{"id":116731,"date":"2026-01-01T03:57:45","date_gmt":"2026-01-01T03:57:45","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=116731"},"modified":"2025-12-31T03:59:28","modified_gmt":"2025-12-31T03:59:28","slug":"continue-to-read-the-scs-c03-free-dumps-part-2-q41-q80-get-the-scs-c03-dumps-v8-02-to-make-preparations","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/continue-to-read-the-scs-c03-free-dumps-part-2-q41-q80-get-the-scs-c03-dumps-v8-02-to-make-preparations.html","title":{"rendered":"Continue to Read the SCS-C03 Free Dumps (Part 2, Q41-Q80): Get the SCS-C03 Dumps (V8.02) to Make Preparations"},"content":{"rendered":"<p>DumpsBase\u2019s SCS-C03 dumps (V8.02) are available for improving the AWS Certified Security &#8211; Specialty certification exam preparation. Our dumps offer real exam questions and answers, which will help you solve your problem with the complexities of difficult exam concepts. They make concepts simple and easy to understand. If you feel it would be difficult to pass the SCS-C03 test, then you can go through our SCS-C03 dumps (V8.02) that will help you to pass your AWS Certified Security &#8211; Specialty exam on the first attempt. You may have read our <a href=\"https:\/\/www.dumpsbase.com\/freedumps\/new-scs-c03-dumps-v8-02-for-your-aws-certified-security-specialty-certification-preparation-check-the-scs-c03-free-dumps-part-1-q1-q40-first.html\"><em><strong>SCS-C03 free dumps (Part 1, Q1-Q40) of V8.02<\/strong><\/em><\/a> to check the quality first. 
And please believe that our SCS-C03 dumps (V8.02) are reliable and authentic because all questions are prepared by experts, which are more comfortable for you to appear successfully in the actual exam.<\/p>\n<h2>Continue to read our <span style=\"background-color: #ffff00;\"><em>SCS-C03 free dumps (Part 2, Q41-Q80) of V8.02 below<\/em><\/span>:<\/h2>\n  \n  \n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam11375\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-11375\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-11375\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-447063'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet. <br \/>\r<br>To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances. 
<br \/>\r<br>What should the security engineer do next?<\/div><input type='hidden' name='question_id[]' id='qID_1' value='447063' \/><input type='hidden' id='answerType447063' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447063[]' id='answer-id-1729728' class='answer   answerof-447063 ' value='1729728'   \/><label for='answer-id-1729728' id='answer-label-1729728' class=' answer'><span>Place the network interface in promiscuous mode to capture the traffic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447063[]' id='answer-id-1729729' class='answer   answerof-447063 ' value='1729729'   \/><label for='answer-id-1729729' id='answer-label-1729729' class=' answer'><span>Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447063[]' id='answer-id-1729730' class='answer   answerof-447063 ' value='1729730'   \/><label for='answer-id-1729730' id='answer-label-1729730' class=' answer'><span>Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447063[]' id='answer-id-1729731' class='answer   answerof-447063 ' value='1729731'   \/><label for='answer-id-1729731' id='answer-label-1729731' class=' answer'><span>Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   
watupro-question-id-447064'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm recently learned that the photographs are being accessed from nations in which it does not have a distribution license. <br \/>\r<br>Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)<\/div><input type='hidden' name='question_id[]' id='qID_2' value='447064' \/><input type='hidden' id='answerType447064' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447064[]' id='answer-id-1729732' class='answer   answerof-447064 ' value='1729732'   \/><label for='answer-id-1729732' id='answer-label-1729732' class=' answer'><span>Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447064[]' id='answer-id-1729733' class='answer   answerof-447064 ' value='1729733'   \/><label for='answer-id-1729733' id='answer-label-1729733' class=' answer'><span>Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447064[]' id='answer-id-1729734' class='answer   answerof-447064 ' value='1729734'   \/><label for='answer-id-1729734' id='answer-label-1729734' class=' answer'><span>Add a CloudFront geo restriction deny list of countries where the company lacks a license.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447064[]' id='answer-id-1729735' class='answer   
answerof-447064 ' value='1729735'   \/><label for='answer-id-1729735' id='answer-label-1729735' class=' answer'><span>Update the S3 bucket policy with a deny list of countries where the company lacks a license.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447064[]' id='answer-id-1729736' class='answer   answerof-447064 ' value='1729736'   \/><label for='answer-id-1729736' id='answer-label-1729736' class=' answer'><span>Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-447065'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account. <br \/>\r<br>Which combination of steps must the company perform to meet this requirement? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_3' value='447065' \/><input type='hidden' id='answerType447065' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447065[]' id='answer-id-1729737' class='answer   answerof-447065 ' value='1729737'   \/><label for='answer-id-1729737' id='answer-label-1729737' class=' answer'><span>Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. 
Attach the identity policy to the IAM user.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447065[]' id='answer-id-1729738' class='answer   answerof-447065 ' value='1729738'   \/><label for='answer-id-1729738' id='answer-label-1729738' class=' answer'><span>Ensure that the sts:AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447065[]' id='answer-id-1729739' class='answer   answerof-447065 ' value='1729739'   \/><label for='answer-id-1729739' id='answer-label-1729739' class=' answer'><span>Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447065[]' id='answer-id-1729740' class='answer   answerof-447065 ' value='1729740'   \/><label for='answer-id-1729740' id='answer-label-1729740' class=' answer'><span>Establish a trust relationship between the IAM user and the AWS account that contains the resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447065[]' id='answer-id-1729741' class='answer   answerof-447065 ' value='1729741'   \/><label for='answer-id-1729741' id='answer-label-1729741' class=' answer'><span>Create a role in the IAM user's AWS account. Create an identity policy that allows the sts:AssumeRole action. 
Attach the identity policy to the role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-447066'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. <br \/>\r<br>How can the security engineer meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_4' value='447066' \/><input type='hidden' id='answerType447066' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447066[]' id='answer-id-1729742' class='answer   answerof-447066 ' value='1729742'   \/><label for='answer-id-1729742' id='answer-label-1729742' class=' answer'><span>Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447066[]' id='answer-id-1729743' class='answer   answerof-447066 ' value='1729743'   \/><label for='answer-id-1729743' id='answer-label-1729743' class=' answer'><span>Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447066[]' id='answer-id-1729744' class='answer   
answerof-447066 ' value='1729744'   \/><label for='answer-id-1729744' id='answer-label-1729744' class=' answer'><span>Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447066[]' id='answer-id-1729745' class='answer   answerof-447066 ' value='1729745'   \/><label for='answer-id-1729745' id='answer-label-1729745' class=' answer'><span>Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a \r\nnew IAM group. Have team members use individual IAM accounts that are members of the new IAM group.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-447067'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. <br \/>\r<br>The company has not monitored account activity in the past. <br \/>\r<br>The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible. 
