1729592' class='answer   answerof-447033 ' value='1729592'   \/><label for='answer-id-1729592' id='answer-label-1729592' class=' answer'><span>Create a security group with a single inbound rule that allows connections from 0.0.0.0\/0 on port 443. Ensure this security group is the only one associated with the ALB.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-447034'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. <\/span>A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on IAM. <br \/>\r<br>Which combination of IAM services and features will provide protection in this scenario? 
(Select THREE).<\/div><input type='hidden' name='question_id[]' id='qID_12' value='447034' \/><input type='hidden' id='answerType447034' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447034[]' id='answer-id-1729593' class='answer   answerof-447034 ' value='1729593'   \/><label for='answer-id-1729593' id='answer-label-1729593' class=' answer'><span>Amazon Route 53<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447034[]' id='answer-id-1729594' class='answer   answerof-447034 ' value='1729594'   \/><label for='answer-id-1729594' id='answer-label-1729594' class=' answer'><span>IAM Certificate Manager (ACM)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447034[]' id='answer-id-1729595' class='answer   answerof-447034 ' value='1729595'   \/><label for='answer-id-1729595' id='answer-label-1729595' class=' answer'><span>Amazon S3<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447034[]' id='answer-id-1729596' class='answer   answerof-447034 ' value='1729596'   \/><label for='answer-id-1729596' id='answer-label-1729596' class=' answer'><span>IAM Shield<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447034[]' id='answer-id-1729597' class='answer   answerof-447034 ' value='1729597'   \/><label for='answer-id-1729597' id='answer-label-1729597' class=' answer'><span>Elastic Load Balancer<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447034[]' id='answer-id-1729598' class='answer   answerof-447034 ' value='1729598'   \/><label for='answer-id-1729598' id='answer-label-1729598' class=' answer'><span>Amazon
GuardDuty<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-447035'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository. <br \/>\r<br>A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead. <br \/>\r<br>Which solution meets these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_13' value='447035' \/><input type='hidden' id='answerType447035' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447035[]' id='answer-id-1729599' class='answer   answerof-447035 ' value='1729599'   \/><label for='answer-id-1729599' id='answer-label-1729599' class=' answer'><span>Use the IAM Systems Manager Parameter Store to generate database credentials. 
Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447035[]' id='answer-id-1729600' class='answer   answerof-447035 ' value='1729600'   \/><label for='answer-id-1729600' id='answer-label-1729600' class=' answer'><span>Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447035[]' id='answer-id-1729601' class='answer   answerof-447035 ' value='1729601'   \/><label for='answer-id-1729601' id='answer-label-1729601' class=' answer'><span>Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447035[]' id='answer-id-1729602' class='answer   answerof-447035 ' value='1729602'   \/><label for='answer-id-1729602' id='answer-label-1729602' class=' answer'><span>Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-447036'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS. 
<br \/>\r<br>Which of the following is a valid option for storing SSL\/TLS certificates?<\/div><input type='hidden' name='question_id[]' id='qID_14' value='447036' \/><input type='hidden' id='answerType447036' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447036[]' id='answer-id-1729603' class='answer   answerof-447036 ' value='1729603'   \/><label for='answer-id-1729603' id='answer-label-1729603' class=' answer'><span>Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447036[]' id='answer-id-1729604' class='answer   answerof-447036 ' value='1729604'   \/><label for='answer-id-1729604' id='answer-label-1729604' class=' answer'><span>Default SSL certificate that is stored in Amazon CloudFront.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447036[]' id='answer-id-1729605' class='answer   answerof-447036 ' value='1729605'   \/><label for='answer-id-1729605' id='answer-label-1729605' class=' answer'><span>Custom SSL certificate that is stored in AWS Certificate Manager (ACM)<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447036[]' id='answer-id-1729606' class='answer   answerof-447036 ' value='1729606'   \/><label for='answer-id-1729606' id='answer-label-1729606' class=' answer'><span>Default SSL certificate that is stored in Amazon S3<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-447037'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. 
<\/span>A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing. <br \/>\r<br>The data includes personally identifiable information (PII). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table. <br \/>\r<br>Which solution will meet this requirement with the MOST operational efficiency?<\/div><input type='hidden' name='question_id[]' id='qID_15' value='447037' \/><input type='hidden' id='answerType447037' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447037[]' id='answer-id-1729607' class='answer   answerof-447037 ' value='1729607'   \/><label for='answer-id-1729607' id='answer-label-1729607' class=' answer'><span>Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447037[]' id='answer-id-1729608' class='answer   answerof-447037 ' value='1729608'   \/><label for='answer-id-1729608' id='answer-label-1729608' class=' answer'><span>Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. 
