Free SCS-C02 Exam Braindumps (page: 27)

Page 27 of 63

A company is hosting multiple applications within a single VPC in its IAM account. The applications are running behind an Application Load Balancer that is associated with an IAM WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.

A security engineer needs to deny access from the offending IP addresses.

Which solution will meet these requirements?

  1. Modify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
  2. Add a rule to all security groups to deny the incoming requests from the IP address range.
  3. Modify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
  4. Configure the IAM WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.

Answer(s): A

Explanation:

Note that the IP is known and the question wants us to deny access from that particular address and so we can use IP set match policy of WAF to block access.



A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

Which solution will meet these requirements?

  1. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption.
    Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.
  2. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption.
    Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.
  3. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.
  4. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Answer(s): B



A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

  1. The target instance's security group does not allow traffic from the NLB.
  2. The target instance's security group is not attached to the NL
  3. The NLB's security group is not attached to the target instance.
  4. The target instance's subnet network ACL does not allow traffic from the NLB.
  5. The target instance's security group is not using IP addresses to allow traffic from the NLB.
  6. The target network ACL is not attached to the NLB.

Answer(s): A,C,D



A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

  1. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
  2. Place the DB instance in a public subnet.
  3. Place the DB instance in a private subnet.
  4. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
  5. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
  6. Deploy the ALB in a private subnet.

Answer(s): A,C,E



Page 27 of 63



Post your Comments and Discuss Amazon SCS-C02 exam with other Community members:

Mohammed Haque commented on October 04, 2024
very useful site for exam prep
UNITED STATES
upvote