Free SCS-C02 Exam Braindumps (page: 25)

Page 25 of 63

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

  1. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
  2. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
  3. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
  4. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.

Answer(s): B



A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.

To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.

What should the security engineer do next?

  1. Place the network interface in promiscuous mode to capture the traffic.
  2. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
  3. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
  4. Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.

Answer(s): D



A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A) [SCP policy document shown as an image; not reproduced here]

B) [SCP policy document shown as an image; not reproduced here]

C) [SCP policy document shown as an image; not reproduced here]

D) [SCP policy document shown as an image; not reproduced here]

  1. Option A
  2. Option B
  3. Option C
  4. Option D

Answer(s): A



A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

Which solution meets these requirements?

  1. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
  2. Use AWS Secrets Manager to store the database credentials. Configure automatic rotation of the credentials.
  3. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication.
  4. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate the credentials on a scheduled basis.

Answer(s): A


