CertsTopics Logo

New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

SCS-C01 Premium Exam Questions

Page: 36 / 44
Total 589 questions
Get SCS-C01 Full Access Download SCS-C01 PDF

AWS Certified Security - Specialty Questions and Answers

Question 141

A company has five IAM accounts and wants to use IAM CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

Options:

A.

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

B.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

C.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

D.

Use unique log file prefixes for trails in each IAM account.

E.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

F.

Enable encryption of the log files by using IAM Key Management Service

Question 142

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an IAM KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use IAM principals from their own IAM accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.

What is the MOST efficient way to manage access control for the KMS CMK7?

Options:

A.

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

B.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

C.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

D.

Use delegated access across IAM accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Question 143

Which of the following are valid event sources that are associated with web access control lists that trigger IAM WAF rules? (Choose two.)

Options:

A.

Amazon S3 static web hosting

B.

Amazon CloudFront distribution

C.

Application Load Balancer

D.

Amazon Route 53

E.

VPC Flow Logs

Question 144

A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.

How can this be accomplished? (Choose two.)

Options:

A.

Deploy a pre-authorized scanning engine from the IAM Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

B.

Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

C.

Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

D.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

E.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

Page: 36 / 44
Total 589 questions
Get SCS-C01 Full Access Download SCS-C01 PDF