<br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_5' value='447067' \/><input type='hidden' id='answerType447067' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447067[]' id='answer-id-1729746' class='answer   answerof-447067 ' value='1729746'   \/><label for='answer-id-1729746' id='answer-label-1729746' class=' answer'><span>In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447067[]' id='answer-id-1729747' class='answer   answerof-447067 ' value='1729747'   \/><label for='answer-id-1729747' id='answer-label-1729747' class=' answer'><span>Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447067[]' id='answer-id-1729748' class='answer   answerof-447067 ' value='1729748'   \/><label for='answer-id-1729748' id='answer-label-1729748' class=' answer'><span>In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447067[]' id='answer-id-1729749' class='answer   answerof-447067 ' value='1729749'   \/><label for='answer-id-1729749' id='answer-label-1729749' class=' answer'><span>Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. 
Configure the assessment to assess by resource.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-447068'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>A Development team has built an experimental environment to test a simple stale web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances. <br \/>\r<br>There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity. <br \/>\r<br>Which of the following should the team check if a server cannot establish an outbound connection to the internet? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_6' value='447068' \/><input type='hidden' id='answerType447068' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447068[]' id='answer-id-1729750' class='answer   answerof-447068 ' value='1729750'   \/><label for='answer-id-1729750' id='answer-label-1729750' class=' answer'><span>The route tables and the outbound rules on the appropriate private subnet security group<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447068[]' id='answer-id-1729751' class='answer   answerof-447068 ' value='1729751'   \/><label for='answer-id-1729751' id='answer-label-1729751' class=' answer'><span>The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447068[]' id='answer-id-1729752' class='answer   answerof-447068 ' value='1729752'   \/><label for='answer-id-1729752' id='answer-label-1729752' class=' answer'><span>The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447068[]' id='answer-id-1729753' class='answer   answerof-447068 ' value='1729753'   \/><label for='answer-id-1729753' id='answer-label-1729753' class=' answer'><span>The rules on any host-based firewall that may be applied on the Amazon EC2 instances<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447068[]' id='answer-id-1729754' class='answer   answerof-447068 ' value='1729754'   \/><label for='answer-id-1729754' id='answer-label-1729754' class=' 
answer'><span>The Security Group applied to the Application Load Balancer and NAT gateway<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447068[]' id='answer-id-1729755' class='answer   answerof-447068 ' value='1729755'   \/><label for='answer-id-1729755' id='answer-label-1729755' class=' answer'><span>That the 0.0.0.0\/0 route in the private subnet route table points to the internet gateway in the public subnet<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-447069'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks. A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that it is never accessible directly. 
<br \/>\r<br>How should the security engineer build the MOST secure solution?<\/div><input type='hidden' name='question_id[]' id='qID_7' value='447069' \/><input type='hidden' id='answerType447069' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447069[]' id='answer-id-1729756' class='answer   answerof-447069 ' value='1729756'   \/><label for='answer-id-1729756' id='answer-label-1729756' class=' answer'><span>Add an origin custom header. Set the viewer protocol policy to HTTP and HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447069[]' id='answer-id-1729757' class='answer   answerof-447069 ' value='1729757'   \/><label for='answer-id-1729757' id='answer-label-1729757' class=' answer'><span>Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447069[]' id='answer-id-1729758' class='answer   answerof-447069 ' value='1729758'   \/><label for='answer-id-1729758' id='answer-label-1729758' class=' answer'><span>Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTP only. Update the application to validate the CloudFront custom header.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447069[]' id='answer-id-1729759' class='answer   answerof-447069 ' value='1729759'   \/><label for='answer-id-1729759' id='answer-label-1729759' class=' answer'><span>Add an origin custom header. Set the viewer protocol policy 
to redirect HTTP to HTTP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447069[]' id='answer-id-1729760' class='answer   answerof-447069 ' value='1729760'   \/><label for='answer-id-1729760' id='answer-label-1729760' class=' answer'><span>Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-447070'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be implemented. <br \/>\r<br>Which statement should the security specialist include in the policy? 
<br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=342 height=145 id=\"\u56fe\u7247 42\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image023.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=598 height=145 id=\"\u56fe\u7247 41\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image024.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=349 height=144 id=\"\u56fe\u7247 40\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image025.png\"><br><br \/>\r<br>D) <br \/>\r<br><br><img decoding=\"async\" width=599 height=145 id=\"\u56fe\u7247 39\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image026.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_8' value='447070' \/><input type='hidden' id='answerType447070' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447070[]' id='answer-id-1729761' class='answer   answerof-447070 ' value='1729761'   \/><label for='answer-id-1729761' id='answer-label-1729761' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447070[]' id='answer-id-1729762' class='answer   answerof-447070 ' value='1729762'   \/><label for='answer-id-1729762' id='answer-label-1729762' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447070[]' id='answer-id-1729763' class='answer   answerof-447070 ' value='1729763'   \/><label for='answer-id-1729763' id='answer-label-1729763' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447070[]' id='answer-id-1729764' class='answer   
answerof-447070 ' value='1729764'   \/><label for='answer-id-1729764' id='answer-label-1729764' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-447071'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account. <br \/>\r<br>Which solutions will provide the Lambda function this access? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_9' value='447071' \/><input type='hidden' id='answerType447071' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447071[]' id='answer-id-1729765' class='answer   answerof-447071 ' value='1729765'   \/><label for='answer-id-1729765' id='answer-label-1729765' class=' answer'><span>Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447071[]' id='answer-id-1729766' class='answer   answerof-447071 ' value='1729766'   \/><label for='answer-id-1729766' id='answer-label-1729766' class=' answer'><span>Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. 
Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447071[]' id='answer-id-1729767' class='answer   answerof-447071 ' value='1729767'   \/><label for='answer-id-1729767' id='answer-label-1729767' class=' answer'><span>Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447071[]' id='answer-id-1729768' class='answer   answerof-447071 ' value='1729768'   \/><label for='answer-id-1729768' id='answer-label-1729768' class=' answer'><span>Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447071[]' id='answer-id-1729769' class='answer   answerof-447071 ' value='1729769'   \/><label for='answer-id-1729769' id='answer-label-1729769' class=' answer'><span>Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group I<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-447072'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and AmazonVPCFullAccess. 
