{"id":122438,"date":"2026-03-28T03:45:38","date_gmt":"2026-03-28T03:45:38","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=122438"},"modified":"2026-04-08T06:45:31","modified_gmt":"2026-04-08T06:45:31","slug":"aws-scs-c03-dumps-v11-02-are-the-updated-materials-for-learning-check-aws-certified-security-specialty-scs-c03-free-dumps-part-1-q1-q40-today","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/aws-scs-c03-dumps-v11-02-are-the-updated-materials-for-learning-check-aws-certified-security-specialty-scs-c03-free-dumps-part-1-q1-q40-today.html","title":{"rendered":"AWS SCS-C03 Dumps (V11.02) Are the Updated Materials for Learning &#8211; Check AWS Certified Security &#8211; Specialty SCS-C03 Free Dumps (Part 1, Q1-Q40) Today"},"content":{"rendered":"<p>When searching for reliable study materials to prepare for the AWS Certified Security &#8211; Specialty (SCS-C03) exam, come to DumpsBase and choose the most updated SCS-C03 dumps (V11.02) today. We have 179 practice questions and answers in V11.02, designed to simulate real exam conditions, helping you build confidence through realistic practice tests that mirror the actual format, timing, and question styles. All these questions are regularly updated to reflect the latest exam changes, ensuring accuracy and relevance. 
By combining realistic simulations, adaptive learning methods, and continuously refreshed content, DumpsBase equips you with everything needed to pass the SCS-C03 AWS Certified Security &#8211; Specialty exam confidently on the first attempt and advance your AWS security career without unnecessary stress.<\/p>\n<h2>You can read our <span style=\"background-color: #ccffcc;\"><em>SCS-C03 free dumps (Part 1, Q1-Q40) of V11.02 below<\/em><\/span> to check quality:<\/h2>\n
  \n  \n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam11860\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-11860\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-11860\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-464701'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company's AWS account by using OpenID Connect (OIDC). <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_1' value='464701' \/><input type='hidden' id='answerType464701' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464701[]' id='answer-id-1796025' class='answer   answerof-464701 ' value='1796025'   \/><label for='answer-id-1796025' id='answer-label-1796025' class=' answer'><span>Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. 
Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464701[]' id='answer-id-1796026' class='answer   answerof-464701 ' value='1796026'   \/><label for='answer-id-1796026' id='answer-label-1796026' class=' answer'><span>Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OID<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464701[]' id='answer-id-1796027' class='answer   answerof-464701 ' value='1796027'   \/><label for='answer-id-1796027' id='answer-label-1796027' class=' answer'><span>Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464701[]' id='answer-id-1796028' class='answer   answerof-464701 ' value='1796028'   \/><label for='answer-id-1796028' id='answer-label-1796028' class=' answer'><span>Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464701[]' id='answer-id-1796029' class='answer   answerof-464701 ' value='1796029'   \/><label for='answer-id-1796029' id='answer-label-1796029' class=' answer'><span>Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OID<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464701[]' id='answer-id-1796030' class='answer   answerof-464701 ' value='1796030'   \/><label for='answer-id-1796030' id='answer-label-1796030' class=' answer'><span>Limit the resource share to the specified code repositories. 
Grant the IAM role access to the resource share.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-464702'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>A company's security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks. An Amazon SNS topic already exists and is subscribed to by the security team. <br \/>\r<br>What should the security engineer do next?<\/div><input type='hidden' name='question_id[]' id='qID_2' value='464702' \/><input type='hidden' id='answerType464702' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464702[]' id='answer-id-1796031' class='answer   answerof-464702 ' value='1796031'   \/><label for='answer-id-1796031' id='answer-label-1796031' class=' answer'><span>Poll Trusted Advisor for abuse notifications by using a Lambda function.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464702[]' id='answer-id-1796032' class='answer   answerof-464702 ' value='1796032'   \/><label for='answer-id-1796032' id='answer-label-1796032' class=' answer'><span>Create an Amazon EventBridge rule that matches AWS Health events for \r\nAWS_ABUSE_DOS_REPORT and publishes to SN<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464702[]' id='answer-id-1796033' class='answer   answerof-464702 ' value='1796033'   \/><label for='answer-id-1796033' id='answer-label-1796033' class=' answer'><span>Poll the AWS Support API for abuse cases by using a Lambda function.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464702[]' 
id='answer-id-1796034' class='answer   answerof-464702 ' value='1796034'   \/><label for='answer-id-1796034' id='answer-label-1796034' class=' answer'><span>Detect abuse reports by using CloudTrail logs and CloudWatch alarms.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-464703'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations. <br \/>\r<br>Which solution will meet these requirements MOST cost-effectively?<\/div><input type='hidden' name='question_id[]' id='qID_3' value='464703' \/><input type='hidden' id='answerType464703' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464703[]' id='answer-id-1796035' class='answer   answerof-464703 ' value='1796035'   \/><label for='answer-id-1796035' id='answer-label-1796035' class=' answer'><span>Use AWS WAF IP match rules.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464703[]' id='answer-id-1796036' class='answer   answerof-464703 ' value='1796036'   \/><label for='answer-id-1796036' id='answer-label-1796036' class=' answer'><span>Use AWS WAF geo match rules.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464703[]' id='answer-id-1796037' class='answer   answerof-464703 ' value='1796037'   \/><label for='answer-id-1796037' id='answer-label-1796037' class=' answer'><span>Use CloudFront geo restriction to deny the countries.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' 
name='answer-464703[]' id='answer-id-1796038' class='answer   answerof-464703 ' value='1796038'   \/><label for='answer-id-1796038' id='answer-label-1796038' class=' answer'><span>Use geolocation headers in CloudFront.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-464704'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code. <br \/>\r<br>Which change should the security engineer make to the AWS KMS configuration to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_4' value='464704' \/><input type='hidden' id='answerType464704' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464704[]' id='answer-id-1796039' class='answer   answerof-464704 ' value='1796039'   \/><label for='answer-id-1796039' id='answer-label-1796039' class=' answer'><span>Update the key policies in eu-west-1. 
Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464704[]' id='answer-id-1796040' class='answer   answerof-464704 ' value='1796040'   \/><label for='answer-id-1796040' id='answer-label-1796040' class=' answer'><span>Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464704[]' id='answer-id-1796041' class='answer   answerof-464704 ' value='1796041'   \/><label for='answer-id-1796041' id='answer-label-1796041' class=' answer'><span>Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464704[]' id='answer-id-1796042' class='answer   answerof-464704 ' value='1796042'   \/><label for='answer-id-1796042' id='answer-label-1796042' class=' answer'><span>Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-464705'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>A company\u2019s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company\u2019s accounts are within an organization in AWS Organizations. 
