Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with CertsForce

To allow cross-account access to resources using IAM roles, the following steps are required:

Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role’s trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.

Ensure that the IAM user has permission to assume the role in their own AWS account. This can be done by creating an identity policy that allows the sts:AssumeRole action and attaching it to the IAM user or their group.

Ensure that there are no service control policies (SCPs) in the organization that owns the resources that deny or restrict access to the sts:AssumeRole action or the role itself. SCPs are applied to all accounts in an organization and can override any permissions granted by IAM policies.

Verified References:

https://repost.aws/knowledge-center/cross-account-access-iam

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console.https://asecure.cloud/a/scp_cloudtrail/

these are the recommended actions to take when you receive an abuse notice fromAWS8. You shouldreview the abuse notice to see what content or activity was reported and detach the internet gateway from the VPC to isolate the affected instances from the internet. You should also remove any rules that allow inbound traffic from 0.0.0.0/0 from the security groups and create a network access control list (NACL) rule to deny all traffic inbound from the internet. You should then delete the compromised instances and any associated resources that you did not create. The other options are either inappropriate or unnecessary for responding to the abuse notice.

Comprehensive and Detailed Explanation From Exact Extract:

B. Amazon Inspector now supports Lambda scanning for vulnerabilities. Designating a delegated administrator provides centralized visibility into findings across the organization.

C. Tag-based suppression enables filtering of findings for non-production resources (e.g., test or dev Lambda functions). By using tags and configuring suppression filters in Inspector, only relevant production findings appear in the dashboard.

This approach provides continuous monitoring, centralized reporting, and filtering based on environment, fulfilling Infrastructure Security requirements.

To ensure that IAM users in Account B can only assume a role in Account A if they are authenticated with Multi-Factor Authentication (MFA), the recommended solution is to add anaws:MultiFactorAuthPresentcondition to the role's trust policy in Account A. The trust policy defines which principals (users, applications, services) can assume the role and under what conditions. By adding theaws:MultiFactorAuthPresentcondition, the policy explicitly requires MFA to be present for the assume role action to succeed. This ensures that only authenticated users with MFA can assume the role, enhancing the security posture with minimal operational overhead and without modifying permissions or session policies, which could affect the role's intended capabilities.

The correct answer is D. Remove Amazon SES from the root SCP.

This answer is correct because the root SCP is the most restrictive policy that applies to all accounts in the organization. The root SCP explicitly denies access to Amazon SES by using the NotAction element, which means that any action that is not listed in the element is denied. Therefore, removing Amazon SES from the root SCP will allow the developers to access it, as long as there are no other SCPs or IAM policies that deny it.

The other options are incorrect because:

A.Adding a resource policy that allows each member of the group to access Amazon SES is not a solution, because resource policies are not supported by Amazon SES1.Resource policies are policies that are attached to AWS resources, suchas S3 buckets or SNS topics, to control access to those resources2. Amazon SES does not have any resources that can have resource policies attached to them.

B.Adding a resource policy that allows “Principal”: {“AWS”: “arn:aws:iam::account-number:group/Dev”} is not a solution, because resource policies do not support IAM groups asprincipals3.Principals are entities that can perform actions on AWS resources, such as IAM users, roles, or AWSaccounts4.IAM groups are not principals, but collections of IAM users that share the same permissions5.

C.Removing the AWS Control Tower control (guardrail) that restricts access to Amazon SES is not a solution, because AWS Control Tower does not have any guardrails that restrict access to Amazon SES6.Guardrails are high-level rules that govern the overall behavior of an organization’s accounts7.AWS Control Tower provides a set of predefined guardrails that cover security, compliance, and operations domains8.

To quickly identify other compute resources with the specific version of the web framework installed, the team should do the following:

Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework. This allows the team to use AWS Systems Manager Inventory to collect and query information about the software installed on their EC2 instances, and to filter the results by software name and version.