<br \/>\r<br>The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role. <br \/>\r<br>Which solution will meet these requirements in the MOST operationally efficient way?<\/div><input type='hidden' name='question_id[]' id='qID_10' value='447072' \/><input type='hidden' id='answerType447072' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447072[]' id='answer-id-1729770' class='answer   answerof-447072 ' value='1729770'   \/><label for='answer-id-1729770' id='answer-label-1729770' class=' answer'><span>In AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM policy for the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447072[]' id='answer-id-1729771' class='answer   answerof-447072 ' value='1729771'   \/><label for='answer-id-1729771' id='answer-label-1729771' class=' answer'><span>Remove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447072[]' id='answer-id-1729772' class='answer   answerof-447072 ' value='1729772'   \/><label for='answer-id-1729772' id='answer-label-1729772' class=' answer'><span>Create an account analyzer in IAM Access Analyzer. 
Create an archive rule that has a filter that checks whether the Principal Arn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM policies from the role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447072[]' id='answer-id-1729773' class='answer   answerof-447072 ' value='1729773'   \/><label for='answer-id-1729773' id='answer-label-1729773' class=' answer'><span>In AWS CloudTrail, create a trail for management events. Remove the existing AWS managed IAM policies from the role. Run the script. Find the authorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-447073'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour. <br \/>\r<br>The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the company's visibility of potential anomalous behavior. 
<br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_11' value='447073' \/><input type='hidden' id='answerType447073' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447073[]' id='answer-id-1729774' class='answer   answerof-447073 ' value='1729774'   \/><label for='answer-id-1729774' id='answer-label-1729774' class=' answer'><span>Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447073[]' id='answer-id-1729775' class='answer   answerof-447073 ' value='1729775'   \/><label for='answer-id-1729775' id='answer-label-1729775' class=' answer'><span>Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447073[]' id='answer-id-1729776' class='answer   answerof-447073 ' value='1729776'   \/><label for='answer-id-1729776' id='answer-label-1729776' class=' answer'><span>Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447073[]' id='answer-id-1729777' class='answer   answerof-447073 ' value='1729777'   \/><label for='answer-id-1729777' id='answer-label-1729777' class=' answer'><span>Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   
watupro-question-id-447074'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. <\/span>A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region. Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket. <br \/>\r<br>The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3. <br \/>\r<br>After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated. <br \/>\r<br>Which combination of steps should the security engineer take to remediate this issue? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_12' value='447074' \/><input type='hidden' id='answerType447074' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447074[]' id='answer-id-1729778' class='answer   answerof-447074 ' value='1729778'   \/><label for='answer-id-1729778' id='answer-label-1729778' class=' answer'><span>Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447074[]' id='answer-id-1729779' class='answer   answerof-447074 ' value='1729779'   \/><label for='answer-id-1729779' id='answer-label-1729779' class=' answer'><span>Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447074[]' id='answer-id-1729780' class='answer   answerof-447074 ' value='1729780'   \/><label for='answer-id-1729780' id='answer-label-1729780' class=' answer'><span>Grant the IAM role the s3:GetObjectVersionForReplication permission for objects that are in the source S3 bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447074[]' id='answer-id-1729781' class='answer   answerof-447074 ' value='1729781'   \/><label for='answer-id-1729781' id='answer-label-1729781' class=' answer'><span>Grant the IAM role the 
kms:Decrypt permission for the key in us-east-1 that encrypts source objects.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447074[]' id='answer-id-1729782' class='answer   answerof-447074 ' value='1729782'   \/><label for='answer-id-1729782' id='answer-label-1729782' class=' answer'><span>Change the key policy of the key in us-east-1 to grant the kms:Decrypt permission to the security engineer's IAM account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447074[]' id='answer-id-1729783' class='answer   answerof-447074 ' value='1729783'   \/><label for='answer-id-1729783' id='answer-label-1729783' class=' answer'><span>Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-447075'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. <br \/>\r<br>What is the MOST secure way to provide this access?<\/div><input type='hidden' name='question_id[]' id='qID_13' value='447075' \/><input type='hidden' id='answerType447075' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447075[]' id='answer-id-1729784' class='answer   answerof-447075 ' value='1729784'   \/><label for='answer-id-1729784' id='answer-label-1729784' class=' answer'><span>Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. 
Share the password only with the users that need access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447075[]' id='answer-id-1729785' class='answer   answerof-447075 ' value='1729785'   \/><label for='answer-id-1729785' id='answer-label-1729785' class=' answer'><span>Create cross account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447075[]' id='answer-id-1729786' class='answer   answerof-447075 ' value='1729786'   \/><label for='answer-id-1729786' id='answer-label-1729786' class=' answer'><span>Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447075[]' id='answer-id-1729787' class='answer   answerof-447075 ' value='1729787'   \/><label for='answer-id-1729787' id='answer-label-1729787' class=' answer'><span>Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-447076'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>There are currently multiple applications hosted in a VPC. 
During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. <br \/>\r<br>Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?<\/div><input type='hidden' name='question_id[]' id='qID_14' value='447076' \/><input type='hidden' id='answerType447076' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447076[]' id='answer-id-1729788' class='answer   answerof-447076 ' value='1729788'   \/><label for='answer-id-1729788' id='answer-label-1729788' class=' answer'><span>Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447076[]' id='answer-id-1729789' class='answer   answerof-447076 ' value='1729789'   \/><label for='answer-id-1729789' id='answer-label-1729789' class=' answer'><span>Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447076[]' id='answer-id-1729790' class='answer   answerof-447076 ' value='1729790'   \/><label for='answer-id-1729790' id='answer-label-1729790' class=' answer'><span>Add a rule to all of the VPC Security Groups to deny access from the IP address block.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447076[]' id='answer-id-1729791' class='answer   answerof-447076 ' value='1729791'   \/><label for='answer-id-1729791' id='answer-label-1729791' class=' answer'><span>Modify the Windows Firewall 
settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-447077'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. <br \/>\r<br>How should a security engineer implement this solution?<\/div><input type='hidden' name='question_id[]' id='qID_15' value='447077' \/><input type='hidden' id='answerType447077' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447077[]' id='answer-id-1729792' class='answer   answerof-447077 ' value='1729792'   \/><label for='answer-id-1729792' id='answer-label-1729792' class=' answer'><span>Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447077[]' id='answer-id-1729793' class='answer   answerof-447077 ' value='1729793'   \/><label for='answer-id-1729793' id='answer-label-1729793' class=' 
answer'><span>Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447077[]' id='answer-id-1729794' class='answer   answerof-447077 ' value='1729794'   \/><label for='answer-id-1729794' id='answer-label-1729794' class=' answer'><span>Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447077[]' id='answer-id-1729795' class='answer   answerof-447077 ' value='1729795'   \/><label for='answer-id-1729795' id='answer-label-1729795' class=' answer'><span>Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-447078'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>A company is building a data processing application that uses AWS Lambda functions. 
