Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Viewing page 3 out of 7 pages
Viewing questions 21-30 out of questions
Questions # 21:

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.

Which solution will meet these requirements with the LEAST operational effort?

Options:

A.

Install a third-party security add-on.


B.

Enable AWS Security Hub and monitor Kubernetes findings.


C.

Monitor CloudWatch Container Insights metrics for EKS.


D.

Enable Amazon GuardDuty and use EKS Audit Log Monitoring.


Expert Solution
Questions # 22:

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

Options:

A.

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.


B.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.


C.

Revoke the IAM role’s active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.


D.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.


Expert Solution
Questions # 23:

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.

The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

A.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.


B.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.


C.

Modify the route tables for the public subnets to add a local route to the VPC CIDR range.


D.

Modify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.


E.

Modify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.


Expert Solution
Questions # 24:

A company has installed a third-party application that is distributed on several Amazon EC2 instances and on-premises servers. Occasionally, the company ' s IT team needs to use SSH to connect to each machine to perform software maintenance tasks. Outside these time slots, the machines must be completely isolated from the rest of the network. The company does not want to maintain any SSH keys. Additionally, the company wants to pay only for machine hours when there is an SSH connection.

Which solution will meet these requirements?

Options:

A.

Create a bastion host with port forwarding to connect to the machines.


B.

Set up AWS Systems Manager Session Manager to allow temporary connections.


C.

Use AWS CloudShell to create serverless connections.


D.

Set up an interface VPC endpoint for each machine for private connection.


Expert Solution
Questions # 25:

A security engineer discovers that a company ' s user passwords have no required minimum length. The company uses the following identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application

Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

Options:

A.

Update the password length policy in the IAM configuration.


B.

Update the password length policy in the Amazon Cognito configuration.


C.

Update the password length policy in the on-premises Active Directory configuration.


D.

Create an SCP in AWS Organizations to enforce minimum password length.


E.

Create an IAM policy with a minimum password length condition.


Expert Solution
Questions # 26:

A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege. The security engineer plans to audit the IAM permissions once every 365 days. The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions.

Which solution will meet these requirements?

Options:

A.

Use AWS CloudTrail logs to review IAM identity actions and to remove unused permissions.


B.

Use AWS Config to review configuration changes by each IAM identity and to remove unused permissions.


C.

Use AWS Identity and Access Management Access Analyzer to review last accessed information and to remove unused permissions.


D.

Use AWS Trusted Advisor to check the IAM identities that have elevated permissions and to remove unused permissions.


Expert Solution
Questions # 27:

A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.

How can the company enforce encryption for all connections to the Aurora cluster?

Options:

A.

In the Aurora cluster configuration, set therequire_secure_transportDB cluster parameter toON.


B.

Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.


C.

Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.


D.

Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.


Expert Solution
Questions # 28:

A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.

Which solution will meet these requirements?

Options:

A.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.


B.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny thes3:PutObjectaction only when the object has server-side encryption with S3 managed keys (SSE-S3).


C.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.


D.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.


Expert Solution
Questions # 29:

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots. The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.


B.

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.


C.

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.


D.

Create a backup plan in AWS Backup. Configure a 5-year retention period.


Expert Solution
Questions # 30:

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

Options:

A.

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.


B.

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.


C.

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.


D.

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.


Expert Solution
Viewing page 3 out of 7 pages
Viewing questions 21-30 out of questions