Free SCS-C02 Exam Braindumps (page: 7)

Page 7 of 63

An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?

  A. Manually rotate a key within KMS to create a new CMK immediately.
  B. Use the KMS import key functionality to execute a delete key operation.
  C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
  D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

Answer(s): C

Explanation:

ScheduleKeyDeletion requires a waiting period (PendingWindowInDays) of 7 to 30 days, so the key material itself cannot be destroyed within 24 hours. The requirement is still met because the key's state changes to Pending deletion as soon as the request is accepted, and KMS refuses every cryptographic operation (Encrypt, Decrypt, GenerateDataKey and so on) on a key in that state for the whole waiting period; CancelKeyDeletion can still bring the key back (to the Disabled state) until the period expires. If the goal is only to stop use quickly and reversibly, DisableKey does that immediately without committing to deletion. Option A creates new key material, but the previous material stays available for decrypting existing ciphertexts, so nothing is blocked. Option B: importing key material is unrelated to deleting a key. Option D: an alias is only a friendly name; callers that reference the key by ID or ARN, and services that already hold grants, are unaffected.
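The two-step procedure the explanation implies, as an added example that is not code from the page or from AWS: disable the key immediately, then schedule deletion with a validated waiting window and read the state back. It uses the boto3 KMS client method names (disable_key, schedule_key_deletion, describe_key); the function takes the client as a parameter so it can be exercised with a stand-in, and the key ID on the command line is an assumption about how you run it.

```python
"""Make a KMS key unusable now and schedule its deletion.
Added example; the function works with a boto3 KMS client but accepts
any object exposing the same three methods, so it can run without AWS."""
import sys

MIN_WINDOW, MAX_WINDOW = 7, 30                     # PendingWindowInDays bounds enforced by KMS
UNUSABLE_STATES = {"Disabled", "PendingDeletion"}  # KMS refuses Encrypt/Decrypt in these states


def quarantine_key(kms, key_id, pending_days=MIN_WINDOW):
    """Stop every cryptographic use of key_id immediately, then schedule deletion.

    Returns the state read back from KMS and the deletion date it reports."""
    if not MIN_WINDOW <= pending_days <= MAX_WINDOW:
        raise ValueError(f"PendingWindowInDays must be {MIN_WINDOW}..{MAX_WINDOW}, got {pending_days}")
    # 1. DisableKey takes effect at once and is reversible: this alone satisfies
    #    "cannot be used within 24 hours" without committing to deletion.
    kms.disable_key(KeyId=key_id)
    # 2. ScheduleKeyDeletion moves the key to PendingDeletion (also unusable) and
    #    destroys the key material only after the waiting period.
    resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=pending_days)
    # 3. Verify instead of trusting the return value.
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    if state not in UNUSABLE_STATES:
        raise RuntimeError(f"{key_id} is still in state {state}")
    return {"state": state, "deletion_date": resp["DeletionDate"],
            "window_days": resp.get("PendingWindowInDays", pending_days)}


def usable_for_crypto(kms, key_id):
    """True only while the key could still serve Encrypt/Decrypt requests."""
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"] == "Enabled"


if __name__ == "__main__":
    import boto3                     # real run (assumed usage): python quarantine_key.py <key-id> [days]
    client = boto3.client("kms")
    days = int(sys.argv[2]) if len(sys.argv) > 2 else MIN_WINDOW
    print(quarantine_key(client, sys.argv[1], days))
```

Run it against a real key only when you mean it: DisableKey is reversible, but once the waiting period passes the key and everything encrypted under it are gone.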



An application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.

How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

  A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
  B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
  C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
  D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

Answer(s): B

Explanation:

The kms:ViaService condition key carries the endpoint of the AWS service that made the KMS request on the caller's behalf (for example s3.us-east-1.amazonaws.com). It is present only on requests that arrive through an integrated service, so a key policy statement that allows the cryptographic actions only when kms:ViaService equals the S3 endpoint permits use of the key through S3 and nothing else; the same principal calling kms:Decrypt directly has no kms:ViaService value and fails the condition. Two caveats: the value is regional, so list every S3 endpoint you use (or use StringLike with s3.*.amazonaws.com), and leave the condition off the key-administrator statement, because administrative calls are made directly rather than via a service. Option A is wrong because SSE-KMS in S3 calls GenerateDataKey and Decrypt using the requesting principal's identity; there is no "S3 service" principal calling kms:Encrypt to restrict. Options C and D are identity policies: they change what a particular user may do, not what the key accepts, and PassRole plays no part in S3 encryption.



A development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.

There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.

Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

  A. The route tables and the outbound rules on the appropriate private subnet security group.
  B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
  C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
  D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
  E. The Security Group applied to the Application Load Balancer and NAT gateway.
  F. That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet.

Answer(s): A, C, D

Explanation:

Trace the packet. An instance that has only a private IP reaches the internet through the NAT gateway, so the private subnet's route table needs a 0.0.0.0/0 route whose target is the NAT gateway, and the instance's security group needs an outbound rule for the destination (A). Network ACLs are stateless, so the request must be allowed out of the private subnet and into the public subnet, the NAT gateway's traffic must be allowed out of the public subnet, and the replies must be allowed back through both subnets on the ephemeral port range (1024-65535 for a NAT gateway): that is the private subnet's outbound rules plus both the inbound and outbound rules of the public subnet (C; option B omits the public subnet's outbound direction and the return path). A host-based firewall (iptables, nftables, Windows Firewall) on the instance can drop the connection before it reaches the VPC at all (D). Option E is wrong because a security group cannot be attached to a NAT gateway, and the load balancer is not on the outbound path. Option F describes a misconfiguration rather than a check: a private-subnet route to the internet gateway does not work for instances without public IPs; the default route must target the NAT gateway.
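A path check that walks exactly what the explanation says to look at, as an added example that is not part of the page: route tables, security-group egress, and the four network-ACL directions including the ephemeral-port return path. The configuration dictionaries are hand-built to mirror the shape of EC2 describe-route-tables, describe-network-acls and describe-security-groups output; every ID, CIDR and address in them is made up, and the checker models only TCP, CIDR-based rules and allow/deny ordering.

```python
"""Static check of the outbound path from an instance in a private subnet to
the internet through a NAT gateway.  Added example, not from the page; the
input dictionaries are constructed by hand and all IDs/addresses are made up."""
import copy
import ipaddress

EPHEMERAL = (1024, 65535)   # a NAT gateway may use any port in this range for replies


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def route_for(route_table, dst_ip):
    """Longest-prefix match over the table's routes (None if nothing matches)."""
    matches = [r for r in route_table["Routes"] if in_cidr(dst_ip, r["DestinationCidrBlock"])]
    return max(matches, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen, default=None)


def nacl_allows(acl, egress, src_ip, dst_ip, dst_port, proto="6"):
    """Network ACLs are stateless and ordered: the lowest-numbered matching rule
    decides, and a packet that matches nothing is denied."""
    for e in sorted((e for e in acl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        peer = dst_ip if egress else src_ip   # rule CIDR is the destination for egress, the source for ingress
        if not in_cidr(peer, e["CidrBlock"]) or e["Protocol"] not in ("-1", proto):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False


def sg_allows_egress(sg, dst_ip, dst_port, proto="tcp"):
    """Security groups are stateful: for a connection the instance initiates only
    the outbound rule matters; the reply is allowed automatically."""
    for p in sg["IpPermissionsEgress"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if "FromPort" in p and not p["FromPort"] <= dst_port <= p["ToPort"]:
            continue
        if any(in_cidr(dst_ip, r["CidrIp"]) for r in p["IpRanges"]):
            return True
    return False


def check_egress(cfg, instance_ip, nat_ip, dst_ip, dst_port=443):
    """Return a list of findings; an empty list means the path is open end to end."""
    f = []
    r = route_for(cfg["private_rt"], dst_ip)
    if r is None or "NatGatewayId" not in r:
        f.append("private route table: default route must target the NAT gateway, not an internet gateway")
    r = route_for(cfg["public_rt"], dst_ip)
    if r is None or not r.get("GatewayId", "").startswith("igw-"):
        f.append("public route table: default route must target the internet gateway")
    if not sg_allows_egress(cfg["sg"], dst_ip, dst_port):
        f.append(f"security group: no outbound rule for tcp/{dst_port} to {dst_ip}")
    # request: private subnet out -> public subnet in -> NAT gateway -> public subnet out
    for label, egress, acl, src, dst in (
        ("private NACL outbound", True, cfg["private_acl"], instance_ip, dst_ip),
        ("public NACL inbound from private subnet", False, cfg["public_acl"], instance_ip, dst_ip),
        ("public NACL outbound to internet", True, cfg["public_acl"], nat_ip, dst_ip),
    ):
        if not nacl_allows(acl, egress, src, dst, dst_port):
            f.append(f"{label}: tcp/{dst_port} blocked")
    # reply on an ephemeral port: public subnet in -> NAT gateway -> public subnet out -> private subnet in
    for label, egress, acl, src, dst in (
        ("public NACL inbound reply to NAT gateway", False, cfg["public_acl"], dst_ip, nat_ip),
        ("public NACL outbound reply to private subnet", True, cfg["public_acl"], dst_ip, instance_ip),
        ("private NACL inbound reply to instance", False, cfg["private_acl"], dst_ip, instance_ip),
    ):
        blocked = [p for p in EPHEMERAL if not nacl_allows(acl, egress, src, dst, p)]
        if blocked:
            f.append(f"{label}: ephemeral port(s) {blocked} blocked")
    return f


def _entry(num, egress, action, cidr, lo, hi, proto="6"):
    return {"RuleNumber": num, "Egress": egress, "RuleAction": action, "CidrBlock": cidr,
            "Protocol": proto, "PortRange": {"From": lo, "To": hi}}


def sample_config():
    """Working layout (constructed): VPC 10.0.0.0/16, public 10.0.1.0/24, private 10.0.2.0/24."""
    return {
        "private_rt": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                  {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f67890"}]},
        "public_rt": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                 {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f67890"}]},
        "sg": {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        "private_acl": {"Entries": [_entry(100, True, "allow", "0.0.0.0/0", 443, 443),
                                    _entry(100, False, "allow", "0.0.0.0/0", *EPHEMERAL)]},
        "public_acl": {"Entries": [_entry(100, False, "allow", "10.0.2.0/24", 443, 443),
                                   _entry(110, False, "allow", "0.0.0.0/0", *EPHEMERAL),
                                   _entry(100, True, "allow", "0.0.0.0/0", 443, 443),
                                   _entry(110, True, "allow", "10.0.2.0/24", *EPHEMERAL)]},
    }


def misconfigured():
    """Two classic mistakes: the private default route points at the IGW (option F),
    and the public subnet only admits replies on the Linux ephemeral range."""
    cfg = copy.deepcopy(sample_config())
    cfg["private_rt"]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f67890"}
    cfg["public_acl"]["Entries"][1]["PortRange"] = {"From": 32768, "To": 65535}
    return cfg


if __name__ == "__main__":
    for name, cfg in (("good", sample_config()), ("broken", misconfigured())):
        print(name, check_egress(cfg, "10.0.2.10", "10.0.1.5", "198.51.100.10") or "path open")
```

To run this against a real VPC, feed it the JSON from the three describe-* calls; the ephemeral-range check is the one most teams get wrong, because a rule copied from a Linux host (32768-60999) leaves the NAT gateway's lower ports unreachable.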



A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application that decrypts the data from Amazon S3 to ensure separation of duties between the applications. A Security Engineer wants to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.

Which encryption method will meet these requirements?

  A. Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS)
  B. Use server-side encryption with customer-provided keys (SSE-C)
  C. Use server-side encryption with AWS KMS managed keys (SSE-KMS)
  D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Answer(s): C

Explanation:

With SSE-KMS, Amazon S3 calls KMS using the identity of the principal making the S3 request: PutObject needs kms:GenerateDataKey on the key and GetObject needs kms:Decrypt. The writing application's instance role can therefore be granted GenerateDataKey (with s3:PutObject) and the reading application's role kms:Decrypt (with s3:GetObject), which is exactly the separation of duties required, using only native services. (A writer that uses multipart upload also needs kms:Decrypt, so scope that grant carefully rather than dropping the split.) SSE-S3 uses keys S3 manages on your behalf, so anyone with s3:GetObject can read and there is no KMS-level permission to separate. SSE-C requires the applications themselves to hold and supply the key on every request, which is not an IAM control. EBS encryption protects volumes, not objects in S3.
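One key policy that implements both the kms:ViaService scoping from the earlier question and the SSE-KMS separation of duties from this one, as an added example that is not from the page or from AWS: the uploader role may only GenerateDataKey, the downloader role may only Decrypt, and both only when the request arrives through Amazon S3. The account ID, role names and Region are assumptions, and is_allowed() is a deliberately simplified model of key-policy evaluation (same-account principals, one condition key, explicit deny wins) written for this example, not the IAM engine.

```python
"""Key policy that scopes a KMS key to S3 and splits encrypt/decrypt between two
roles, plus a simplified evaluator to show which requests get through.
Added example; account, role names, Region and the evaluator's semantics are
assumptions made here, not AWS code."""
import fnmatch
import json

ACCOUNT = "111122223333"                                        # assumed
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"                 # assumed
WRITER = f"arn:aws:iam::{ACCOUNT}:role/UploaderInstanceRole"    # assumed
READER = f"arn:aws:iam::{ACCOUNT}:role/DownloaderInstanceRole"  # assumed
S3_ENDPOINTS = ["s3.us-east-1.amazonaws.com"]                   # one entry per Region you use (assumed)


def key_policy():
    """Policy document suitable for `aws kms put-key-policy --policy-name default`."""
    via_s3 = {"StringEquals": {"kms:ViaService": S3_ENDPOINTS}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Administrators manage the key but get no cryptographic permissions,
                # and no ViaService condition: they call KMS directly.
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": ADMIN},
                "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:Put*", "kms:Update*",
                           "kms:Enable*", "kms:Disable*", "kms:Revoke*",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # PutObject with SSE-KMS makes S3 call GenerateDataKey as the caller.
                # Multipart uploads additionally need kms:Decrypt; add it only if used.
                "Sid": "WriterEncryptsViaS3Only",
                "Effect": "Allow",
                "Principal": {"AWS": WRITER},
                "Action": ["kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": via_s3,
            },
            {   # GetObject makes S3 call Decrypt as the caller.
                "Sid": "ReaderDecryptsViaS3Only",
                "Effect": "Allow",
                "Principal": {"AWS": READER},
                "Action": ["kms:Decrypt"],
                "Resource": "*",
                "Condition": via_s3,
            },
        ],
    }


def _string_cond(op, wanted, actual):
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if op == "StringEquals":
        return actual in wanted
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(actual, w) for w in wanted)
    raise ValueError(f"operator {op} not modelled here")


def is_allowed(policy, principal, action, context):
    """Simplified key-policy evaluation for a same-account principal.

    `context` holds the request's condition keys.  A direct API call carries no
    kms:ViaService entry at all, which is why the condition fails for it."""
    decision = False
    for st in policy["Statement"]:
        if st["Principal"]["AWS"] != principal:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        ok = True
        for op, pairs in st.get("Condition", {}).items():
            for key, wanted in pairs.items():
                if key not in context or not _string_cond(op, wanted, context[key]):
                    ok = False
        if not ok:
            continue
        if st["Effect"] == "Deny":
            return False          # an explicit deny always wins
        decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(key_policy(), indent=2))
```

Pasting the printed document into put-key-policy is the whole deployment; the evaluator exists so you can see, before deploying, that the same role is allowed through s3.us-east-1.amazonaws.com and refused both on a direct call and via an S3 endpoint in a Region you did not list.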






Post your Comments and Discuss Amazon SCS-C02 exam with other Community members:

Mohammed Haque commented on October 04, 2024
very useful site for exam prep
UNITED STATES