New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Legit SCS-C02 Exam Download

Page: 20 / 24
Total 327 questions

AWS Certified Security - Specialty Questions and Answers

Question 77

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.

Which approach should the team take to accomplish this task?

Options:

A.

Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation

B.

Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

C.

Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework

D.

Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework

Question 78

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

Options:

A.

Turn on IAM CloudTrail in each IAM account

B.

Turn on CloudTrail in only the account that will be storing the logs

C.

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

D.

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

E.

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Question 79

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Store the client token as a secret in AWS Secrets Manager. Use th^AWS SDK to retneve the secret in the Lambda function.

B.

Configure a token-based Lambda authorizer in API Gateway.

C.

Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.

D.

Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.

Question 80

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User=1, User2. and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1. User2, and User3. Which solution meets these requirements?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Page: 20 / 24
Total 327 questions