Enable TTL on the DynamoDB table to expire entries that are older than 30 days based on the TTL attribute.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447037[]' id='answer-id-1729609' class='answer   answerof-447037 ' value='1729609'   \/><label for='answer-id-1729609' id='answer-label-1729609' class=' answer'><span>Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447037[]' id='answer-id-1729610' class='answer   answerof-447037 ' value='1729610'   \/><label for='answer-id-1729610' id='answer-label-1729610' class=' answer'><span>Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-447038'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance. 
<br \/>\r<br>What should a security engineer do to configure access to these EC2 instances to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_16' value='447038' \/><input type='hidden' id='answerType447038' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447038[]' id='answer-id-1729611' class='answer   answerof-447038 ' value='1729611'   \/><label for='answer-id-1729611' id='answer-label-1729611' class=' answer'><span>Use the EC2 serial console. Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447038[]' id='answer-id-1729612' class='answer   answerof-447038 ' value='1729612'   \/><label for='answer-id-1729612' id='answer-label-1729612' class=' answer'><span>Use EC2 Instance Connect. Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs. Configure an IAM account for the system administrator. 
Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447038[]' id='answer-id-1729613' class='answer   answerof-447038 ' value='1729613'   \/><label for='answer-id-1729613' id='answer-label-1729613' class=' answer'><span>Use an EC2 key pair with an EC2 instance that needs SSH access. Access the EC2 instance with this key pair by using SS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447038[]' id='answer-id-1729614' class='answer   answerof-447038 ' value='1729614'   \/><label for='answer-id-1729614' id='answer-label-1729614' class=' answer'><span>Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447038[]' id='answer-id-1729615' class='answer   answerof-447038 ' value='1729615'   \/><label for='answer-id-1729615' id='answer-label-1729615' class=' answer'><span>Use AWS Systems Manager Session Manager. Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use Session Manager.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-447039'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. 
<\/span>A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories. <br \/>\r<br>A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs). <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_17' value='447039' \/><input type='hidden' id='answerType447039' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447039[]' id='answer-id-1729616' class='answer   answerof-447039 ' value='1729616'   \/><label for='answer-id-1729616' id='answer-label-1729616' class=' answer'><span>Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances\u2019 user data. Run an assessment with the CVE rules.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447039[]' id='answer-id-1729617' class='answer   answerof-447039 ' value='1729617'   \/><label for='answer-id-1729617' id='answer-label-1729617' class=' answer'><span>Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447039[]' id='answer-id-1729618' class='answer   answerof-447039 ' value='1729618'   \/><label for='answer-id-1729618' id='answer-label-1729618' class=' answer'><span>Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. 
Run an inventory report.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447039[]' id='answer-id-1729619' class='answer   answerof-447039 ' value='1729619'   \/><label for='answer-id-1729619' id='answer-label-1729619' class=' answer'><span>Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-447040'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. 
<br \/>\r<br>What is the MOST secure way to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_18' value='447040' \/><input type='hidden' id='answerType447040' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447040[]' id='answer-id-1729620' class='answer   answerof-447040 ' value='1729620'   \/><label for='answer-id-1729620' id='answer-label-1729620' class=' answer'><span>Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447040[]' id='answer-id-1729621' class='answer   answerof-447040 ' value='1729621'   \/><label for='answer-id-1729621' id='answer-label-1729621' class=' answer'><span>Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447040[]' id='answer-id-1729622' class='answer   answerof-447040 ' value='1729622'   \/><label for='answer-id-1729622' id='answer-label-1729622' class=' answer'><span>Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447040[]' id='answer-id-1729623' class='answer   answerof-447040 ' value='1729623'   \/><label for='answer-id-1729623' id='answer-label-1729623' class=' answer'><span>Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted 
connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-447041'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup. <br \/>\r<br>Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_19' value='447041' \/><input type='hidden' id='answerType447041' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447041[]' id='answer-id-1729624' class='answer   answerof-447041 ' value='1729624'   \/><label for='answer-id-1729624' id='answer-label-1729624' class=' answer'><span>Disable termination protection for the EC2 instance if termination protection has not been disabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447041[]' id='answer-id-1729625' class='answer   answerof-447041 ' value='1729625'   \/><label for='answer-id-1729625' id='answer-label-1729625' class=' answer'><span>Enable termination protection for the EC2 instance if termination protection has not been enabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447041[]' id='answer-id-1729626' class='answer   answerof-447041 ' value='1729626'   \/><label for='answer-id-1729626' id='answer-label-1729626' class=' answer'><span>Take snapshots of the Amazon Elastic Block 
Store (Amazon EBS) data volumes that are attached to the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447041[]' id='answer-id-1729627' class='answer   answerof-447041 ' value='1729627'   \/><label for='answer-id-1729627' id='answer-label-1729627' class=' answer'><span>Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447041[]' id='answer-id-1729628' class='answer   answerof-447041 ' value='1729628'   \/><label for='answer-id-1729628' id='answer-label-1729628' class=' answer'><span>Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447041[]' id='answer-id-1729629' class='answer   answerof-447041 ' value='1729629'   \/><label for='answer-id-1729629' id='answer-label-1729629' class=' answer'><span>Immediately remove any entries in the EC2 instance metadata that contain sensitive information.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-447042'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key. 