The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS. <br \/>\r<br>What should the security engineer do to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_5' value='464705' \/><input type='hidden' id='answerType464705' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464705[]' id='answer-id-1796043' class='answer   answerof-464705 ' value='1796043'   \/><label for='answer-id-1796043' id='answer-label-1796043' class=' answer'><span>Create security groups and attach them to all SQS queues.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464705[]' id='answer-id-1796044' class='answer   answerof-464705 ' value='1796044'   \/><label for='answer-id-1796044' id='answer-label-1796044' class=' answer'><span>Modify network ACLs in all VPCs to restrict inbound traffic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464705[]' id='answer-id-1796045' class='answer   answerof-464705 ' value='1796045'   \/><label for='answer-id-1796045' id='answer-label-1796045' class=' answer'><span>Create interface VPC endpoints for Amazon SQ<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464705[]' id='answer-id-1796046' class='answer   answerof-464705 ' value='1796046'   \/><label for='answer-id-1796046' id='answer-label-1796046' class=' answer'><span>Restrict access using aws:SourceVpce and \r\naws:PrincipalOrgId conditions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464705[]' id='answer-id-1796047' class='answer   answerof-464705 ' value='1796047'   \/><label for='answer-id-1796047' 
id='answer-label-1796047' class=' answer'><span>Use a third-party cloud access security broker (CASB).<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-464706'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser\/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application. <br \/>\r<br>Which solution will meet these requirements MOST quickly?<\/div><input type='hidden' name='question_id[]' id='qID_6' value='464706' \/><input type='hidden' id='answerType464706' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464706[]' id='answer-id-1796048' class='answer   answerof-464706 ' value='1796048'   \/><label for='answer-id-1796048' id='answer-label-1796048' class=' answer'><span>Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464706[]' id='answer-id-1796049' class='answer   answerof-464706 ' value='1796049'   \/><label for='answer-id-1796049' id='answer-label-1796049' class=' answer'><span>Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. 
Use Amazon Detective to review the API calls in context.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464706[]' id='answer-id-1796050' class='answer   answerof-464706 ' value='1796050'   \/><label for='answer-id-1796050' id='answer-label-1796050' class=' answer'><span>Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464706[]' id='answer-id-1796051' class='answer   answerof-464706 ' value='1796051'   \/><label for='answer-id-1796051' id='answer-label-1796051' class=' answer'><span>Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-464707'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions. 
<br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_7' value='464707' \/><input type='hidden' id='answerType464707' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464707[]' id='answer-id-1796052' class='answer   answerof-464707 ' value='1796052'   \/><label for='answer-id-1796052' id='answer-label-1796052' class=' answer'><span>Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464707[]' id='answer-id-1796053' class='answer   answerof-464707 ' value='1796053'   \/><label for='answer-id-1796053' id='answer-label-1796053' class=' answer'><span>Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464707[]' id='answer-id-1796054' class='answer   answerof-464707 ' value='1796054'   \/><label for='answer-id-1796054' id='answer-label-1796054' class=' answer'><span>Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464707[]' id='answer-id-1796055' class='answer   answerof-464707 ' value='1796055'   \/><label for='answer-id-1796055' id='answer-label-1796055' class=' answer'><span>Enable AWS Security Hub. 
Configure Runtime Monitoring and Lambda Protection in Security Hub.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-464708'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>A security team manages a company\u2019s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company's application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team's software process with access to the keys. <br \/>\r<br>Which solution will meet these requirements with the LEAST operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_8' value='464708' \/><input type='hidden' id='answerType464708' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464708[]' id='answer-id-1796056' class='answer   answerof-464708 ' value='1796056'   \/><label for='answer-id-1796056' id='answer-label-1796056' class=' answer'><span>Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464708[]' id='answer-id-1796057' class='answer   answerof-464708 ' value='1796057'   \/><label for='answer-id-1796057' id='answer-label-1796057' class=' answer'><span>Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. 
Revert this change when the application team no longer needs access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464708[]' id='answer-id-1796058' class='answer   answerof-464708 ' value='1796058'   \/><label for='answer-id-1796058' id='answer-label-1796058' class=' answer'><span>Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464708[]' id='answer-id-1796059' class='answer   answerof-464708 ' value='1796059'   \/><label for='answer-id-1796059' id='answer-label-1796059' class=' answer'><span>Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-464709'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>CloudFormation stack deployments fail for some users due to permission inconsistencies. <br \/>\r<br>Which combination of steps will ensure consistent deployments MOST securely? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_9' value='464709' \/><input type='hidden' id='answerType464709' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464709[]' id='answer-id-1796060' class='answer   answerof-464709 ' value='1796060'   \/><label for='answer-id-1796060' id='answer-label-1796060' class=' answer'><span>Create a composite principal service role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464709[]' id='answer-id-1796061' class='answer   answerof-464709 ' value='1796061'   \/><label for='answer-id-1796061' id='answer-label-1796061' class=' answer'><span>Create a service role with cloudformation.amazonaws.com as the principal.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464709[]' id='answer-id-1796062' class='answer   answerof-464709 ' value='1796062'   \/><label for='answer-id-1796062' id='answer-label-1796062' class=' answer'><span>Attach scoped policies to the service role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464709[]' id='answer-id-1796063' class='answer   answerof-464709 ' value='1796063'   \/><label for='answer-id-1796063' id='answer-label-1796063' class=' answer'><span>Attach service ARNs in policy resources.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464709[]' id='answer-id-1796064' class='answer   answerof-464709 ' value='1796064'   \/><label for='answer-id-1796064' id='answer-label-1796064' class=' answer'><span>Update each stack to use the service role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464709[]' id='answer-id-1796065' 
class='answer   answerof-464709 ' value='1796065'   \/><label for='answer-id-1796065' id='answer-label-1796065' class=' answer'><span>Allow iam:PassRole to the service role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-464710'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>A company\u2019s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file. <br \/>\r<br>Which set of actions will identify the suspect attacker\u2019s IP address for future occurrences?<\/div><input type='hidden' name='question_id[]' id='qID_10' value='464710' \/><input type='hidden' id='answerType464710' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464710[]' id='answer-id-1796066' class='answer   answerof-464710 ' value='1796066'   \/><label for='answer-id-1796066' id='answer-label-1796066' class=' answer'><span>Configure VPC Flow Logs and search for PHP file activity.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464710[]' id='answer-id-1796067' class='answer   answerof-464710 ' value='1796067'   \/><label for='answer-id-1796067' id='answer-label-1796067' class=' answer'><span>Install the CloudWatch agent on the ALB and export application logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464710[]' id='answer-id-1796068' class='answer   answerof-464710 ' value='1796068'   \/><label for='answer-id-1796068' 
id='answer-label-1796068' class=' answer'><span>Export ALB access logs to Amazon OpenSearch Service and search them.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464710[]' id='answer-id-1796069' class='answer   answerof-464710 ' value='1796069'   \/><label for='answer-id-1796069' id='answer-label-1796069' class=' answer'><span>Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-464711'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>A company\u2019s application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company\u2019s security policy requires separate keys for different AWS services to limit security exposure. 
