Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Viewing page 7 out of 7 pages
Viewing questions 61-70 out of questions
Questions # 61:

A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center. In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets.

A security engineer must implement a solution to prevent the deletion of the CloudFormation stack.

Which solution will meet this requirement?

Options:

A.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:UpdateTerminationProtection action for the stack’s ARN. Apply the SCP to the root of the organization.


B.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:DeleteStack action for the stack’s ARN. Apply the SCP to all OUs except the OU that contains the delegated administrator account.


C.

Set the DeletionPolicy attribute to Retain for all resources in the CloudFormation stack. Create an IAM policy that denies the cloudformation:DeleteStack action for the stack’s ARN. Attach the IAM policy to all IAM users and roles in the organization’s management account.


D.

Assign a stack policy to deny updates to stack resources. Create an SCP that denies the cloudformation:UpdateStack action for the stack’s ARN. Apply the SCP to all OUs and the organization’s management account.


Expert Solution
Questions # 62:

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

Options:

A.

Use AWS Config with a managed rule to initiate the AWS-EnableCloudTrail remediation.


B.

Create an Amazon EventBridge event with a cloudtrail.amazonaws.com event source and a StartLogging event name to invoke an AWS Lambda function to call the StartLogging API.


C.

Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to invoke an AWS Lambda function to call the StartLogging API.


D.

Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.


Expert Solution
Questions # 63:

A company has a platform that is divided into 12 AWS accounts under the same organization in AWS Organizations. Many of these accounts use Amazon API Gateway to expose APIs to the company ' s frontend applications. The company needs to protect the existing APIs and any resources that will be deployed in the future against common SQL injection and bot attacks.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an AWS WAF web ACL for each API. Include managed rules to block SQL injection and bot attacks. Use AWS Config to detect new resources that do not have a web ACL. Configure a remediation action to provision a web ACL for these resources.


B.

Use AWS Firewall Manager to create an AWS WAF policy. Configure the policy to include the AWS Bot Control and SQL database managed rule groups. Set the policy scope to include the API Gateway stage as the resource type.


C.

Create an AWS Service Catalog product for an AWS WAF web ACL that includes rules to block SQL injection and bot attacks. Use AWS Config to detect new resources that do not have this product applied. Configure a remediation action to provision a web ACL for these resources.


D.

Use AWS Security Hub to detect unprotected resources and to send the findings as custom action events to Amazon EventBridge. Create an AWS Lambda function for these events to provision an AWS WAF web ACL for the unprotected resources. Include managed rules to block SQL injection and bot attacks.


Expert Solution
Questions # 64:

A company uses AWS Config rules to identify Amazon S3 buckets that are not compliant with the company’s data protection policy. The S3 buckets are hosted in several AWS Regions and several AWS accounts. The accounts are in an organization in AWS Organizations. The company needs a solution to remediate the organization ' s existing noncompliant S3 buckets and any noncompliant S3 buckets that are created in the future.

Which solution will meet these requirements?

Options:

A.

Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.


B.

Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.


C.

Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.


D.

Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.


Expert Solution
Questions # 65:

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

Options:

A.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.


B.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.


C.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1:* as the principal.


D.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.


Expert Solution
Questions # 66:

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Options:

A.

Grant least privilege access to the organization ' s management account.


B.

Create a new IAM Identity Center directory in the organization ' s management account.


C.

Set up a second AWS Region in the organization ' s management account.


D.

Create permission sets for use only in the organization ' s management account.


E.

Create IAM users for use only in the organization ' s management account.


F.

Create user assignments only in the organization ' s management account.


Expert Solution
Questions # 67:

A company’s platform has grown rapidly over the past 6 months. The company’s platform architecture evolved quickly to accommodate the growth. The company’s development team has been deploying features quickly by using different AWS services. The development team has not performed formal architecture reviews.

The company needs to evaluate its security posture against AWS security best practices.

Which solution will meet these requirements?

Options:

A.

Create a new workload in the AWS Well-Architected Tool. Work with the development team to answer security questions based on the team’s current state. Use the save milestone feature to track improvements against identified high-risk items.


B.

Use the cost recommendations in AWS Cost Explorer. Analyze the cost implications of security misconfigurations. Prioritize architectural changes based on potential cost savings as a result of implementing AWS security best practices.


C.

Enable AWS Security Hub CSPM. Create a Security Hub CSPM automation rule to map existing services to approved architecture patterns. Use the data to identify non-compliance against AWS best practices and generate a compliance report.


D.

Enable Amazon Detective. Create a Detective investigation for AWS security best practices. Use a behavior graph to visualize the data. Analyze the entities to identify architectural components that do not follow AWS security best practices.


Expert Solution
Viewing page 7 out of 7 pages
Viewing questions 61-70 out of questions