<br \/>\r<br>When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected. <br \/>\r<br>A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account. <br \/>\r<br>Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_20' value='447042' \/><input type='hidden' id='answerType447042' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447042[]' id='answer-id-1729630' class='answer   answerof-447042 ' value='1729630'   \/><label for='answer-id-1729630' id='answer-label-1729630' class=' answer'><span>In the security account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447042[]' id='answer-id-1729631' class='answer   answerof-447042 ' value='1729631'   \/><label for='answer-id-1729631' id='answer-label-1729631' class=' answer'><span>In the development account, configure an IAM role for the new Lambda function. 
Attach a key policy that allows access to the KMS key in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447042[]' id='answer-id-1729632' class='answer   answerof-447042 ' value='1729632'   \/><label for='answer-id-1729632' id='answer-label-1729632' class=' answer'><span>In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447042[]' id='answer-id-1729633' class='answer   answerof-447042 ' value='1729633'   \/><label for='answer-id-1729633' id='answer-label-1729633' class=' answer'><span>Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447042[]' id='answer-id-1729634' class='answer   answerof-447042 ' value='1729634'   \/><label for='answer-id-1729634' id='answer-label-1729634' class=' answer'><span>Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-447043'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>A company is using IAM Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. <br \/>\r<br>Which solution would allow the company to securely rotate the secrets? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_21' value='447043' \/><input type='hidden' id='answerType447043' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729635' class='answer   answerof-447043 ' value='1729635'   \/><label for='answer-id-1729635' id='answer-label-1729635' class=' answer'><span>Place the RDS instance in a public subnet and an IAM Lambda function outside the VP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729636' class='answer   answerof-447043 ' value='1729636'   \/><label for='answer-id-1729636' id='answer-label-1729636' class=' answer'><span>Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729637' class='answer   answerof-447043 ' value='1729637'   \/><label for='answer-id-1729637' id='answer-label-1729637' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. 
Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729638' class='answer   answerof-447043 ' value='1729638'   \/><label for='answer-id-1729638' id='answer-label-1729638' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function outside the VP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729639' class='answer   answerof-447043 ' value='1729639'   \/><label for='answer-id-1729639' id='answer-label-1729639' class=' answer'><span>Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729640' class='answer   answerof-447043 ' value='1729640'   \/><label for='answer-id-1729640' id='answer-label-1729640' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447043[]' id='answer-id-1729641' class='answer   answerof-447043 ' value='1729641'   \/><label for='answer-id-1729641' id='answer-label-1729641' class=' answer'><span>Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. 
Schedule the Lambda function to run every 3 months to rotate the secrets.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-447044'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. <br \/>\r<br>What should the Security Engineer do to block the malicious bot?<\/div><input type='hidden' name='question_id[]' id='qID_22' value='447044' \/><input type='hidden' id='answerType447044' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447044[]' id='answer-id-1729642' class='answer   answerof-447044 ' value='1729642'   \/><label for='answer-id-1729642' id='answer-label-1729642' class=' answer'><span>Add a deny rule to the public VPC security group to block the malicious IP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447044[]' id='answer-id-1729643' class='answer   answerof-447044 ' value='1729643'   \/><label for='answer-id-1729643' id='answer-label-1729643' class=' answer'><span>Add the malicious IP to IAM WAF blacklisted IPs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447044[]' id='answer-id-1729644' class='answer   answerof-447044 ' value='1729644'   \/><label for='answer-id-1729644' id='answer-label-1729644' class=' answer'><span>Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447044[]' 
id='answer-id-1729645' class='answer   answerof-447044 ' value='1729645'   \/><label for='answer-id-1729645' id='answer-label-1729645' class=' answer'><span>Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-447045'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch. <br \/>\r<br>What should the security engineer do next to meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_23' value='447045' \/><input type='hidden' id='answerType447045' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447045[]' id='answer-id-1729646' class='answer   answerof-447045 ' value='1729646'   \/><label for='answer-id-1729646' id='answer-label-1729646' class=' answer'><span>Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447045[]' id='answer-id-1729647' class='answer   answerof-447045 ' value='1729647'   \/><label for='answer-id-1729647' id='answer-label-1729647' class=' answer'><span>Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. 
Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447045[]' id='answer-id-1729648' class='answer   answerof-447045 ' value='1729648'   \/><label for='answer-id-1729648' id='answer-label-1729648' class=' answer'><span>Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447045[]' id='answer-id-1729649' class='answer   answerof-447045 ' value='1729649'   \/><label for='answer-id-1729649' id='answer-label-1729649' class=' answer'><span>Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-447046'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly. <br \/>\r<br>The security team must create a process that will allow application teams to provision their own IAM roles. <br \/>\r<br>The process must also limit the scope of IAM roles and prevent privilege escalation. 