<br \/>\r<br>How can a security engineer limit the KMS customer managed key to work with only Amazon S3?<\/div><input type='hidden' name='question_id[]' id='qID_11' value='464711' \/><input type='hidden' id='answerType464711' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464711[]' id='answer-id-1796070' class='answer   answerof-464711 ' value='1796070'   \/><label for='answer-id-1796070' id='answer-label-1796070' class=' answer'><span>Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464711[]' id='answer-id-1796071' class='answer   answerof-464711 ' value='1796071'   \/><label for='answer-id-1796071' id='answer-label-1796071' class=' answer'><span>Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464711[]' id='answer-id-1796072' class='answer   answerof-464711 ' value='1796072'   \/><label for='answer-id-1796072' id='answer-label-1796072' class=' answer'><span>Configure the application\u2019s IAM role policy to allow Amazon S3 to perform the iam:PassRole action.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464711[]' id='answer-id-1796073' class='answer   answerof-464711 ' value='1796073'   \/><label for='answer-id-1796073' id='answer-label-1796073' class=' answer'><span>Configure the application\u2019s IAM role policy to allow only S3 operations when the operations are combined with the KMS customer managed key.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' 
id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-464712'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. <\/span>A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. <br \/>\r<br>Which solution will meet the requirements?<\/div><input type='hidden' name='question_id[]' id='qID_12' value='464712' \/><input type='hidden' id='answerType464712' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464712[]' id='answer-id-1796074' class='answer   answerof-464712 ' value='1796074'   \/><label for='answer-id-1796074' id='answer-label-1796074' class=' answer'><span>Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464712[]' id='answer-id-1796075' class='answer   answerof-464712 ' value='1796075'   \/><label for='answer-id-1796075' id='answer-label-1796075' class=' answer'><span>Use encrypted parameters in the CloudFormation template.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464712[]' id='answer-id-1796076' class='answer   answerof-464712 ' value='1796076'   \/><label for='answer-id-1796076' id='answer-label-1796076' class=' answer'><span>Use SecureString parameters to reference Secrets Manager.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464712[]' id='answer-id-1796077' class='answer   answerof-464712 ' value='1796077'   \/><label for='answer-id-1796077' id='answer-label-1796077' class=' answer'><span>Use SecureString parameters encrypted by AWS 
KM<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-464713'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role: <br \/>\r<br>{ <br \/>\r<br>&quot;Version&quot;: &quot;2012-10-17&quot;, <br \/>\r<br>&quot;Id&quot;: &quot;key-policy-ebs&quot;, <br \/>\r<br>&quot;Statement&quot;: [ <br \/>\r<br>{ <br \/>\r<br>&quot;Sid&quot;: &quot;Enable IAM User Permissions&quot;, <br \/>\r<br>&quot;Effect&quot;: &quot;Allow&quot;, <br \/>\r<br>&quot;Principal&quot;: { <br \/>\r<br>&quot;AWS&quot;: &quot;arn:aws:iam::123456789012:root&quot; <br \/>\r<br>}, <br \/>\r<br>&quot;Action&quot;: &quot;kms:*&quot;, <br \/>\r<br>&quot;Resource&quot;: &quot;*&quot; <br \/>\r<br>}, <br \/>\r<br>{ <br \/>\r<br>&quot;Sid&quot;: &quot;Allow use of the key&quot;, <br \/>\r<br>&quot;Effect&quot;: &quot;Allow&quot;, <br \/>\r<br>&quot;Principal&quot;: { <br \/>\r<br>&quot;AWS&quot;: &quot;arn:aws:iam::123456789012:role\/aws-reserved\/sso.amazonaws.com\/InfrastructureDeployment&quot; <br \/>\r<br>}, <br \/>\r<br>&quot;Action&quot;: [ <br \/>\r<br>&quot;kms:Encrypt&quot;, <br \/>\r<br>&quot;kms:Decrypt&quot;, <br \/>\r<br>&quot;kms:ReEncrypt*&quot;, <br \/>\r<br>&quot;kms:GenerateDataKey*&quot;, <br \/>\r<br>&quot;kms:DescribeKey&quot;, <br \/>\r<br>&quot;kms:CreateGrant&quot;, <br \/>\r<br>&quot;kms:ListGrants&quot;, <br \/>\r<br>&quot;kms:RevokeGrant&quot; <br \/>\r<br>], <br \/>\r<br>&quot;Resource&quot;: &quot;*&quot;, <br \/>\r<br>&quot;Condition&quot;: { <br 
\/>\r<br>&quot;StringEquals&quot;: { <br \/>\r<br>&quot;kms:ViaService&quot;: &quot;ec2.us-west-2.amazonaws.com&quot; <br \/>\r<br>} <br \/>\r<br>} <br \/>\r<br>} <br \/>\r<br>] <br \/>\r<br>} <br \/>\r<br>The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. <br \/>\r<br>Which change to the policy should the security engineer make to resolve these issues?<\/div><input type='hidden' name='question_id[]' id='qID_13' value='464713' \/><input type='hidden' id='answerType464713' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464713[]' id='answer-id-1796078' class='answer   answerof-464713 ' value='1796078'   \/><label for='answer-id-1796078' id='answer-label-1796078' class=' answer'><span>In the statement block that contains the Sid &quot;Allow use of the key&quot;, under the Condition block, change StringEquals to StringLike.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464713[]' id='answer-id-1796079' class='answer   answerof-464713 ' value='1796079'   \/><label for='answer-id-1796079' id='answer-label-1796079' class=' answer'><span>In the policy document, remove the statement block that contains the Sid &quot;Enable IAM User Permissions&quot;. 
Add key management policies to the KMS policy.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464713[]' id='answer-id-1796080' class='answer   answerof-464713 ' value='1796080'   \/><label for='answer-id-1796080' id='answer-label-1796080' class=' answer'><span>In the statement block that contains the Sid &quot;Allow use of the key&quot;, under the Condition block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464713[]' id='answer-id-1796081' class='answer   answerof-464713 ' value='1796081'   \/><label for='answer-id-1796081' id='answer-label-1796081' class=' answer'><span>In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-464714'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance. <br \/>\r<br>The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet\u2019s network ACL allows all inbound and outbound traffic. <br \/>\r<br>Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_14' value='464714' \/><input type='hidden' id='answerType464714' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464714[]' id='answer-id-1796082' class='answer   answerof-464714 ' value='1796082'   \/><label for='answer-id-1796082' id='answer-label-1796082' class=' answer'><span>Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0\/0.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464714[]' id='answer-id-1796083' class='answer   answerof-464714 ' value='1796083'   \/><label for='answer-id-1796083' id='answer-label-1796083' class=' answer'><span>Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464714[]' id='answer-id-1796084' class='answer   answerof-464714 ' value='1796084'   \/><label for='answer-id-1796084' id='answer-label-1796084' class=' answer'><span>Create an EC2 key pair. 
Associate the key pair with the EC2 instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464714[]' id='answer-id-1796085' class='answer   answerof-464714 ' value='1796085'   \/><label for='answer-id-1796085' id='answer-label-1796085' class=' answer'><span>Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464714[]' id='answer-id-1796086' class='answer   answerof-464714 ' value='1796086'   \/><label for='answer-id-1796086' id='answer-label-1796086' class=' answer'><span>Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464714[]' id='answer-id-1796087' class='answer   answerof-464714 ' value='1796087'   \/><label for='answer-id-1796087' id='answer-label-1796087' class=' answer'><span>Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-464715'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file. <br \/>\r<br>However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance. 
<br \/>\r<br>What should the security engineer do next to resolve the issue?<\/div><input type='hidden' name='question_id[]' id='qID_15' value='464715' \/><input type='hidden' id='answerType464715' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464715[]' id='answer-id-1796088' class='answer   answerof-464715 ' value='1796088'   \/><label for='answer-id-1796088' id='answer-label-1796088' class=' answer'><span>Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464715[]' id='answer-id-1796089' class='answer   answerof-464715 ' value='1796089'   \/><label for='answer-id-1796089' id='answer-label-1796089' class=' answer'><span>Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464715[]' id='answer-id-1796090' class='answer   answerof-464715 ' value='1796090'   \/><label for='answer-id-1796090' id='answer-label-1796090' class=' answer'><span>Add Amazon Inspector to the trust policy of the EC2 instance. 
Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464715[]' id='answer-id-1796091' class='answer   answerof-464715 ' value='1796091'   \/><label for='answer-id-1796091' id='answer-label-1796091' class=' answer'><span>Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-464716'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_16' value='464716' \/><input type='hidden' id='answerType464716' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464716[]' id='answer-id-1796092' class='answer   answerof-464716 ' value='1796092'   \/><label for='answer-id-1796092' id='answer-label-1796092' class=' answer'><span>Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464716[]' id='answer-id-1796093' class='answer   answerof-464716 ' value='1796093'   \/><label for='answer-id-1796093' id='answer-label-1796093' class=' answer'><span>Use IAM policies to restrict access to the Encrypt and Decrypt API actions.<\/span><\/label><\/div><div 
class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464716[]' id='answer-id-1796094' class='answer   answerof-464716 ' value='1796094'   \/><label for='answer-id-1796094' id='answer-label-1796094' class=' answer'><span>Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464716[]' id='answer-id-1796095' class='answer   answerof-464716 ' value='1796095'   \/><label for='answer-id-1796095' id='answer-label-1796095' class=' answer'><span>Use key policies to restrict access to the appropriate IAM groups.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-464717'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions. 
<br \/>\r<br>What should the company do to properly encrypt the snapshot in us-west-1?<\/div><input type='hidden' name='question_id[]' id='qID_17' value='464717' \/><input type='hidden' id='answerType464717' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464717[]' id='answer-id-1796096' class='answer   answerof-464717 ' value='1796096'   \/><label for='answer-id-1796096' id='answer-label-1796096' class=' answer'><span>Store the customer managed key in AWS Secrets Manager in us-west-1.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464717[]' id='answer-id-1796097' class='answer   answerof-464717 ' value='1796097'   \/><label for='answer-id-1796097' id='answer-label-1796097' class=' answer'><span>Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464717[]' id='answer-id-1796098' class='answer   answerof-464717 ' value='1796098'   \/><label for='answer-id-1796098' id='answer-label-1796098' class=' answer'><span>Create an IAM policy to allow access to the key in us-east-1 from us-west-1.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464717[]' id='answer-id-1796099' class='answer   answerof-464717 ' value='1796099'   \/><label for='answer-id-1796099' id='answer-label-1796099' class=' answer'><span>Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-464718'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. 
<\/span>A company uses AWS to run a web application that manages ticket sales in several countries. The company recently migrated the application to an architecture that includes Amazon API Gateway, AWS Lambda, and Amazon Aurora Serverless. The company needs the application to comply with Payment Card Industry Data Security Standard (PCI DSS) v4.0. A security engineer must generate a report that shows the effectiveness of the PCI DSS v4.0 controls that apply to the application. The company's compliance team must be able to add manual evidence to the report. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_18' value='464718' \/><input type='hidden' id='answerType464718' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464718[]' id='answer-id-1796100' class='answer   answerof-464718 ' value='1796100'   \/><label for='answer-id-1796100' id='answer-label-1796100' class=' answer'><span>Enable AWS Trusted Advisor. Configure all the Trusted Advisor checks. Manually map the checks against the PCI DSS v4.0 standard to generate the report.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464718[]' id='answer-id-1796101' class='answer   answerof-464718 ' value='1796101'   \/><label for='answer-id-1796101' id='answer-label-1796101' class=' answer'><span>Enable and configure AWS Config. Deploy the Operational Best Practices for PCI DSS conformance pack in AWS Config. Use AWS Config to generate the report.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464718[]' id='answer-id-1796102' class='answer   answerof-464718 ' value='1796102'   \/><label for='answer-id-1796102' id='answer-label-1796102' class=' answer'><span>Enable AWS Security Hub. 
Enable the Security Hub PCI DSS security standard. Use the AWS Management Console to download the report from the security standard.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464718[]' id='answer-id-1796103' class='answer   answerof-464718 ' value='1796103'   \/><label for='answer-id-1796103' id='answer-label-1796103' class=' answer'><span>Create an AWS Audit Manager assessment that uses the AWS managed PCI DSS v4.0 standard framework. Add all evidence to the assessment. Generate the report in Audit Manager for download.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-464719'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs. <br \/>\r<br>Which solution will meet these requirements MOST cost-effectively?<\/div><input type='hidden' name='question_id[]' id='qID_19' value='464719' \/><input type='hidden' id='answerType464719' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464719[]' id='answer-id-1796104' class='answer   answerof-464719 ' value='1796104'   \/><label for='answer-id-1796104' id='answer-label-1796104' class=' answer'><span>Create a CloudTrail Lake data store. 
Implement CloudTrail Lake dashboards to visualize and query the results.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464719[]' id='answer-id-1796105' class='answer   answerof-464719 ' value='1796105'   \/><label for='answer-id-1796105' id='answer-label-1796105' class=' answer'><span>Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464719[]' id='answer-id-1796106' class='answer   answerof-464719 ' value='1796106'   \/><label for='answer-id-1796106' id='answer-label-1796106' class=' answer'><span>Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464719[]' id='answer-id-1796107' class='answer   answerof-464719 ' value='1796107'   \/><label for='answer-id-1796107' id='answer-label-1796107' class=' answer'><span>Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-464720'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. 
Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting. <br \/>\r<br>Which solution will provide remote access while meeting these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_20' value='464720' \/><input type='hidden' id='answerType464720' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464720[]' id='answer-id-1796108' class='answer   answerof-464720 ' value='1796108'   \/><label for='answer-id-1796108' id='answer-label-1796108' class=' answer'><span>Grant access to the EC2 serial console and allow IAM role access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464720[]' id='answer-id-1796109' class='answer   answerof-464720 ' value='1796109'   \/><label for='answer-id-1796109' id='answer-label-1796109' class=' answer'><span>Enable EC2 Instance Connect and configure security groups accordingly.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464720[]' id='answer-id-1796110' class='answer   answerof-464720 ' value='1796110'   \/><label for='answer-id-1796110' id='answer-label-1796110' class=' answer'><span>Assign an EC2 instance role that allows access to AWS Systems Manager. 
Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464720[]' id='answer-id-1796111' class='answer   answerof-464720 ' value='1796111'   \/><label for='answer-id-1796111' id='answer-label-1796111' class=' answer'><span>Use Systems Manager Automation to temporarily open remote access ports.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-464721'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>A company runs a web application on a fleet of Amazon EC2 instances in an Auto Scaling group. Amazon GuardDuty and AWS Security Hub are enabled. The security engineer needs an automated response to anomalous traffic that follows AWS best practices and minimizes application disruption. 
