New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Online SCS-C02 Questions Video

Page: 24 / 24
Total 327 questions

AWS Certified Security - Specialty Questions and Answers

Question 93

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group

Which solution will meet this requirement?

Options:

A.

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

B.

Download and configure the CloudWatch agent on the container instances

C.

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

D.

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Question 94

A recent security audit found that IAM CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

Options:

A.

Ensure CloudTrail log file validation is turned on

B.

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

C.

Use an S3 bucket with tight access controls that exists m a separate account

D.

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

E.

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

F.

Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS)

Question 95

A company has several petabytes of data. The company must preserve this data for 7 years to comply with regulatory requirements. The company's compliance team asks a security officer to develop a strategy that will prevent anyone from changing or deleting the data.

Which solution will meet this requirement MOST cost-effectively?

Options:

A.

Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in compliance mode. Upload the data to the bucket. Create a resource-based bucket policy that meets all the regulatory requirements.

B.

Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in governance mode. Upload the data to the bucket. Create a user-based IAM policy that meets all the regulatory requirements.

C.

Create a vault in Amazon S3 Glacier. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements. Upload the data to the vault.

D.

Create an Amazon S3 bucket. Upload the data to the bucket. Use a lifecycle rule to transition the data to a vault in S3 Glacier. Create a Vault Lock policy that meets all the regulatory requirements.

Question 96

A security engineer is configuring account-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principals already have access to Amazon S3.

The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a principal can still put objects into the S3 bucket when the tag values do not match.

Which combination of factors are causing the PutObject operation to succeed when the tag values are different? (Select TWO.)

Options:

A.

The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.

B.

The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

C.

The S3 bucket's resource policy does not deny access to put objects.

D.

The S3 bucket's resource policy cannot allow actions to the principal.

E.

The bucket policy does not apply to principals in the same zone of trust.

Page: 24 / 24
Total 327 questions