<br \/>\r<br>Which solution will meet these requirements with the LEAST operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_24' value='447046' \/><input type='hidden' id='answerType447046' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447046[]' id='answer-id-1729650' class='answer   answerof-447046 ' value='1729650'   \/><label for='answer-id-1729650' id='answer-label-1729650' class=' answer'><span>Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447046[]' id='answer-id-1729651' class='answer   answerof-447046 ' value='1729651'   \/><label for='answer-id-1729651' id='answer-label-1729651' class=' answer'><span>Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447046[]' id='answer-id-1729652' class='answer   answerof-447046 ' value='1729652'   \/><label for='answer-id-1729652' id='answer-label-1729652' class=' answer'><span>Put each AWS account in its own O<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447046[]' id='answer-id-1729653' class='answer   answerof-447046 ' value='1729653'   \/><label for='answer-id-1729653' id='answer-label-1729653' class=' answer'><span>Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. 
Include conditions in the AWS account of each team.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447046[]' id='answer-id-1729654' class='answer   answerof-447046 ' value='1729654'   \/><label for='answer-id-1729654' id='answer-label-1729654' class=' answer'><span>Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-447047'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via IAM CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems. <br \/>\r<br>What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?<\/div><input type='hidden' name='question_id[]' id='qID_25' value='447047' \/><input type='hidden' id='answerType447047' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447047[]' id='answer-id-1729655' class='answer   answerof-447047 ' value='1729655'   \/><label for='answer-id-1729655' id='answer-label-1729655' class=' answer'><span>On a recurring basis, update IAM user policies to require that EC2 instances are created with an encrypted volume<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447047[]' id='answer-id-1729656' class='answer   answerof-447047 ' value='1729656'   \/><label for='answer-id-1729656' id='answer-label-1729656' class=' 
answer'><span>Configure an IAM Config rule to run on a recurring basis for volume encryption<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447047[]' id='answer-id-1729657' class='answer   answerof-447047 ' value='1729657'   \/><label for='answer-id-1729657' id='answer-label-1729657' class=' answer'><span>Set up Amazon Inspector rules for volume encryption to run on a recurring schedule<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447047[]' id='answer-id-1729658' class='answer   answerof-447047 ' value='1729658'   \/><label for='answer-id-1729658' id='answer-label-1729658' class=' answer'><span>Use CloudWatch Logs to determine whether instances were created with an encrypted volume<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-447048'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt. <br \/>\r<br>Which issues that are related to the CMK could be reasons for the error? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_26' value='447048' \/><input type='hidden' id='answerType447048' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447048[]' id='answer-id-1729659' class='answer   answerof-447048 ' value='1729659'   \/><label for='answer-id-1729659' id='answer-label-1729659' class=' answer'><span>The CMK that is used in the attempt does not exist.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447048[]' id='answer-id-1729660' class='answer   answerof-447048 ' value='1729660'   \/><label for='answer-id-1729660' id='answer-label-1729660' class=' answer'><span>The CMK that is used in the attempt needs to be rotated.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447048[]' id='answer-id-1729661' class='answer   answerof-447048 ' value='1729661'   \/><label for='answer-id-1729661' id='answer-label-1729661' class=' answer'><span>The CMK that is used in the attempt is using the CMK's key ID instead of the CMK AR<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447048[]' id='answer-id-1729662' class='answer   answerof-447048 ' value='1729662'   \/><label for='answer-id-1729662' id='answer-label-1729662' class=' answer'><span>The CMK that is used in the attempt is not enabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447048[]' id='answer-id-1729663' class='answer   answerof-447048 ' value='1729663'   \/><label for='answer-id-1729663' id='answer-label-1729663' class=' answer'><span>The CMK that is used in the attempt is using an alias.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end 
questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-447049'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read\/write and read-only functionality. The modules need their own database users for compliance reasons. <br \/>\r<br>Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_27' value='447049' \/><input type='hidden' id='answerType447049' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447049[]' id='answer-id-1729664' class='answer   answerof-447049 ' value='1729664'   \/><label for='answer-id-1729664' id='answer-label-1729664' class=' answer'><span>Configure cluster security groups for each application module to control access to database users that are required for read-only and read\/write<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447049[]' id='answer-id-1729665' class='answer   answerof-447049 ' value='1729665'   \/><label for='answer-id-1729665' id='answer-label-1729665' class=' answer'><span>Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read\/write<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447049[]' id='answer-id-1729666' class='answer   answerof-447049 ' value='1729666'   \/><label for='answer-id-1729666' id='answer-label-1729666' class=' answer'><span>Configure an 
IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447049[]' id='answer-id-1729667' class='answer   answerof-447049 ' value='1729667'   \/><label for='answer-id-1729667' id='answer-label-1729667' class=' answer'><span>Create local database users for each module<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447049[]' id='answer-id-1729668' class='answer   answerof-447049 ' value='1729668'   \/><label for='answer-id-1729668' id='answer-label-1729668' class=' answer'><span>Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-447050'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. 