The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. <br \/>\r<br>Which solution meets these requirements in the MOST secure way?<\/div><input type='hidden' name='question_id[]' id='qID_16' value='447078' \/><input type='hidden' id='answerType447078' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447078[]' id='answer-id-1729796' class='answer   answerof-447078 ' value='1729796'   \/><label for='answer-id-1729796' id='answer-label-1729796' class=' answer'><span>Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447078[]' id='answer-id-1729797' class='answer   answerof-447078 ' value='1729797'   \/><label for='answer-id-1729797' id='answer-label-1729797' class=' answer'><span>Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0\/0.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447078[]' id='answer-id-1729798' class='answer   answerof-447078 ' value='1729798'   \/><label for='answer-id-1729798' id='answer-label-1729798' class=' answer'><span>Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447078[]' id='answer-id-1729799' class='answer  
 answerof-447078 ' value='1729799'   \/><label for='answer-id-1729799' id='answer-label-1729799' class=' answer'><span>Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-447079'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>A company that uses AWS Organizations wants to see AWS Security Hub findings for many AWS accounts and AWS Regions. Some of the accounts are in the company's organization, and some accounts are in organizations that the company manages for customers. Although the company can see findings in the Security Hub administrator account for accounts in the company's organization, there are no findings from accounts in other organizations. <br \/>\r<br>Which combination of steps should the company take to see findings from accounts that are outside the organization that includes the Security Hub administrator account? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_17' value='447079' \/><input type='hidden' id='answerType447079' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447079[]' id='answer-id-1729800' class='answer   answerof-447079 ' value='1729800'   \/><label for='answer-id-1729800' id='answer-label-1729800' class=' answer'><span>Use a designated administration account to automatically set up member accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447079[]' id='answer-id-1729801' class='answer   answerof-447079 ' value='1729801'   \/><label for='answer-id-1729801' id='answer-label-1729801' class=' answer'><span>Create the AWSServiceRoleForSecurityHub service-linked role for Security Hub.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447079[]' id='answer-id-1729802' class='answer   answerof-447079 ' value='1729802'   \/><label for='answer-id-1729802' id='answer-label-1729802' class=' answer'><span>Send an administration request from the member accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447079[]' id='answer-id-1729803' class='answer   answerof-447079 ' value='1729803'   \/><label for='answer-id-1729803' id='answer-label-1729803' class=' answer'><span>Enable Security Hub for all member accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447079[]' id='answer-id-1729804' class='answer   answerof-447079 ' value='1729804'   \/><label for='answer-id-1729804' id='answer-label-1729804' class=' answer'><span>Send invitations to accounts that are outside the company's organization from the Security Hub administrator 
account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-447080'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs. <br \/>\r<br>Which AWS services should be used to meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_18' value='447080' \/><input type='hidden' id='answerType447080' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447080[]' id='answer-id-1729805' class='answer   answerof-447080 ' value='1729805'   \/><label for='answer-id-1729805' id='answer-label-1729805' class=' answer'><span>Amazon Athena<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447080[]' id='answer-id-1729806' class='answer   answerof-447080 ' value='1729806'   \/><label for='answer-id-1729806' id='answer-label-1729806' class=' answer'><span>Amazon Kinesis<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447080[]' id='answer-id-1729807' class='answer   answerof-447080 ' value='1729807'   \/><label for='answer-id-1729807' id='answer-label-1729807' class=' answer'><span>Amazon SQS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447080[]' id='answer-id-1729808' class='answer   answerof-447080 ' value='1729808'   \/><label for='answer-id-1729808' id='answer-label-1729808' class=' answer'><span>Amazon 
Elasticsearch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447080[]' id='answer-id-1729809' class='answer   answerof-447080 ' value='1729809'   \/><label for='answer-id-1729809' id='answer-label-1729809' class=' answer'><span>Amazon EMR<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-447081'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. <br \/>\r<br>The administrators need to give a user from Account A full access to the S3 bucket in Account B. <br \/>\r<br>After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket. 
<br \/>\r<br>Which solution will resolve this issue?<\/div><input type='hidden' name='question_id[]' id='qID_19' value='447081' \/><input type='hidden' id='answerType447081' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447081[]' id='answer-id-1729810' class='answer   answerof-447081 ' value='1729810'   \/><label for='answer-id-1729810' id='answer-label-1729810' class=' answer'><span>In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447081[]' id='answer-id-1729811' class='answer   answerof-447081 ' value='1729811'   \/><label for='answer-id-1729811' id='answer-label-1729811' class=' answer'><span>In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447081[]' id='answer-id-1729812' class='answer   answerof-447081 ' value='1729812'   \/><label for='answer-id-1729812' id='answer-label-1729812' class=' answer'><span>In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447081[]' id='answer-id-1729813' class='answer   answerof-447081 ' value='1729813'   \/><label for='answer-id-1729813' id='answer-label-1729813' class=' answer'><span>In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   
watupro-question-id-447082'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices. <br \/>\r<br>Which approach should the security engineer take to meet this requirement?<\/div><input type='hidden' name='question_id[]' id='qID_20' value='447082' \/><input type='hidden' id='answerType447082' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447082[]' id='answer-id-1729814' class='answer   answerof-447082 ' value='1729814'   \/><label for='answer-id-1729814' id='answer-label-1729814' class=' answer'><span>Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447082[]' id='answer-id-1729815' class='answer   answerof-447082 ' value='1729815'   \/><label for='answer-id-1729815' id='answer-label-1729815' class=' answer'><span>Review AWS Trusted Advisor checks for all accounts in the organization.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447082[]' id='answer-id-1729816' class='answer   answerof-447082 ' value='1729816'   \/><label for='answer-id-1729816' id='answer-label-1729816' class=' answer'><span>Set up AWS Audit Manager. 
