Free SCS-C02 Exam Braindumps (page: 23)

Page 23 of 63

A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive dat.

  1. The company plans to deploy the application in the eu-north-1 Region.
    A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
    Which change should the security engineer make to the IAM KMS configuration to meet these requirements?
  2. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
  3. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
  4. Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
  5. Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Answer(s): B



A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.

Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

  1. The CMK that is used in the attempt does not exist.
  2. The CMK that is used in the attempt needs to be rotated.
  3. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
  4. The CMK that is used in the attempt is not enabled.
  5. The CMK that is used in the attempt is using an alias.

Answer(s): A,D



A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west- 2 Regions.

What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

  1. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us- east-1 and us-west-2.
  2. Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM:
    Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.
  3. Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline.
    Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.
  4. Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Answer(s): C



A company is implementing a new application in a new IAM account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same IAM Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.

How can the security engineer implement this solution?

  1. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
  2. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
  3. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VP Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
  4. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC.
    Attach the new security group to the application instances that need database access.

Answer(s): C



Page 23 of 63



Post your Comments and Discuss Amazon SCS-C02 exam with other Community members:

Mohammed Haque commented on October 04, 2024
very useful site for exam prep
UNITED STATES
upvote