Full-fledged training is necessary to attest that you are a professional with skills in creating and implementing AWS Cloud security solutions. Our SCS-C02 question answers will help you decode your Amazon Web Services (AWS) certification exam. DumpsGenious.com has carefully crafted these SCS-C02 braindumps sets to replicate the classic exam structure: a worthwhile simulation that backs up our track record and our website's testimonials. With SCS-C02 dumps experience, you'll solve the AWS Certified Security - Specialty real exam questions. It's time to take your future into your own hands.
You are en route to becoming an application designer who can secure applications on the AWS platform and knows how to implement them and their infrastructure. The SCS-C02 practice test can cover your training so that you are ready for the skills and knowledge assessment. We offer an extensive list of SCS-C02 question answers covering all types of exam questions across all of your exam domains. Our aim is for you to understand the context of the SCS-C02 real exam questions and why the correct answers are correct. The SCS-C02 braindumps help you get ready for what's coming.
The AWS Certified Security - Specialty exam tests its candidates on these key domains: threat detection and incident response, security logging and monitoring, infrastructure security, identity and access management, data protection, and management and security governance. With our SCS-C02 dumps, you can learn to tackle all SCS-C02 real exam questions. Our team has put their best work into producing the SCS-C02 practice test. These practice tests bring out your best traits and help you recover when you go wrong. Our personalized learning path turns every mistake made during SCS-C02 braindumps training into excellence.
Before anything else, knowing what you need to pass the exam is essential. AWS recommends five years of IT security experience and a deep understanding of AWS security services and features. If you search, you can find tons of AWS dumps resources for exam preparation. But the progress report feature of the SCS-C02 question answers at DumpsGenious.com sets them apart. We keep you updated on every step of your SCS-C02 practice test training, so you can gauge your readiness for the SCS-C02 real exam questions.
AWS targets individuals with at least two years of hands-on experience securing AWS workloads and proficiency in security controls for workloads on AWS. If you have already gained this experience, then the only task left is solving the SCS-C02 question answers. The good news is that our team of experienced SCS-C02 dumps experts understands what you need to train in an exam-like atmosphere. DumpsGenious.com is your one-stop shop for gaining valuable insights during SCS-C02 braindumps training, accompanied by realistic SCS-C02 practice test simulations. Get them now!
A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account. When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails. What should the security engineer do to resolve this failure?
A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts. A security engineer must determine if the credentials were used to access the company's resources from an external account. Which solution will provide this information?
A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?
A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
C. Enable CloudTrail Insights to identify unusual API activity.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database. The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company's customer service team. The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials. Which solution will meet these requirements?
A. When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key. Program the Lambda function to store the credentials on the player's device. Create IAM keys for existing players.
B. Migrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up, create a key-value pair in Secrets Manager for the player's user ID and password.
C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game's authentication mechanism to Cognito.
D. Instead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway API to give the game client access to the game's functionality.
A company wants to receive automated email notifications when AWS access keys from developer AWS accounts are detected on code repository sites. Which solution will provide the required email notifications?
A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS findings.
B. Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.
C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category. Configure email notifications by using Amazon Simple Notification Service (Amazon SNS).
D. Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console. Configure email notifications from the anomaly detection software.
A company's security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically. Which solution will meet these requirements with the LEAST amount of effort?
A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
B. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
C. Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
D. Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.
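As an added illustration (not from this page or from AWS), the credential-report filtering that option C describes, run offline on a constructed report snippet. The columns and the "N/A" placeholders follow the layout of the IAM credential report CSV; the sample users, dates, the fixed "now" and the 90-day threshold are assumptions, and the SNS publish call is left out.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed threshold, same as the question's 90 days

# Constructed sample in the credential report's CSV layout, trimmed to the
# columns this check reads (a real report carries many more columns).
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2023-06-01T09:15:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-10-20T08:00:00+00:00,true,2023-01-05T11:30:00+00:00
carol,arn:aws:iam::111122223333:user/carol,false,2023-02-14T10:00:00+00:00,false,N/A
"""

# Fixed reference time so the example is deterministic (assumed value).
SAMPLE_NOW = datetime(2023, 10, 28, tzinfo=timezone.utc)


def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_days) for every ACTIVE key whose last
    rotation is at least max_age_days ago. Inactive keys and 'N/A' slots
    (no key issued) are skipped, so disabled keys do not raise noise."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated == "N/A":
                continue
            rotated_at = datetime.fromisoformat(rotated)
            if rotated_at <= cutoff:
                age = (now - rotated_at).days
                findings.append((row["user"], f"access_key_{slot}", age))
    return findings


def format_notification(findings):
    """Build the message body that an SNS publish would carry."""
    if not findings:
        return f"No IAM access keys older than {MAX_KEY_AGE_DAYS} days."
    lines = [f"{u}: {k} last rotated {age} days ago" for u, k, age in findings]
    return "IAM access keys due for rotation:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(format_notification(stale_access_keys(SAMPLE_REPORT, SAMPLE_NOW)))
```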
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes. A security engineer needs to preserve all forensic evidence from one of the instances. Which order of steps should the security engineer use to meet this requirement?
A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance.
D. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations management account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?
A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain. What should the security engineer do to resolve this error?
A. Replace the KSK with a zone-signing key (ZSK).
B. Deactivate and then activate the KSK.
C. Create a Delegation Signer (DS) record in the parent hosted zone.
D. Create a Delegation Signer (DS) record in the subdomain.
TESTED 28 October 2023