Run an assessment for all AWS Regions for all accounts.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447082[]' id='answer-id-1729817' class='answer   answerof-447082 ' value='1729817'   \/><label for='answer-id-1729817' id='answer-label-1729817' class=' answer'><span>Ensure that Amazon Inspector agents are installed on all Amazon EC2 instances in all accounts.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-447083'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_21' value='447083' \/><input type='hidden' id='answerType447083' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447083[]' id='answer-id-1729818' class='answer   answerof-447083 ' value='1729818'   \/><label for='answer-id-1729818' id='answer-label-1729818' class=' answer'><span>Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447083[]' id='answer-id-1729819' class='answer   answerof-447083 ' value='1729819'   \/><label for='answer-id-1729819' id='answer-label-1729819' class=' answer'><span>Generate new SSH-RSA private keys for existing instances. 
Implement AWS Systems Manager Session Manager.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447083[]' id='answer-id-1729820' class='answer   answerof-447083 ' value='1729820'   \/><label for='answer-id-1729820' id='answer-label-1729820' class=' answer'><span>Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447083[]' id='answer-id-1729821' class='answer   answerof-447083 ' value='1729821'   \/><label for='answer-id-1729821' id='answer-label-1729821' class=' answer'><span>Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-447084'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>A company uses AWS Organizations to run workloads in multiple AWS accounts. Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP). The company does not have any audit trails, and security groups are occasionally open. The company must secure access management and implement a centralized logging solution. 
<br \/>\r<br>Which solution will meet these requirements MOST securely?<\/div><input type='hidden' name='question_id[]' id='qID_22' value='447084' \/><input type='hidden' id='answerType447084' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447084[]' id='answer-id-1729822' class='answer   answerof-447084 ' value='1729822'   \/><label for='answer-id-1729822' id='answer-label-1729822' class=' answer'><span>Configure trusted access for AWS Systems Manager in Organizations. Configure a bastion host from the management account. Replace SSH and RDP by using Systems Manager Session Manager from the management account. Configure Session Manager logging to Amazon CloudWatch Logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447084[]' id='answer-id-1729823' class='answer   answerof-447084 ' value='1729823'   \/><label for='answer-id-1729823' id='answer-label-1729823' class=' answer'><span>Replace SSH and RDP with AWS Systems Manager Session Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447084[]' id='answer-id-1729824' class='answer   answerof-447084 ' value='1729824'   \/><label for='answer-id-1729824' id='answer-label-1729824' class=' answer'><span>AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudWatch Logs. Create a separate logging account that has appropriate cross-account permissions to audit the log data.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447084[]' id='answer-id-1729825' class='answer   answerof-447084 ' value='1729825'   \/><label for='answer-id-1729825' id='answer-label-1729825' class=' answer'><span>Install a bastion 
host in the management account. Reconfigure all SSH and RDP to allow access only from the bastion host. Install AWS Systems Manager Agent (SSM Agent) on the bastion host. Attach the AmazonSSMManagedInstanceCore role to the bastion host. Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447084[]' id='answer-id-1729826' class='answer   answerof-447084 ' value='1729826'   \/><label for='answer-id-1729826' id='answer-label-1729826' class=' answer'><span>Replace SSH and RDP with AWS Systems Manager State Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudTrail. Use CloudTrail Insights to analyze the trail data.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-447085'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. 
<br \/>\r<br>What is the likely cause of this access denial?<\/div><input type='hidden' name='question_id[]' id='qID_23' value='447085' \/><input type='hidden' id='answerType447085' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447085[]' id='answer-id-1729827' class='answer   answerof-447085 ' value='1729827'   \/><label for='answer-id-1729827' id='answer-label-1729827' class=' answer'><span>The ACL in the bucket needs to be updated<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447085[]' id='answer-id-1729828' class='answer   answerof-447085 ' value='1729828'   \/><label for='answer-id-1729828' id='answer-label-1729828' class=' answer'><span>The IAM policy does not allow the user to access the bucket<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447085[]' id='answer-id-1729829' class='answer   answerof-447085 ' value='1729829'   \/><label for='answer-id-1729829' id='answer-label-1729829' class=' answer'><span>It takes a few minutes for a bucket policy to take effect<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447085[]' id='answer-id-1729830' class='answer   answerof-447085 ' value='1729830'   \/><label for='answer-id-1729830' id='answer-label-1729830' class=' answer'><span>The allow permission is being overridden by the deny<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-447086'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. 
<\/span>A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. <br \/>\r<br>Which actions must the Security Engineer take to address these audit findings? (Select THREE)<\/div><input type='hidden' name='question_id[]' id='qID_24' value='447086' \/><input type='hidden' id='answerType447086' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447086[]' id='answer-id-1729831' class='answer   answerof-447086 ' value='1729831'   \/><label for='answer-id-1729831' id='answer-label-1729831' class=' answer'><span>Ensure CloudTrail log file validation is turned on<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447086[]' id='answer-id-1729832' class='answer   answerof-447086 ' value='1729832'   \/><label for='answer-id-1729832' id='answer-label-1729832' class=' answer'><span>Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447086[]' id='answer-id-1729833' class='answer   answerof-447086 ' value='1729833'   \/><label for='answer-id-1729833' id='answer-label-1729833' class=' answer'><span>Use an S3 bucket with tight access controls that exists in a separate account<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447086[]' id='answer-id-1729834' class='answer   answerof-447086 ' value='1729834'   \/><label for='answer-id-1729834' id='answer-label-1729834' class=' answer'><span>Use Amazon Inspector to monitor the file integrity of CloudTrail log files.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447086[]' 
id='answer-id-1729835' class='answer   answerof-447086 ' value='1729835'   \/><label for='answer-id-1729835' id='answer-label-1729835' class=' answer'><span>Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447086[]' id='answer-id-1729836' class='answer   answerof-447086 ' value='1729836'   \/><label for='answer-id-1729836' id='answer-label-1729836' class=' answer'><span>Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-447087'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. <br \/>\r<br>What should the security engineer do to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_25' value='447087' \/><input type='hidden' id='answerType447087' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447087[]' id='answer-id-1729837' class='answer   answerof-447087 ' value='1729837'   \/><label for='answer-id-1729837' id='answer-label-1729837' class=' answer'><span>Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user<\/span><\/label><\/div><div 
class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447087[]' id='answer-id-1729838' class='answer   answerof-447087 ' value='1729838'   \/><label for='answer-id-1729838' id='answer-label-1729838' class=' answer'><span>Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447087[]' id='answer-id-1729839' class='answer   answerof-447087 ' value='1729839'   \/><label for='answer-id-1729839' id='answer-label-1729839' class=' answer'><span>Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447087[]' id='answer-id-1729840' class='answer   answerof-447087 ' value='1729840'   \/><label for='answer-id-1729840' id='answer-label-1729840' class=' answer'><span>Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-447088'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in: <br \/>\r<br>Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: <br \/>\r<br>InvalidIdentityToken) <br \/>\r<br>A security engineer needs to provide a solution that corrects the error and minimizes operational overhead. 