<br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_21' value='464721' \/><input type='hidden' id='answerType464721' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464721[]' id='answer-id-1796112' class='answer   answerof-464721 ' value='1796112'   \/><label for='answer-id-1796112' id='answer-label-1796112' class=' answer'><span>Use EventBridge to disable the instance profile access keys.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464721[]' id='answer-id-1796113' class='answer   answerof-464721 ' value='1796113'   \/><label for='answer-id-1796113' id='answer-label-1796113' class=' answer'><span>Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto Scaling group and isolates it with a restricted security group.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464721[]' id='answer-id-1796114' class='answer   answerof-464721 ' value='1796114'   \/><label for='answer-id-1796114' id='answer-label-1796114' class=' answer'><span>Use Security Hub to update the subnet network ACL to block traffic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464721[]' id='answer-id-1796115' class='answer   answerof-464721 ' value='1796115'   \/><label for='answer-id-1796115' id='answer-label-1796115' class=' answer'><span>Send GuardDuty findings to Amazon SNS for email notification.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-464722'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. 
<\/span>A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.<br \/>\r\n<br \/>\r\nWhich solution will meet these requirements with the LEAST operational overhead?<\/div><input type='hidden' name='question_id[]' id='qID_22' value='464722' \/><input type='hidden' id='answerType464722' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464722[]' id='answer-id-1796116' class='answer   answerof-464722 ' value='1796116'   \/><label for='answer-id-1796116' id='answer-label-1796116' class=' answer'><span>Configure the S3 Block Public Access feature for the AWS account.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464722[]' id='answer-id-1796117' class='answer   answerof-464722 ' value='1796117'   \/><label for='answer-id-1796117' id='answer-label-1796117' class=' answer'><span>Configure the S3 Block Public Access feature for all objects that are in the bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464722[]' id='answer-id-1796118' class='answer   answerof-464722 ' value='1796118'   \/><label for='answer-id-1796118' id='answer-label-1796118' class=' answer'><span>Deactivate ACLs for objects that are in the bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464722[]' id='answer-id-1796119' class='answer   answerof-464722 ' value='1796119'   \/><label for='answer-id-1796119' id='answer-label-1796119' class=' answer'><span>Use AWS PrivateLink for Amazon S3 to access the 
bucket.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-464723'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually. <br \/>\r<br>The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in. <br \/>\r<br>Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_23' value='464723' \/><input type='hidden' id='answerType464723' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464723[]' id='answer-id-1796120' class='answer   answerof-464723 ' value='1796120'   \/><label for='answer-id-1796120' id='answer-label-1796120' class=' answer'><span>Configure a cron job on the instances to forward the log files to Amazon S3 periodically.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464723[]' id='answer-id-1796121' class='answer   answerof-464723 ' value='1796121'   \/><label for='answer-id-1796121' id='answer-label-1796121' class=' answer'><span>Configure AWS Glue and Amazon Athena to query the log files.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464723[]' id='answer-id-1796122' class='answer   answerof-464723 ' value='1796122'   \/><label for='answer-id-1796122' id='answer-label-1796122' class=' answer'><span>Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon \r\nCloudWatch Logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464723[]' id='answer-id-1796123' class='answer   answerof-464723 ' value='1796123'   \/><label for='answer-id-1796123' id='answer-label-1796123' class=' answer'><span>Configure Amazon CloudWatch Logs Insights to query the log files.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464723[]' id='answer-id-1796124' class='answer   answerof-464723 ' value='1796124'   \/><label for='answer-id-1796124' id='answer-label-1796124' class=' answer'><span>Configure the instances to write the logs to an Amazon Elastic File 
System (Amazon EFS) volume.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-464724'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>A company\u2019s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy. <br \/>\r<br>Which action should enforce this policy?<\/div><input type='hidden' name='question_id[]' id='qID_24' value='464724' \/><input type='hidden' id='answerType464724' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464724[]' id='answer-id-1796125' class='answer   answerof-464724 ' value='1796125'   \/><label for='answer-id-1796125' id='answer-label-1796125' class=' answer'><span>Configure an S3 Lifecycle rule to delete objects after 45 days.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464724[]' id='answer-id-1796126' class='answer   answerof-464724 ' value='1796126'   \/><label for='answer-id-1796126' id='answer-label-1796126' class=' answer'><span>Create a Lambda function triggered on object upload to delete old data.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464724[]' id='answer-id-1796127' class='answer   answerof-464724 ' value='1796127'   \/><label for='answer-id-1796127' id='answer-label-1796127' class=' answer'><span>Create a scheduled Lambda function to delete old objects monthly.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464724[]' id='answer-id-1796128' class='answer   answerof-464724 ' value='1796128'   \/><label for='answer-id-1796128' 
id='answer-label-1796128' class=' answer'><span>Configure S3 Intelligent-Tiering.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-464725'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys. <br \/>\r<br>Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_25' value='464725' \/><input type='hidden' id='answerType464725' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464725[]' id='answer-id-1796129' class='answer   answerof-464725 ' value='1796129'   \/><label for='answer-id-1796129' id='answer-label-1796129' class=' answer'><span>Create a new customer managed key in AWS Key Management Service (AWS KMS).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464725[]' id='answer-id-1796130' class='answer   answerof-464725 ' value='1796130'   \/><label for='answer-id-1796130' id='answer-label-1796130' class=' answer'><span>Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464725[]' id='answer-id-1796131' class='answer   answerof-464725 ' value='1796131'   \/><label for='answer-id-1796131' id='answer-label-1796131' class=' answer'><span>Configure the PHP SDK to use the 
SSE-S3 key before upload.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464725[]' id='answer-id-1796132' class='answer   answerof-464725 ' value='1796132'   \/><label for='answer-id-1796132' id='answer-label-1796132' class=' answer'><span>Create an AWS managed key for Amazon S3 in AWS KM<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464725[]' id='answer-id-1796133' class='answer   answerof-464725 ' value='1796133'   \/><label for='answer-id-1796133' id='answer-label-1796133' class=' answer'><span>Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464725[]' id='answer-id-1796134' class='answer   answerof-464725 ' value='1796134'   \/><label for='answer-id-1796134' id='answer-label-1796134' class=' answer'><span>Change all the S3 objects in the bucket to use the new encryption key.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-464726'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns. 
