
Amazon Web Services SCS-C01 Based on Real Exam Environment

Page: 35 / 44
Total 589 questions

AWS Certified Security - Specialty Questions and Answers

Question 137

An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds, it would switch back to "Stopped".

An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instance.

The IAM user policy is as follows:

What additional items need to be added to the IAM user policy? (Choose two.)

Options:

A. kms:GenerateDataKey

B. kms:Decrypt

C. kms:CreateGrant

D. "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}

E. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}

Question 138

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.

What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

Options:

A. Verify that the S3 bucket policy allows CloudTrail to write objects.

B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

D. Verify that the S3 bucket defined in CloudTrail exists.

E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Question 139

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

  • Encryption in transit
  • Encryption at rest
  • Logging of all object retrievals in AWS CloudTrail

Which of the following meet these security requirements? (Choose three.)

Options:

A. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.

B. Enable a security group for the S3 bucket that allows port 443, but not port 80.

C. Set up default encryption for the S3 bucket.

D. Enable Amazon CloudWatch Logs for the AWS account.

E. Enable API logging of data events for all S3 objects.

F. Enable S3 object versioning for the S3 bucket.

Question 140

A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.

What configuration is necessary to allow the virtual security appliance to route the traffic?

Options:

A. Disable network ACLs.

B. Configure the security appliance's elastic network interface for promiscuous mode.

C. Disable the Network Source/Destination check on the security appliance's elastic network interface.

D. Place the security appliance in the public subnet with the internet gateway.