<br \/>\r<br>Which solution meets these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_26' value='447088' \/><input type='hidden' id='answerType447088' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447088[]' id='answer-id-1729841' class='answer   answerof-447088 ' value='1729841'   \/><label for='answer-id-1729841' id='answer-label-1729841' class=' answer'><span>Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447088[]' id='answer-id-1729842' class='answer   answerof-447088 ' value='1729842'   \/><label for='answer-id-1729842' id='answer-label-1729842' class=' answer'><span>Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447088[]' id='answer-id-1729843' class='answer   answerof-447088 ' value='1729843'   \/><label for='answer-id-1729843' id='answer-label-1729843' class=' answer'><span>Download the updated SAML metadata file from the identity service provider. 
Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447088[]' id='answer-id-1729844' class='answer   answerof-447088 ' value='1729844'   \/><label for='answer-id-1729844' id='answer-label-1729844' class=' answer'><span>Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-447089'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network. <br \/>\r<br>How should the company meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_27' value='447089' \/><input type='hidden' id='answerType447089' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447089[]' id='answer-id-1729845' class='answer   answerof-447089 ' value='1729845'   \/><label for='answer-id-1729845' id='answer-label-1729845' class=' answer'><span>Create a VPC endpoint for Kinesis Data Firehose. 
Configure the application to connect to the VPC endpoint.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447089[]' id='answer-id-1729846' class='answer   answerof-447089 ' value='1729846'   \/><label for='answer-id-1729846' id='answer-label-1729846' class=' answer'><span>Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447089[]' id='answer-id-1729847' class='answer   answerof-447089 ' value='1729847'   \/><label for='answer-id-1729847' id='answer-label-1729847' class=' answer'><span>Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447089[]' id='answer-id-1729848' class='answer   answerof-447089 ' value='1729848'   \/><label for='answer-id-1729848' id='answer-label-1729848' class=' answer'><span>Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-447090'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. 
The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future. <br \/>\r<br>Which steps would help achieve this? (Select TWO)<\/div><input type='hidden' name='question_id[]' id='qID_28' value='447090' \/><input type='hidden' id='answerType447090' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447090[]' id='answer-id-1729849' class='answer   answerof-447090 ' value='1729849'   \/><label for='answer-id-1729849' id='answer-label-1729849' class=' answer'><span>Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447090[]' id='answer-id-1729850' class='answer   answerof-447090 ' value='1729850'   \/><label for='answer-id-1729850' id='answer-label-1729850' class=' answer'><span>Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447090[]' id='answer-id-1729851' class='answer   answerof-447090 ' value='1729851'   \/><label for='answer-id-1729851' id='answer-label-1729851' class=' answer'><span>Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447090[]' id='answer-id-1729852' class='answer   answerof-447090 ' value='1729852'   \/><label for='answer-id-1729852' id='answer-label-1729852' class=' answer'><span>Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, 
use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447090[]' id='answer-id-1729853' class='answer   answerof-447090 ' value='1729853'   \/><label for='answer-id-1729853' id='answer-label-1729853' class=' answer'><span>Use AWS WAF to create rules to respond to such attacks<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-447091'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties. <br \/>\r<br>How can a security engineer provide the access to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_29' value='447091' \/><input type='hidden' id='answerType447091' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447091[]' id='answer-id-1729854' class='answer   answerof-447091 ' value='1729854'   \/><label for='answer-id-1729854' id='answer-label-1729854' class=' answer'><span>Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447091[]' 
id='answer-id-1729855' class='answer   answerof-447091 ' value='1729855'   \/><label for='answer-id-1729855' id='answer-label-1729855' class=' answer'><span>Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447091[]' id='answer-id-1729856' class='answer   answerof-447091 ' value='1729856'   \/><label for='answer-id-1729856' id='answer-label-1729856' class=' answer'><span>Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447091[]' id='answer-id-1729857' class='answer   answerof-447091 ' value='1729857'   \/><label for='answer-id-1729857' id='answer-label-1729857' class=' answer'><span>Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   watupro-question-id-447092'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. 
The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year. <br \/>\r<br>Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested. <br \/>\r<br>What should the security engineer do to meet these requirements with the LEAST effort?<\/div><input type='hidden' name='question_id[]' id='qID_30' value='447092' \/><input type='hidden' id='answerType447092' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447092[]' id='answer-id-1729858' class='answer   answerof-447092 ' value='1729858'   \/><label for='answer-id-1729858' id='answer-label-1729858' class=' answer'><span>Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447092[]' id='answer-id-1729859' class='answer   answerof-447092 ' value='1729859'   \/><label for='answer-id-1729859' id='answer-label-1729859' class=' answer'><span>Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. 
Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447092[]' id='answer-id-1729860' class='answer   answerof-447092 ' value='1729860'   \/><label for='answer-id-1729860' id='answer-label-1729860' class=' answer'><span>Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447092[]' id='answer-id-1729861' class='answer   answerof-447092 ' value='1729861'   \/><label for='answer-id-1729861' id='answer-label-1729861' class=' answer'><span>Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-447093'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest. <br \/>\r<br>A security engineer creates a new S3 bucket to store the documents. 
<br \/>\r<br>What should the security engineer do next to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_31' value='447093' \/><input type='hidden' id='answerType447093' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447093[]' id='answer-id-1729862' class='answer   answerof-447093 ' value='1729862'   \/><label for='answer-id-1729862' id='answer-label-1729862' class=' answer'><span>Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447093[]' id='answer-id-1729863' class='answer   answerof-447093 ' value='1729863'   \/><label for='answer-id-1729863' id='answer-label-1729863' class=' answer'><span>Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447093[]' id='answer-id-1729864' class='answer   answerof-447093 ' value='1729864'   \/><label for='answer-id-1729864' id='answer-label-1729864' class=' answer'><span>Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. 