<br \/>\r<br>Which solution would have the MOST scalability and LOWEST latency?<\/div><input type='hidden' name='question_id[]' id='qID_26' value='464726' \/><input type='hidden' id='answerType464726' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464726[]' id='answer-id-1796135' class='answer   answerof-464726 ' value='1796135'   \/><label for='answer-id-1796135' id='answer-label-1796135' class=' answer'><span>Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464726[]' id='answer-id-1796136' class='answer   answerof-464726 ' value='1796136'   \/><label for='answer-id-1796136' id='answer-label-1796136' class=' answer'><span>Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464726[]' id='answer-id-1796137' class='answer   answerof-464726 ' value='1796137'   \/><label for='answer-id-1796137' id='answer-label-1796137' class=' answer'><span>Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464726[]' id='answer-id-1796138' class='answer   answerof-464726 ' value='1796138'   \/><label for='answer-id-1796138' id='answer-label-1796138' class=' answer'><span>Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   
watupro-question-id-464727'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly. <br \/>\r<br>Which solution will prevent direct access to the ALB?<\/div><input type='hidden' name='question_id[]' id='qID_27' value='464727' \/><input type='hidden' id='answerType464727' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464727[]' id='answer-id-1796139' class='answer   answerof-464727 ' value='1796139'   \/><label for='answer-id-1796139' id='answer-label-1796139' class=' answer'><span>Use AWS PrivateLink with the AL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464727[]' id='answer-id-1796140' class='answer   answerof-464727 ' value='1796140'   \/><label for='answer-id-1796140' id='answer-label-1796140' class=' answer'><span>Replace the ALB with an internal AL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464727[]' id='answer-id-1796141' class='answer   answerof-464727 ' value='1796141'   \/><label for='answer-id-1796141' id='answer-label-1796141' class=' answer'><span>Restrict ALB listener rules to CloudFront IP ranges.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464727[]' id='answer-id-1796142' class='answer   answerof-464727 ' value='1796142'   \/><label for='answer-id-1796142' id='answer-label-1796142' class=' answer'><span>Require a custom header from CloudFront and validate it at the AL<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' 
id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-464728'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_28' value='464728' \/><input type='hidden' id='answerType464728' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464728[]' id='answer-id-1796143' class='answer   answerof-464728 ' value='1796143'   \/><label for='answer-id-1796143' id='answer-label-1796143' class=' answer'><span>Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch AP<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464728[]' id='answer-id-1796144' class='answer   answerof-464728 ' value='1796144'   \/><label for='answer-id-1796144' id='answer-label-1796144' class=' answer'><span>Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464728[]' id='answer-id-1796145' class='answer   answerof-464728 ' value='1796145'   \/><label for='answer-id-1796145' id='answer-label-1796145' class=' answer'><span>Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. 
Create custom actions to match logs with detection rules and to send alerts to the SNS topic.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464728[]' id='answer-id-1796146' class='answer   answerof-464728 ' value='1796146'   \/><label for='answer-id-1796146' id='answer-label-1796146' class=' answer'><span>Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464728[]' id='answer-id-1796147' class='answer   answerof-464728 ' value='1796147'   \/><label for='answer-id-1796147' id='answer-label-1796147' class=' answer'><span>Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-464729'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint. 
<br \/>\r<br>What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?<\/div><input type='hidden' name='question_id[]' id='qID_29' value='464729' \/><input type='hidden' id='answerType464729' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464729[]' id='answer-id-1796148' class='answer   answerof-464729 ' value='1796148'   \/><label for='answer-id-1796148' id='answer-label-1796148' class=' answer'><span>Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464729[]' id='answer-id-1796149' class='answer   answerof-464729 ' value='1796149'   \/><label for='answer-id-1796149' id='answer-label-1796149' class=' answer'><span>Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464729[]' id='answer-id-1796150' class='answer   answerof-464729 ' value='1796150'   \/><label for='answer-id-1796150' id='answer-label-1796150' class=' answer'><span>Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464729[]' id='answer-id-1796151' class='answer   answerof-464729 ' value='1796151'   \/><label for='answer-id-1796151' id='answer-label-1796151' class=' answer'><span>Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   
watupro-question-id-464730'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_30' value='464730' \/><input type='hidden' id='answerType464730' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464730[]' id='answer-id-1796152' class='answer   answerof-464730 ' value='1796152'   \/><label for='answer-id-1796152' id='answer-label-1796152' class=' answer'><span>Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464730[]' id='answer-id-1796153' class='answer   answerof-464730 ' value='1796153'   \/><label for='answer-id-1796153' id='answer-label-1796153' class=' answer'><span>Remove IAM policies and query logs in Security Hub.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464730[]' id='answer-id-1796154' class='answer   answerof-464730 ' value='1796154'   \/><label for='answer-id-1796154' id='answer-label-1796154' class=' answer'><span>Remove permission sets and query logs using CloudWatch Logs Insights.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464730[]' id='answer-id-1796155' class='answer   answerof-464730 ' value='1796155'   \/><label for='answer-id-1796155' id='answer-label-1796155' class=' answer'><span>Disable the user in IAM Identity Center and query the organizational event data store.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div 
class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-464731'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. <br \/>\r<br>Which of the following explains why the logs are not available?<\/div><input type='hidden' name='question_id[]' id='qID_31' value='464731' \/><input type='hidden' id='answerType464731' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464731[]' id='answer-id-1796156' class='answer   answerof-464731 ' value='1796156'   \/><label for='answer-id-1796156' id='answer-label-1796156' class=' answer'><span>The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464731[]' id='answer-id-1796157' class='answer   answerof-464731 ' value='1796157'   \/><label for='answer-id-1796157' id='answer-label-1796157' class=' answer'><span>The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464731[]' id='answer-id-1796158' class='answer   answerof-464731 ' value='1796158'   \/><label for='answer-id-1796158' id='answer-label-1796158' class=' answer'><span>The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' 
name='answer-464731[]' id='answer-id-1796159' class='answer   answerof-464731 ' value='1796159'   \/><label for='answer-id-1796159' id='answer-label-1796159' class=' answer'><span>The version of the Lambda function that was invoked was not current.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-464732'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet. <br \/>\r<br>The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC. <br \/>\r<br>Which combination of steps should the security engineer take to remediate this scenario? 
(Select TWO.)<\/div><input type='hidden' name='question_id[]' id='qID_32' value='464732' \/><input type='hidden' id='answerType464732' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464732[]' id='answer-id-1796160' class='answer   answerof-464732 ' value='1796160'   \/><label for='answer-id-1796160' id='answer-label-1796160' class=' answer'><span>Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464732[]' id='answer-id-1796161' class='answer   answerof-464732 ' value='1796161'   \/><label for='answer-id-1796161' id='answer-label-1796161' class=' answer'><span>Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464732[]' id='answer-id-1796162' class='answer   answerof-464732 ' value='1796162'   \/><label for='answer-id-1796162' id='answer-label-1796162' class=' answer'><span>Modify the route tables for the public subnets to add a local route to the VPC CIDR range.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464732[]' id='answer-id-1796163' class='answer   answerof-464732 ' value='1796163'   \/><label for='answer-id-1796163' id='answer-label-1796163' class=' answer'><span>Modify the route tables for the private subnets to route 0.0.0.0\/0 to the NAT gateway in the public subnet of the same Availability Zone.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464732[]' id='answer-id-1796164' class='answer   answerof-464732 ' value='1796164'   \/><label for='answer-id-1796164' 
id='answer-label-1796164' class=' answer'><span>Modify the route tables for the private subnets to route 0.0.0.0\/0 to the internet gateway.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-464733'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes. <br \/>\r<br>Which solution meets these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_33' value='464733' \/><input type='hidden' id='answerType464733' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464733[]' id='answer-id-1796165' class='answer   answerof-464733 ' value='1796165'   \/><label for='answer-id-1796165' id='answer-label-1796165' class=' answer'><span>Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with log file validation enabled for KMS events. 
Store logs in the bucket and grant auditors access.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464733[]' id='answer-id-1796166' class='answer   answerof-464733 ' value='1796166'   \/><label for='answer-id-1796166' id='answer-label-1796166' class=' answer'><span>Log application events to Amazon CloudWatch Logs and export them.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464733[]' id='answer-id-1796167' class='answer   answerof-464733 ' value='1796167'   \/><label for='answer-id-1796167' id='answer-label-1796167' class=' answer'><span>Capture KMS API calls using EventBridge and store them in DynamoD<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464733[]' id='answer-id-1796168' class='answer   answerof-464733 ' value='1796168'   \/><label for='answer-id-1796168' id='answer-label-1796168' class=' answer'><span>Track KMS usage with CloudWatch metrics and dashboards.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-464734'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client's own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company's AWS resources. 