<\/span>A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow. The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform. The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group. <br \/>\r<br>Which solution will meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_28' value='447050' \/><input type='hidden' id='answerType447050' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447050[]' id='answer-id-1729669' class='answer   answerof-447050 ' value='1729669'   \/><label for='answer-id-1729669' id='answer-label-1729669' class=' answer'><span>Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region in the LogConfiguration property<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447050[]' id='answer-id-1729670' class='answer   answerof-447050 ' value='1729670'   \/><label for='answer-id-1729670' id='answer-label-1729670' class=' answer'><span>Download and configure the CloudWatch agent on the container instances<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447050[]' id='answer-id-1729671' class='answer   answerof-447050 ' value='1729671'   \/><label for='answer-id-1729671' id='answer-label-1729671' class=' answer'><span>Set up Fluent Bit and Fluentd as a DaemonSet to send logs to Amazon CloudWatch Logs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447050[]' id='answer-id-1729672' class='answer   answerof-447050 ' value='1729672'   \/><label for='answer-id-1729672' id='answer-label-1729672' class=' 
answer'><span>Configure an IAM policy that includes the logs:CreateLogGroup action. Assign the policy to the container instances<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-447051'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables. <br \/>\r<br>The application must: <br \/>\r<br>&#8226; Include migration to a different IAM Region in the application disaster recovery plan. <br \/>\r<br>&#8226; Provide a full audit trail of encryption key administration events. <br \/>\r<br>&#8226; Allow only company administrators to administer keys. <br \/>\r<br>&#8226; Protect data at rest using application layer encryption. <br \/>\r<br>A Security Engineer is evaluating options for encryption key management. <br \/>\r<br>Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?<\/div><input type='hidden' name='question_id[]' id='qID_29' value='447051' \/><input type='hidden' id='answerType447051' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447051[]' id='answer-id-1729673' class='answer   answerof-447051 ' value='1729673'   \/><label for='answer-id-1729673' id='answer-label-1729673' class=' answer'><span>The key administration event logging generated by CloudHSM is significantly more extensive than IAM KM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447051[]' id='answer-id-1729674' class='answer   answerof-447051 ' value='1729674'   \/><label 
for='answer-id-1729674' id='answer-label-1729674' class=' answer'><span>CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447051[]' id='answer-id-1729675' class='answer   answerof-447051 ' value='1729675'   \/><label for='answer-id-1729675' id='answer-label-1729675' class=' answer'><span>The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447051[]' id='answer-id-1729676' class='answer   answerof-447051 ' value='1729676'   \/><label for='answer-id-1729676' id='answer-label-1729676' class=' answer'><span>CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   watupro-question-id-447052'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. <br \/>\r<br>Which combination of steps will meet these requirements with the LEAST effort? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_30' value='447052' \/><input type='hidden' id='answerType447052' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447052[]' id='answer-id-1729677' class='answer   answerof-447052 ' value='1729677'   \/><label for='answer-id-1729677' id='answer-label-1729677' class=' answer'><span>Configure access logging for the required API stage.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447052[]' id='answer-id-1729678' class='answer   answerof-447052 ' value='1729678'   \/><label for='answer-id-1729678' id='answer-label-1729678' class=' answer'><span>Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447052[]' id='answer-id-1729679' class='answer   answerof-447052 ' value='1729679'   \/><label for='answer-id-1729679' id='answer-label-1729679' class=' answer'><span>Configure an Amazon S3 destination for API Gateway logs. 
Run Amazon Athena queries to analyze API access information.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447052[]' id='answer-id-1729680' class='answer   answerof-447052 ' value='1729680'   \/><label for='answer-id-1729680' id='answer-label-1729680' class=' answer'><span>Use Amazon CloudWatch Logs Insights to analyze API access information.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447052[]' id='answer-id-1729681' class='answer   answerof-447052 ' value='1729681'   \/><label for='answer-id-1729681' id='answer-label-1729681' class=' answer'><span>Select the Enable Detailed CloudWatch Metrics option on the required API stage.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-447053'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>A company stores sensitive documents in Amazon S3 by using server-side encryption with an IAM Key Management Service (IAM KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions. <br \/>\r<br>Which statement should the company add to the key policy to meet this requirement? 