Expire the objects after 7 years.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447093[]' id='answer-id-1729865' class='answer   answerof-447093 ' value='1729865'   \/><label for='answer-id-1729865' id='answer-label-1729865' class=' answer'><span>Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-447094'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possible. <br \/>\r<br>Which combination of steps will meet these requirements MOST cost-effectively? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_32' value='447094' \/><input type='hidden' id='answerType447094' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447094[]' id='answer-id-1729866' class='answer   answerof-447094 ' value='1729866'   \/><label for='answer-id-1729866' id='answer-label-1729866' class=' answer'><span>Turn on VPC Flow Logs for all VPCs in the account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447094[]' id='answer-id-1729867' class='answer   answerof-447094 ' value='1729867'   \/><label for='answer-id-1729867' id='answer-label-1729867' class=' answer'><span>Activate Amazon GuardDuty across all AWS Regions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447094[]' id='answer-id-1729868' class='answer   answerof-447094 ' value='1729868'   \/><label for='answer-id-1729868' id='answer-label-1729868' class=' answer'><span>Activate Amazon Detective across all AWS Regions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447094[]' id='answer-id-1729869' class='answer   answerof-447094 ' value='1729869'   \/><label for='answer-id-1729869' id='answer-label-1729869' class=' answer'><span>Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the findings to the SNS topic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447094[]' id='answer-id-1729870' class='answer   answerof-447094 ' value='1729870'   \/><label for='answer-id-1729870' id='answer-label-1729870' class=' answer'><span>Create an AWS Lambda function. 
Create an Amazon EventBridge rule that invokes the Lambda function to publish findings to Amazon Simple Email Service (Amazon SES).<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-447095'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages. <br \/>\r<br>The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones. <br \/>\r<br>The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal. <br \/>\r<br>The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. <br \/>\r<br>Which combination of steps must the security engineer take to meet these requirements? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_33' value='447095' \/><input type='hidden' id='answerType447095' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447095[]' id='answer-id-1729871' class='answer   answerof-447095 ' value='1729871'   \/><label for='answer-id-1729871' id='answer-label-1729871' class=' answer'><span>Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0\/0 and port 587.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447095[]' id='answer-id-1729872' class='answer   answerof-447095 ' value='1729872'   \/><label for='answer-id-1729872' id='answer-label-1729872' class=' answer'><span>Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0\/0 and port 587.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447095[]' id='answer-id-1729873' class='answer   answerof-447095 ' value='1729873'   \/><label for='answer-id-1729873' id='answer-label-1729873' class=' answer'><span>Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447095[]' id='answer-id-1729874' class='answer   answerof-447095 ' value='1729874'   \/><label for='answer-id-1729874' id='answer-label-1729874' class=' answer'><span>Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. 
Then gather volatile memory from the compromised EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447095[]' id='answer-id-1729875' class='answer   answerof-447095 ' value='1729875'   \/><label for='answer-id-1729875' id='answer-label-1729875' class=' answer'><span>Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447095[]' id='answer-id-1729876' class='answer   answerof-447095 ' value='1729876'   \/><label for='answer-id-1729876' id='answer-label-1729876' class=' answer'><span>Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-447096'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config. <br \/>\r<br>All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. 
<br \/>\r<br>A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation. <br \/>\r<br>Which combination of steps will meet these requirements? (Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_34' value='447096' \/><input type='hidden' id='answerType447096' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447096[]' id='answer-id-1729877' class='answer   answerof-447096 ' value='1729877'   \/><label for='answer-id-1729877' id='answer-label-1729877' class=' answer'><span>Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447096[]' id='answer-id-1729878' class='answer   answerof-447096 ' value='1729878'   \/><label for='answer-id-1729878' id='answer-label-1729878' class=' answer'><span>Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447096[]' id='answer-id-1729879' class='answer   answerof-447096 ' value='1729879'   \/><label for='answer-id-1729879' id='answer-label-1729879' class=' answer'><span>Create a conformance pack that contains the 10 required AWS Config rules. 
Deploy the conformance pack from the management-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447096[]' id='answer-id-1729880' class='answer   answerof-447096 ' value='1729880'   \/><label for='answer-id-1729880' id='answer-label-1729880' class=' answer'><span>Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the security-01 account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447096[]' id='answer-id-1729881' class='answer   answerof-447096 ' value='1729881'   \/><label for='answer-id-1729881' id='answer-label-1729881' class=' answer'><span>Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-447097'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>A company has two AWS accounts. One account is for development workloads. The other account is for production workloads. For compliance reasons, the production account contains all the AWS Key Management Service (AWS KMS) keys that the company uses for encryption. <br \/>\r<br>The company applies an IAM role to an AWS Lambda function in the development account to allow secure access to AWS resources. The Lambda function must access a specific KMS customer managed key that exists in the production account to encrypt the Lambda function's data. <br \/>\r<br>Which combination of steps should a security engineer take to meet these requirements? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_35' value='447097' \/><input type='hidden' id='answerType447097' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447097[]' id='answer-id-1729882' class='answer   answerof-447097 ' value='1729882'   \/><label for='answer-id-1729882' id='answer-label-1729882' class=' answer'><span>Configure the key policy for the customer managed key in the production account to allow access to the Lambda service.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447097[]' id='answer-id-1729883' class='answer   answerof-447097 ' value='1729883'   \/><label for='answer-id-1729883' id='answer-label-1729883' class=' answer'><span>Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447097[]' id='answer-id-1729884' class='answer   answerof-447097 ' value='1729884'   \/><label for='answer-id-1729884' id='answer-label-1729884' class=' answer'><span>Configure a new IAM policy in the production account with permissions to use the customer managed key. Apply the IAM policy to the IAM role that the Lambda function in the development account uses.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447097[]' id='answer-id-1729885' class='answer   answerof-447097 ' value='1729885'   \/><label for='answer-id-1729885' id='answer-label-1729885' class=' answer'><span>Configure a new key policy in the development account with permissions to use the customer managed key. 
Apply the key policy to the IAM role that the Lambda function in the development account uses.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447097[]' id='answer-id-1729886' class='answer   answerof-447097 ' value='1729886'   \/><label for='answer-id-1729886' id='answer-label-1729886' class=' answer'><span>Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-447098'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses. <br \/>\r<br>The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. 