<br \/>\r<br>Which additional step will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_34' value='464734' \/><input type='hidden' id='answerType464734' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464734[]' id='answer-id-1796169' class='answer   answerof-464734 ' value='1796169'   \/><label for='answer-id-1796169' id='answer-label-1796169' class=' answer'><span>Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464734[]' id='answer-id-1796170' class='answer   answerof-464734 ' value='1796170'   \/><label for='answer-id-1796170' id='answer-label-1796170' class=' answer'><span>Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag\/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464734[]' id='answer-id-1796171' class='answer   answerof-464734 ' value='1796171'   \/><label for='answer-id-1796171' id='answer-label-1796171' class=' answer'><span>Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. 
Use the credentials to generate the pre-signed URLs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464734[]' id='answer-id-1796172' class='answer   answerof-464734 ' value='1796172'   \/><label for='answer-id-1796172' id='answer-label-1796172' class=' answer'><span>Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-464735'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>A company's security engineer receives an abuse notification from AWS indicating that malware is being hosted from the company\u2019s AWS account. The security engineer discovers that an IAM user created a new Amazon S3 bucket without authorization. <br \/>\r<br>Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? 
(Select THREE.)<\/div><input type='hidden' name='question_id[]' id='qID_35' value='464735' \/><input type='hidden' id='answerType464735' value='checkbox'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464735[]' id='answer-id-1796173' class='answer   answerof-464735 ' value='1796173'   \/><label for='answer-id-1796173' id='answer-label-1796173' class=' answer'><span>Encrypt all AWS CloudTrail logs.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464735[]' id='answer-id-1796174' class='answer   answerof-464735 ' value='1796174'   \/><label for='answer-id-1796174' id='answer-label-1796174' class=' answer'><span>Turn on Amazon GuardDuty.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464735[]' id='answer-id-1796175' class='answer   answerof-464735 ' value='1796175'   \/><label for='answer-id-1796175' id='answer-label-1796175' class=' answer'><span>Change the password for all IAM users.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464735[]' id='answer-id-1796176' class='answer   answerof-464735 ' value='1796176'   \/><label for='answer-id-1796176' id='answer-label-1796176' class=' answer'><span>Rotate or delete all AWS access keys.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464735[]' id='answer-id-1796177' class='answer   answerof-464735 ' value='1796177'   \/><label for='answer-id-1796177' id='answer-label-1796177' class=' answer'><span>Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='checkbox' name='answer-464735[]' id='answer-id-1796178' class='answer   answerof-464735 ' 
value='1796178'   \/><label for='answer-id-1796178' id='answer-label-1796178' class=' answer'><span>Delete any resources that are unrecognized or unauthorized.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-464736'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead. <br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_36' value='464736' \/><input type='hidden' id='answerType464736' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464736[]' id='answer-id-1796179' class='answer   answerof-464736 ' value='1796179'   \/><label for='answer-id-1796179' id='answer-label-1796179' class=' answer'><span>Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464736[]' id='answer-id-1796180' class='answer   answerof-464736 ' value='1796180'   \/><label for='answer-id-1796180' id='answer-label-1796180' class=' answer'><span>Deploy a fleet of Amazon EC2 instances. 
Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464736[]' id='answer-id-1796181' class='answer   answerof-464736 ' value='1796181'   \/><label for='answer-id-1796181' id='answer-label-1796181' class=' answer'><span>Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464736[]' id='answer-id-1796182' class='answer   answerof-464736 ' value='1796182'   \/><label for='answer-id-1796182' id='answer-label-1796182' class=' answer'><span>Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-464737'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users. 
<br \/>\r<br>Which solution meets these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_37' value='464737' \/><input type='hidden' id='answerType464737' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464737[]' id='answer-id-1796183' class='answer   answerof-464737 ' value='1796183'   \/><label for='answer-id-1796183' id='answer-label-1796183' class=' answer'><span>Enable Amazon Cognito threat protection.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464737[]' id='answer-id-1796184' class='answer   answerof-464737 ' value='1796184'   \/><label for='answer-id-1796184' id='answer-label-1796184' class=' answer'><span>Restrict access to authenticated users only.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464737[]' id='answer-id-1796185' class='answer   answerof-464737 ' value='1796185'   \/><label for='answer-id-1796185' id='answer-label-1796185' class=' answer'><span>Associate AWS WAF with the Cognito user pool.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464737[]' id='answer-id-1796186' class='answer   answerof-464737 ' value='1796186'   \/><label for='answer-id-1796186' id='answer-label-1796186' class=' answer'><span>Monitor requests with CloudWatch.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-464738'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. 
The instance is making connections to known malicious addresses. <br \/>\r<br>The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet. <br \/>\r<br>Which response will immediately mitigate the attack and help investigate the root cause?<\/div><input type='hidden' name='question_id[]' id='qID_38' value='464738' \/><input type='hidden' id='answerType464738' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464738[]' id='answer-id-1796187' class='answer   answerof-464738 ' value='1796187'   \/><label for='answer-id-1796187' id='answer-label-1796187' class=' answer'><span>Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464738[]' id='answer-id-1796188' class='answer   answerof-464738 ' value='1796188'   \/><label for='answer-id-1796188' id='answer-label-1796188' class=' answer'><span>Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. 
Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464738[]' id='answer-id-1796189' class='answer   answerof-464738 ' value='1796189'   \/><label for='answer-id-1796189' id='answer-label-1796189' class=' answer'><span>Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464738[]' id='answer-id-1796190' class='answer   answerof-464738 ' value='1796190'   \/><label for='answer-id-1796190' id='answer-label-1796190' class=' answer'><span>Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-464739'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>A company needs to identify the root cause of security findings and investigate IAM roles involved in those findings. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. 
<br \/>\r<br>Which solution will meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_39' value='464739' \/><input type='hidden' id='answerType464739' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464739[]' id='answer-id-1796191' class='answer   answerof-464739 ' value='1796191'   \/><label for='answer-id-1796191' id='answer-label-1796191' class=' answer'><span>Use Amazon Detective to investigate IAM roles and visualize findings.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464739[]' id='answer-id-1796192' class='answer   answerof-464739 ' value='1796192'   \/><label for='answer-id-1796192' id='answer-label-1796192' class=' answer'><span>Use Amazon Inspector and CloudWatch dashboards.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464739[]' id='answer-id-1796193' class='answer   answerof-464739 ' value='1796193'   \/><label for='answer-id-1796193' id='answer-label-1796193' class=' answer'><span>Export GuardDuty findings to S3 and analyze with Athena.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464739[]' id='answer-id-1796194' class='answer   answerof-464739 ' value='1796194'   \/><label for='answer-id-1796194' id='answer-label-1796194' class=' answer'><span>Use Security Hub custom actions to investigate IAM roles.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-464740'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>A company is operating an open-source software platform that is internet facing. 