<br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=369 height=192 id=\"\u56fe\u7247 38\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image027.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=360 height=191 id=\"\u56fe\u7247 37\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image028.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=440 height=227 id=\"\u56fe\u7247 1\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image029.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_31' value='447053' \/><input type='hidden' id='answerType447053' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447053[]' id='answer-id-1729682' class='answer   answerof-447053 ' value='1729682'   \/><label for='answer-id-1729682' id='answer-label-1729682' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447053[]' id='answer-id-1729683' class='answer   answerof-447053 ' value='1729683'   \/><label for='answer-id-1729683' id='answer-label-1729683' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447053[]' id='answer-id-1729684' class='answer   answerof-447053 ' value='1729684'   \/><label for='answer-id-1729684' id='answer-label-1729684' class=' answer'><span>Option C<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-447054'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. 
<\/span>A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database. <br \/>\r<br>During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual. <br \/>\r<br>Which combination of options can the company use to meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_32' value='447054' \/><input type='hidden' id='answerType447054' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447054[]' id='answer-id-1729685' class='answer   answerof-447054 ' value='1729685'   \/><label for='answer-id-1729685' id='answer-label-1729685' class=' answer'><span>Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447054[]' id='answer-id-1729686' class='answer   answerof-447054 ' value='1729686'   \/><label for='answer-id-1729686' id='answer-label-1729686' class=' answer'><span>Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. 
Use the snapshot to restore the DB instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447054[]' id='answer-id-1729687' class='answer   answerof-447054 ' value='1729687'   \/><label for='answer-id-1729687' id='answer-label-1729687' class=' answer'><span>Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awards key. Select this key as the encryption key for operations with Amazon RD<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447054[]' id='answer-id-1729688' class='answer   answerof-447054 ' value='1729688'   \/><label for='answer-id-1729688' id='answer-label-1729688' class=' answer'><span>Use IAM Key Management Service (IAM KMS) to create a new CM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447054[]' id='answer-id-1729689' class='answer   answerof-447054 ' value='1729689'   \/><label for='answer-id-1729689' id='answer-label-1729689' class=' answer'><span>Select this key as the encryption key for operations with Amazon RD<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447054[]' id='answer-id-1729690' class='answer   answerof-447054 ' value='1729690'   \/><label for='answer-id-1729690' id='answer-label-1729690' class=' answer'><span>Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-447055'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. 
<\/span>A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions. <br \/>\r<br>A user is unable to assume the IAM role in the target account. <br \/>\r<br>The policy attached to the role in the identity account is: <br \/>\r<br><br><img decoding=\"async\" width=504 height=285 id=\"\u56fe\u7247 50\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image015.png\"><br><br \/>\r<br>What should be done to enable the user to assume the appropriate role in the target account? <br \/>\r<br><br><img decoding=\"async\" width=642 height=306 id=\"\u56fe\u7247 49\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image016-1.png\"><br><br \/>\r<br><br><img decoding=\"async\" width=650 height=525 id=\"\u56fe\u7247 48\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image017-1.png\"><br><br \/>\r<br><br><img decoding=\"async\" width=649 height=219 id=\"\u56fe\u7247 47\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image018-5.jpg\"><br><\/div><input type='hidden' name='question_id[]' id='qID_33' value='447055' \/><input type='hidden' id='answerType447055' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447055[]' id='answer-id-1729691' class='answer   answerof-447055 ' value='1729691'   \/><label for='answer-id-1729691' id='answer-label-1729691' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447055[]' id='answer-id-1729692' class='answer   answerof-447055 ' value='1729692'   \/><label for='answer-id-1729692' 
id='answer-label-1729692' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447055[]' id='answer-id-1729693' class='answer   answerof-447055 ' value='1729693'   \/><label for='answer-id-1729693' id='answer-label-1729693' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447055[]' id='answer-id-1729694' class='answer   answerof-447055 ' value='1729694'   \/><label for='answer-id-1729694' id='answer-label-1729694' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-447056'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function. <br \/>\r<br>When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an \u201cerror loading Log Streams\u201d message appears. 
<br \/>\r<br>The IAM policy for the Lambda function's execution role contains the following: <br \/>\r<br><br><img decoding=\"async\" width=638 height=232 id=\"\u56fe\u7247 51\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image014.png\"><br><br \/>\r<br>How should the security engineer correct the error?<\/div><input type='hidden' name='question_id[]' id='qID_34' value='447056' \/><input type='hidden' id='answerType447056' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447056[]' id='answer-id-1729695' class='answer   answerof-447056 ' value='1729695'   \/><label for='answer-id-1729695' id='answer-label-1729695' class=' answer'><span>Move the logs:CreateLogGroup action to the second Allow statement.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447056[]' id='answer-id-1729696' class='answer   answerof-447056 ' value='1729696'   \/><label for='answer-id-1729696' id='answer-label-1729696' class=' answer'><span>Add the logs:PutDestination action to the second Allow statement.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447056[]' id='answer-id-1729697' class='answer   answerof-447056 ' value='1729697'   \/><label for='answer-id-1729697' id='answer-label-1729697' class=' answer'><span>Add the logs:GetLogEvents action to the second Allow statement.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447056[]' id='answer-id-1729698' class='answer   answerof-447056 ' value='1729698'   \/><label for='answer-id-1729698' id='answer-label-1729698' class=' answer'><span>Add the logs:CreateLogStream action to the second Allow statement.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end 
questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-447057'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket directly. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_35' value='447057' \/><input type='hidden' id='answerType447057' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447057[]' id='answer-id-1729699' class='answer   answerof-447057 ' value='1729699'   \/><label for='answer-id-1729699' id='answer-label-1729699' class=' answer'><span>Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447057[]' id='answer-id-1729700' class='answer   answerof-447057 ' value='1729700'   \/><label for='answer-id-1729700' id='answer-label-1729700' class=' answer'><span>Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447057[]' id='answer-id-1729701' class='answer   answerof-447057 ' value='1729701'   \/><label for='answer-id-1729701' id='answer-label-1729701' class=' answer'><span>Create an S3 role in AWS Identity and Access Management (IAM). 
Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447057[]' id='answer-id-1729702' class='answer   answerof-447057 ' value='1729702'   \/><label for='answer-id-1729702' id='answer-label-1729702' class=' answer'><span>Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-447058'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully. <br \/>\r<br>The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks. <br \/>\r<br>Which combination of steps will ensure consistent deployment of the stacks MOST securely? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_36' value='447058' \/><input type='hidden' id='answerType447058' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447058[]' id='answer-id-1729703' class='answer   answerof-447058 ' value='1729703'   \/><label for='answer-id-1729703' id='answer-label-1729703' class=' answer'><span>Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447058[]' id='answer-id-1729704' class='answer   answerof-447058 ' value='1729704'   \/><label for='answer-id-1729704' id='answer-label-1729704' class=' answer'><span>Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447058[]' id='answer-id-1729705' class='answer   answerof-447058 ' value='1729705'   \/><label for='answer-id-1729705' id='answer-label-1729705' class=' answer'><span>For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447058[]' id='answer-id-1729706' class='answer   answerof-447058 ' value='1729706'   \/><label for='answer-id-1729706' id='answer-label-1729706' class=' answer'><span>For each required set of permissions, add a separate policy to the role to allow those permissions. 
Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447058[]' id='answer-id-1729707' class='answer   answerof-447058 ' value='1729707'   \/><label for='answer-id-1729707' id='answer-label-1729707' class=' answer'><span>Update each stack to use the service role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447058[]' id='answer-id-1729708' class='answer   answerof-447058 ' value='1729708'   \/><label for='answer-id-1729708' id='answer-label-1729708' class=' answer'><span>Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-447059'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>A developer is building a serverless application hosted on IAM that uses Amazon Redshift as a data store. The application has separate modules for read\/write and read-only functionality. The modules need their own database users for compliance reasons. 
<br \/>\r<br>Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_37' value='447059' \/><input type='hidden' id='answerType447059' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447059[]' id='answer-id-1729709' class='answer   answerof-447059 ' value='1729709'   \/><label for='answer-id-1729709' id='answer-label-1729709' class=' answer'><span>Configure cluster security groups for each application module to control access to database users that are required for read-only and read\/write.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447059[]' id='answer-id-1729710' class='answer   answerof-447059 ' value='1729710'   \/><label for='answer-id-1729710' id='answer-label-1729710' class=' answer'><span>Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read\/write<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447059[]' id='answer-id-1729711' class='answer   answerof-447059 ' value='1729711'   \/><label for='answer-id-1729711' id='answer-label-1729711' class=' answer'><span>Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447059[]' id='answer-id-1729712' class='answer   answerof-447059 ' value='1729712'   \/><label for='answer-id-1729712' id='answer-label-1729712' class=' answer'><span>Create local database users for each module<\/span><\/label><\/div><div 
class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447059[]' id='answer-id-1729713' class='answer   answerof-447059 ' value='1729713'   \/><label for='answer-id-1729713' id='answer-label-1729713' class=' answer'><span>Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-447060'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>A company\u2019s public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB. <br \/>\r<br>The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances. <br \/>\r<br>Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? 
(Choose two.)<\/div><input type='hidden' name='question_id[]' id='qID_38' value='447060' \/><input type='hidden' id='answerType447060' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447060[]' id='answer-id-1729714' class='answer   answerof-447060 ' value='1729714'   \/><label for='answer-id-1729714' id='answer-label-1729714' class=' answer'><span>Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the AL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447060[]' id='answer-id-1729715' class='answer   answerof-447060 ' value='1729715'   \/><label for='answer-id-1729715' id='answer-label-1729715' class=' answer'><span>Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the AL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447060[]' id='answer-id-1729716' class='answer   answerof-447060 ' value='1729716'   \/><label for='answer-id-1729716' id='answer-label-1729716' class=' answer'><span>Configure the ALB to forward only requests that contain the custom HTTP header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447060[]' id='answer-id-1729717' class='answer   answerof-447060 ' value='1729717'   \/><label for='answer-id-1729717' id='answer-label-1729717' class=' answer'><span>Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447060[]' id='answer-id-1729718' class='answer   answerof-447060 ' value='1729718'   \/><label for='answer-id-1729718' id='answer-label-1729718' class=' answer'><span>Configure the 
ALB and CloudFront to use the same<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447060[]' id='answer-id-1729719' class='answer   answerof-447060 ' value='1729719'   \/><label for='answer-id-1729719' id='answer-label-1729719' class=' answer'><span>509 certificate that is generated by AWS Certificate Manager (ACM).<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-447061'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account. <br \/>\r<br>Which configuration caused this issue? 