During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet. <br \/>\r<br>Which response will immediately mitigate the attack and help investigate the root cause?<\/div><input type='hidden' name='question_id[]' id='qID_36' value='447098' \/><input type='hidden' id='answerType447098' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447098[]' id='answer-id-1729887' class='answer   answerof-447098 ' value='1729887'   \/><label for='answer-id-1729887' id='answer-label-1729887' class=' answer'><span>Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447098[]' id='answer-id-1729888' class='answer   answerof-447098 ' value='1729888'   \/><label for='answer-id-1729888' id='answer-label-1729888' class=' answer'><span>Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' 
name='answer-447098[]' id='answer-id-1729889' class='answer   answerof-447098 ' value='1729889'   \/><label for='answer-id-1729889' id='answer-label-1729889' class=' answer'><span>Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447098[]' id='answer-id-1729890' class='answer   answerof-447098 ' value='1729890'   \/><label for='answer-id-1729890' id='answer-label-1729890' class=' answer'><span>Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-447099'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. 
<br \/>\r<br>How can you achieve this?<\/div><input type='hidden' name='question_id[]' id='qID_37' value='447099' \/><input type='hidden' id='answerType447099' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447099[]' id='answer-id-1729891' class='answer   answerof-447099 ' value='1729891'   \/><label for='answer-id-1729891' id='answer-label-1729891' class=' answer'><span>Use lifecycle policies for the EBS volumes<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447099[]' id='answer-id-1729892' class='answer   answerof-447099 ' value='1729892'   \/><label for='answer-id-1729892' id='answer-label-1729892' class=' answer'><span>Use EBS Snapshots<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447099[]' id='answer-id-1729893' class='answer   answerof-447099 ' value='1729893'   \/><label for='answer-id-1729893' id='answer-label-1729893' class=' answer'><span>Use EBS volume replication<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447099[]' id='answer-id-1729894' class='answer   answerof-447099 ' value='1729894'   \/><label for='answer-id-1729894' id='answer-label-1729894' class=' answer'><span>Use EBS volume encryption<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-447100'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>A development team is attempting to encrypt and decode a secure string parameter from the AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. 
However, each attempt results in an error message being sent to the development team. <br \/>\r<br>Which CMK-related problems possibly account for the error? (Select two.)<\/div><input type='hidden' name='question_id[]' id='qID_38' value='447100' \/><input type='hidden' id='answerType447100' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447100[]' id='answer-id-1729895' class='answer   answerof-447100 ' value='1729895'   \/><label for='answer-id-1729895' id='answer-label-1729895' class=' answer'><span>The CMK that is used in the attempt does not exist.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447100[]' id='answer-id-1729896' class='answer   answerof-447100 ' value='1729896'   \/><label for='answer-id-1729896' id='answer-label-1729896' class=' answer'><span>The CMK that is used in the attempt needs to be rotated.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447100[]' id='answer-id-1729897' class='answer   answerof-447100 ' value='1729897'   \/><label for='answer-id-1729897' id='answer-label-1729897' class=' answer'><span>The CMK that is used in the attempt is using the CMK&#8217;s key ID instead of the CMK ARN.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447100[]' id='answer-id-1729898' class='answer   answerof-447100 ' value='1729898'   \/><label for='answer-id-1729898' id='answer-label-1729898' class=' answer'><span>The CMK that is used in the attempt is not enabled.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-447100[]' id='answer-id-1729899' class='answer   answerof-447100 ' value='1729899'   \/><label for='answer-id-1729899' id='answer-label-1729899' class=' answer'><span>The 
CMK that is used in the attempt is using an alias.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-447101'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_39' value='447101' \/><input type='hidden' id='answerType447101' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447101[]' id='answer-id-1729900' class='answer   answerof-447101 ' value='1729900'   \/><label for='answer-id-1729900' id='answer-label-1729900' class=' answer'><span>Put all users into an IAM group with an access policy granting access to the bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447101[]' id='answer-id-1729901' class='answer   answerof-447101 ' value='1729901'   \/><label for='answer-id-1729901' id='answer-label-1729901' class=' answer'><span>Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447101[]' id='answer-id-1729902' class='answer   answerof-447101 ' value='1729902'   \/><label for='answer-id-1729902' id='answer-label-1729902' class=' answer'><span>Add an SCP to the Organizations master account, allowing all principals 
access to the bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447101[]' id='answer-id-1729903' class='answer   answerof-447101 ' value='1729903'   \/><label for='answer-id-1729903' id='answer-label-1729903' class=' answer'><span>Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-447102'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted. <br \/>\r<br>A) <br \/>\r<br><br><img decoding=\"async\" width=295 height=343 id=\"\u56fe\u7247 60\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image005.png\"><br><br \/>\r<br>B) <br \/>\r<br><br><img decoding=\"async\" width=294 height=343 id=\"\u56fe\u7247 59\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image006.png\"><br><br \/>\r<br>C) <br \/>\r<br><br><img decoding=\"async\" width=221 height=255 id=\"\u56fe\u7247 58\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image007.png\"><br><br \/>\r<br>D) <br \/>\r<br><br><img decoding=\"async\" width=223 height=255 id=\"\u56fe\u7247 57\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2025\/12\/image008.png\"><br><\/div><input type='hidden' name='question_id[]' id='qID_40' value='447102' \/><input type='hidden' id='answerType447102' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447102[]' id='answer-id-1729904' class='answer   answerof-447102 ' 
 value='1729904'   \/><label for='answer-id-1729904' id='answer-label-1729904' class=' answer'><span>Option A<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447102[]' id='answer-id-1729905' class='answer   answerof-447102 ' value='1729905'   \/><label for='answer-id-1729905' id='answer-label-1729905' class=' answer'><span>Option B<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447102[]' id='answer-id-1729906' class='answer   answerof-447102 ' value='1729906'   \/><label for='answer-id-1729906' id='answer-label-1729906' class=' answer'><span>Option C<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-447102[]' id='answer-id-1729907' class='answer   answerof-447102 ' value='1729907'   \/><label for='answer-id-1729907' id='answer-label-1729907' class=' answer'><span>Option D<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div>\n\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>DumpsBase\u2019s SCS-C03 dumps (V8.02) are available for improving the AWS Certified Security &#8211; Specialty certification exam preparation. Our dumps offer real exam questions and answers, which will help you solve your problem with the complexities of difficult exam concepts. They make concepts simple and easy to understand. 
If you feel it would be difficult to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,15758],"tags":[7453,20735],"class_list":["post-116731","post","type-post","status-publish","format-standard","hentry","category-amazon","category-aws-certified-specialty","tag-aws-certified-security-specialty","tag-scs-c03"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/116731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=116731"}],"version-history":[{"count":1,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/116731\/revisions"}],"predecessor-version":[{"id":116732,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/116731\/revisions\/116732"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=116731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=116731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=116731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}