Free SCS-C02 Exam Braindumps (page: 20)

Page 20 of 63

A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected.
What should a security engineer do to ensure that the EC2 instances are logged?

  1. Use IPv6 addresses that are configured for hostnames.
  2. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
  3. Use AWS DNS resolvers for all EC2 instances.
  4. Configure a third-party DNS resolver with logging for all EC2 instances.

Answer(s): C

Explanation:

To ensure that the EC2 instances are logged, the security engineer should do the following:

Use AWS DNS resolvers for all EC2 instances. This allows the security engineer to use Amazon-provided DNS servers that resolve public DNS hostnames to private IP addresses within their VPC, and that log DNS queries in Amazon CloudWatch Logs.



A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:



The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services.
Which change to the policy should the security engineer make to resolve these issues?

  1. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
  2. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
  3. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
  4. In the policy document, add a new statement block that grants the kms:Disable permission to the security engineer's IAM role.

Answer(s): C

Explanation:

To resolve the issues, the security engineer should make the following change to the policy:

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com. This restricts use of the key to the EC2 service in the us-east-1 Region only, and prevents other services from using the key.



A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

  1. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
  2. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
  3. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
  4. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
  5. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Answer(s): A,C

Explanation:

To secure the images to limit their distribution, the company should take the following actions:

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI). This allows the company to use a special CloudFront user that can access objects in their S3 bucket, and prevents anyone else from accessing the objects directly.

Add a CloudFront geo restriction deny list of countries where the company lacks a license. This allows the company to use a feature that controls access to their content based on the geographic location of their viewers, and block requests from countries where they do not have a distribution license.



A company maintains an open-source application that is hosted on a public GitHub repository.
While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.

The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.

Which solution meets these requirements?

  1. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
  2. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
  3. Analyze VPC flow logs for activity by searching for the access key.
  4. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.

Answer(s): A

Explanation:

To assess the impact of the exposed access key, the security engineer should recommend the following solution:

Analyze an IAM use report from AWS Trusted Advisor to see when the access key was last used. This allows the security engineer to use a tool that provides information about IAM entities and credentials in their account, and to check whether there was any unauthorized activity with the exposed access key.


