
Page: 37 / 44
Total 589 questions

AWS Certified Security - Specialty Questions and Answers

Question 145

A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:

  • Users may access the website by using an Amazon CloudFront distribution.
  • Users may not access the website directly by using an Amazon S3 URL.

Which configurations will support these requirements? (Choose two.)

Options:

A.

Associate an origin access identity with the CloudFront distribution.

B.

Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy.

C.

Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.

D.

Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.

E.

Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

Question 146

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS Regions.

What is the SIMPLEST way to meet these requirements?

Options:

A.

Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.

B.

Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

C.

Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

D.

Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Question 147

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files be securely deleted from the EBS volumes, and it must certify that the data is unreadable before releasing the underlying disks.

Which of the following methods will ensure that the data is unreadable by anyone else?

Options:

A.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.

B.

Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.

C.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.

D.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.

Question 148

An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).

What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

Options:

A.

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

B.

Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.

C.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

D.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