The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation. <br \/>\r<br>What should the security engineer do to meet these requirements?<\/div><input type='hidden' name='question_id[]' id='qID_40' value='464740' \/><input type='hidden' id='answerType464740' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464740[]' id='answer-id-1796195' class='answer   answerof-464740 ' value='1796195'   \/><label for='answer-id-1796195' id='answer-label-1796195' class=' answer'><span>Create an Application Load Balancer with the existing EC2 instances as a target group. 
Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the AL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464740[]' id='answer-id-1796196' class='answer   answerof-464740 ' value='1796196'   \/><label for='answer-id-1796196' id='answer-label-1796196' class=' answer'><span>Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the AL<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464740[]' id='answer-id-1796197' class='answer   answerof-464740 ' value='1796197'   \/><label for='answer-id-1796197' id='answer-label-1796197' class=' answer'><span>Update security groups on the EC2 instances to prevent direct access from the internet.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464740[]' id='answer-id-1796198' class='answer   answerof-464740 ' value='1796198'   \/><label for='answer-id-1796198' id='answer-label-1796198' class=' answer'><span>Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464740[]' id='answer-id-1796199' class='answer   answerof-464740 ' value='1796199'   \/><label for='answer-id-1796199' id='answer-label-1796199' class=' answer'><span>Obtain the latest source code for the platform and make the necessary updates. 
Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-464740[]' id='answer-id-1796200' class='answer   answerof-464740 ' value='1796200'   \/><label for='answer-id-1796200' id='answer-label-1796200' class=' answer'><span>Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-41'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br \/>\n\t\n\t\t\t<div class=\"watupro_buttons flex \" id=\"watuPROButtons11860\" >\n\t\t  <div id=\"prev-question\" style=\"display:none;\"><input type=\"button\" value=\"&lt; Previous\" onclick=\"WatuPRO.nextQuestion(event, 'previous');\"\/><\/div>\t\t  \t\t  \t\t   \n\t\t   \t  \t\t<div><input type=\"button\" name=\"action\" class=\"watupro-submit-button\" onclick=\"WatuPRO.submitResult(event)\" id=\"action-button\" value=\"View Results\"  \/>\n\t\t<\/div>\n\t\t<\/div>\n\t\t\n\t<input type=\"hidden\" name=\"quiz_id\" value=\"11860\" id=\"watuPROExamID\"\/>\n\t<input type=\"hidden\" name=\"start_time\" id=\"startTime\" value=\"2026-05-20 05:17:03\" \/>\n\t<input type=\"hidden\" name=\"start_timestamp\" id=\"startTimeStamp\" value=\"1779254223\" \/>\n\t<input type=\"hidden\" name=\"question_ids\" value=\"\" \/>\n\t<input type=\"hidden\" name=\"watupro_questions\" 
value=\"464701:1796025,1796026,1796027,1796028,1796029,1796030 | 464702:1796031,1796032,1796033,1796034 | 464703:1796035,1796036,1796037,1796038 | 464704:1796039,1796040,1796041,1796042 | 464705:1796043,1796044,1796045,1796046,1796047 | 464706:1796048,1796049,1796050,1796051 | 464707:1796052,1796053,1796054,1796055 | 464708:1796056,1796057,1796058,1796059 | 464709:1796060,1796061,1796062,1796063,1796064,1796065 | 464710:1796066,1796067,1796068,1796069 | 464711:1796070,1796071,1796072,1796073 | 464712:1796074,1796075,1796076,1796077 | 464713:1796078,1796079,1796080,1796081 | 464714:1796082,1796083,1796084,1796085,1796086,1796087 | 464715:1796088,1796089,1796090,1796091 | 464716:1796092,1796093,1796094,1796095 | 464717:1796096,1796097,1796098,1796099 | 464718:1796100,1796101,1796102,1796103 | 464719:1796104,1796105,1796106,1796107 | 464720:1796108,1796109,1796110,1796111 | 464721:1796112,1796113,1796114,1796115 | 464722:1796116,1796117,1796118,1796119 | 464723:1796120,1796121,1796122,1796123,1796124 | 464724:1796125,1796126,1796127,1796128 | 464725:1796129,1796130,1796131,1796132,1796133,1796134 | 464726:1796135,1796136,1796137,1796138 | 464727:1796139,1796140,1796141,1796142 | 464728:1796143,1796144,1796145,1796146,1796147 | 464729:1796148,1796149,1796150,1796151 | 464730:1796152,1796153,1796154,1796155 | 464731:1796156,1796157,1796158,1796159 | 464732:1796160,1796161,1796162,1796163,1796164 | 464733:1796165,1796166,1796167,1796168 | 464734:1796169,1796170,1796171,1796172 | 464735:1796173,1796174,1796175,1796176,1796177,1796178 | 464736:1796179,1796180,1796181,1796182 | 464737:1796183,1796184,1796185,1796186 | 464738:1796187,1796188,1796189,1796190 | 464739:1796191,1796192,1796193,1796194 | 464740:1796195,1796196,1796197,1796198,1796199,1796200\" \/>\n\t<input type=\"hidden\" name=\"no_ajax\" value=\"0\">\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n\n<script 
type=\"text\/javascript\">\n\/\/jQuery(document).ready(function(){\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \t\nvar question_ids = \"464701,464702,464703,464704,464705,464706,464707,464708,464709,464710,464711,464712,464713,464714,464715,464716,464717,464718,464719,464720,464721,464722,464723,464724,464725,464726,464727,464728,464729,464730,464731,464732,464733,464734,464735,464736,464737,464738,464739,464740\";\nWatuPROSettings[11860] = {};\nWatuPRO.qArr = question_ids.split(',');\nWatuPRO.exam_id = 11860;\t    \nWatuPRO.post_id = 122438;\nWatuPRO.store_progress = 0;\nWatuPRO.curCatPage = 1;\nWatuPRO.requiredIDs=\"0\".split(\",\");\nWatuPRO.hAppID = \"0.44278800 1779254223\";\nvar url = \"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/show_exam.php\";\nWatuPRO.examMode = 1;\nWatuPRO.siteURL=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-admin\/admin-ajax.php\";\nWatuPRO.emailIsNotRequired = 0;\nWatuPROIntel.init(11860);\nWatuPRO.inCategoryPages=1;});    \t \n<\/script>\n<p>&nbsp;<\/p>\n<h2>Continue to read our <a href=\"https:\/\/www.dumpsbase.com\/freedumps\/aws-scs-c03-free-dumps-part-2-q41-q60-of-v11-02-are-online-today-read-and-verify-the-amazon-scs-c03-dumps.html\"><em>SCS-C03 free dumps (Part 2, Q41-Q60) of V11.02<\/em><\/a> here.<\/h2>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When searching for reliable study materials to prepare for the AWS Certified Security &#8211; Specialty (SCS-C03) exam, come to DumpsBase and choose the most updated SCS-C03 dumps (V11.02) today. 
We have 179 practice questions and answers in V11.02, designed to simulate real exam conditions, helping you build confidence through realistic practice tests that mirror the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,15758],"tags":[20735],"class_list":["post-122438","post","type-post","status-publish","format-standard","hentry","category-amazon","category-aws-certified-specialty","tag-scs-c03"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/122438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=122438"}],"version-history":[{"count":2,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/122438\/revisions"}],"predecessor-version":[{"id":123073,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/122438\/revisions\/123073"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=122438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=122438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=122438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}