Question # 1
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
Explanation: To improve the security at the edge of the solution against a large, layer 7 DDoS attack, the security engineer should configure AWS WAF with a rate-based rule that imposes a rate limit and automatically blocks requests when the rate limit is exceeded. A rate-based rule tracks the number of requests from a single IP address and blocks subsequent requests from that address if they exceed a specified threshold within a specified time period, so the excess traffic is dropped at the CloudFront edge before it reaches the ALB.
Question # 2
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
D. Create a new SSH key pair for the EC2 instance.
B. Manually upload the new host key to the AWS trusted host keys database.
Explanation: To set up a CloudFront distribution for an S3 bucket that hosts a static website, and to allow only specified IP addresses to access the website, the following steps are required:
Create a CloudFront origin access identity (OAI), which is a special CloudFront user that you can associate with your distribution. An OAI allows you to restrict access to your S3 content by using signed URLs or signed cookies. For more information, see Using an origin access identity to restrict access to your Amazon S3 content.
Create the S3 bucket policy so that only the OAI has access. This will prevent users from accessing the website directly by using S3 URLs, as they will receive an Access Denied error. To do this, use the AWS Policy Generator to create a bucket policy that grants s3:GetObject permission to the OAI, and attach it to the S3 bucket. For more information, see Restricting access to Amazon S3 content by using an origin access identity.
Create an AWS WAF web ACL and add an IP set rule. AWS WAF is a web application firewall service that lets you control access to your web applications. An IP set is a condition that specifies a list of IP addresses or IP address ranges that requests originate from. You can use an IP set rule to allow or block requests based on the IP addresses of the requesters. For more information, see Working with IP match conditions.
Associate the web ACL with the CloudFront distribution. This will ensure that the web ACL filters all requests for your website before they reach your origin. You can do this by using the AWS WAF console, API, or CLI. For more information, see Associating or disassociating a web ACL with a CloudFront distribution.
This solution will meet the requirements of allowing only specified IP addresses to access the website and preventing direct access by using S3 URLs. The other options are incorrect because they either do not create a CloudFront distribution for the S3 bucket (A), do not use an OAI to restrict access to the S3 bucket (C), or do not use AWS WAF to block traffic from outside the specified IP addresses (D).
Verified References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/privatecontent-restricting-access-to-s3.html
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html
Question # 3
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs. Which AWS services should be used to meet these requirements? (Select TWO)
A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR
B. Amazon Kinesis; D. Amazon Elasticsearch
Explanation: Amazon Kinesis and Amazon Elasticsearch are both suitable for forensic-logging solutions. Amazon Kinesis can collect, process, and analyze streaming data in real time [3], and its streams retain records so that consumers can replay messages. Amazon Elasticsearch can store, search, and analyze log data using the popular open-source tool Elasticsearch. The other options are not designed for forensic-logging purposes: Amazon Athena is a query service that analyzes data in S3, Amazon SQS is a message queue service that decouples and scales microservices, and Amazon EMR is a big data platform that runs Apache Spark and Hadoop clusters.
Question # 4
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?
A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
Explanation: The schedule key deletion function within KMS allows you to specify a waiting period before deleting a customer master key (CMK) [4]. The minimum waiting period is 7 days and the maximum is 30 days [5]. During the waiting period the CMK enters the Pending Deletion state, which prevents it from being used for encryption or decryption operations [4]. The other options are either invalid or ineffective for deleting a CMK within a 24-hour timeframe.
Question # 5
A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account. The security team wants to use Amazon Detective. However, the security team cannot enable Detective and is unsure why. What must the security team do to enable Detective?
A. Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie.
B. Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization.
C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
D. Ensure that the principal that launches Detective has the organizations ListAccounts permission.
D. Ensure that the principal that launches Detective has the organizations ListAccounts permission
Question # 6
An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects. Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?
A. The IAM policy needs to allow the kms:DescribeKey permission.
B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
Explanation: The possible reason that the IAM user cannot access the objects in the S3 bucket is D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
This answer is correct because the KMS key policy is the primary way to control access to the KMS key, and it must explicitly allow the AWS account to have full access to the key (typically through the "Enable IAM User Permissions" statement that grants the account root principal kms:*). If the KMS key policy has been edited to remove this permission, then the IAM policy that grants kms:Decrypt permission to the IAM user has no effect, and the IAM user cannot decrypt the objects in the S3 bucket [1][2]. The other options are incorrect because:
A. The IAM policy does not need to allow the kms:DescribeKey permission, because this permission is not required for decrypting objects in S3 using SSE-KMS. The kms:DescribeKey permission allows getting information about a KMS key, such as its creation date, description, and key state [3].
B. The S3 bucket has not been changed to use the AWS managed key to encrypt objects at rest, because this would not cause an Access Denied message for the IAM user. The AWS managed key is a default KMS key that is created and managed by AWS for each AWS account and Region. The IAM user does not need any permissions on this key to use it for SSE-KMS [4].
C. An S3 bucket policy does not need to be added to allow the IAM user to access the objects, because the IAM user already has s3:List* and s3:Get* permissions for the S3 bucket and its objects through an IAM policy. An S3 bucket policy is an optional way to grant cross-account access or public access to an S3 bucket [5].
References:
[1] Key policies in AWS KMS
[2] Using server-side encryption with AWS KMS keys (SSE-KMS)
[3] AWS KMS API Permissions Reference
[4] Using server-side encryption with Amazon S3 managed keys (SSE-S3)
[5] Bucket policy examples
Question # 7
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
C. Edit the existing trail in the Organizations master account and apply it to the organization.