<br \/>\r<br>A) An SCP is attached to the account with the following permission statement: <br \/>\r<br><br><img decoding=\"async\" width=390 height=619 id=\"\u56fe\u7247 46\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image019-1.png\"><br><br \/>\r<br>B) A permission boundary policy is attached to the System Administrator role with the following permission statement: <br \/>\r<br><br><img decoding=\"async\" width=389 height=683 id=\"\u56fe\u7247 45\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image020-1.png\"><br><br \/>\r<br>C) A permission boundary is attached to the System Administrator role with the following permission statement: <br \/>\r<br><br><img decoding=\"async\" width=231 height=294 id=\"\u56fe\u7247 44\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image021-1.png\"><br><br \/>\r<br>D) An SCP is attached to the account with the following statement: <br \/>\r<br><br><img decoding=\"async\" width=233 height=342 id=\"\u56fe\u7247 43\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image022.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_39' value='447061' \/><input type='hidden' id='answerType447061' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447061[]' id='answer-id-1729720' class='answer   answerof-447061 ' value='1729720'   \/><label for='answer-id-1729720' id='answer-label-1729720' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447061[]' id='answer-id-1729721' class='answer   answerof-447061 ' value='1729721'   \/><label for='answer-id-1729721' id='answer-label-1729721' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' 
><input type='radio' name='answer-447061[]' id='answer-id-1729722' class='answer   answerof-447061 ' value='1729722'   \/><label for='answer-id-1729722' id='answer-label-1729722' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447061[]' id='answer-id-1729723' class='answer   answerof-447061 ' value='1729723'   \/><label for='answer-id-1729723' id='answer-label-1729723' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-447062'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). <br \/>\r<br>The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin. <br \/>\r<br>During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. 
<br \/>\r<br>How can the security engineer improve the security at the edge of the solution to defend against this type of attack?<\/div><input type='hidden' name='question_id[]' id='qID_40' value='447062' \/><input type='hidden' id='answerType447062' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447062[]' id='answer-id-1729724' class='answer   answerof-447062 ' value='1729724'   \/><label for='answer-id-1729724' id='answer-label-1729724' class=' answer'><span>Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447062[]' id='answer-id-1729725' class='answer   answerof-447062 ' value='1729725'   \/><label for='answer-id-1729725' id='answer-label-1729725' class=' answer'><span>Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447062[]' id='answer-id-1729726' class='answer   answerof-447062 ' value='1729726'   \/><label for='answer-id-1729726' id='answer-label-1729726' class=' answer'><span>Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447062[]' id='answer-id-1729727' class='answer   answerof-447062 ' value='1729727'   \/><label for='answer-id-1729727' id='answer-label-1729727' class=' answer'><span>Configure the CloudFront distribution to use IAM WAF as its origin instead of the AL<\/span><\/label><\/div><!-- end 
question-choices--><\/div><!-- end questionWrap--><\/div><\/div>\n\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n\n<p>&nbsp;<\/p>\n<h3>You can continue to read the <a href=\"https:\/\/www.dumpsbase.com\/freedumps\/continue-to-read-the-scs-c03-free-dumps-part-2-q41-q80-get-the-scs-c03-dumps-v8-02-to-make-preparations.html\"><span style=\"background-color: #ffff99;\"><em>Amazon SCS-C03 free dumps (Part 2, Q41-Q80) of V8.02<\/em><\/span><\/a> here to check more.<\/h3>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The AWS Certified Security &#8211; Specialty certification has been upgraded. You must pass the SCS-C03 exam to validate your expertise in creating and implementing security solutions in the AWS Cloud, not the SCS-C02 exam. To support your success, the new SCS-C03 dumps (V8.02) from DumpsBase are available online. 
With the SCS-C03 dumps (V8.02), you can [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,15758],"tags":[20697,20698],"class_list":["post-116484","post","type-post","status-publish","format-standard","hentry","category-amazon","category-aws-certified-specialty","tag-aws-certified-security-specialty-scs-c03","tag-scs-c03-exam-dumps"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/116484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=116484"}],"version-history":[{"count":2,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/116484\/revisions"}],"predecessor-version":[{"id":116749,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/116484\/revisions\/116749"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=116484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=116484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=116484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}