Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Amazon Web Services SCS-C03 Practice Exam with Questions & Answers | Set: 4

Questions 31

A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU. Except for some desired global services, the AWS usage must occur only in theeu-west-1Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU.

Which SCP will meet these requirements?

Options:
A.

Deny with NotAction, but uses StringEquals for aws:RequestedRegion = eu-west-1

B.

Allow with Action, scoped to desired global services in eu-west-1

C.

Deny with NotAction for desired global services, and StringNotEquals aws:RequestedRegion = eu-west-1

D.

Allow with NotAction and StringNotEquals aws:RequestedRegion = eu-west-1

Amazon Web Services SCS-C03 Premium Access
Questions 32

A security engineer discovers that a company ' s user passwords have no required minimum length. The company uses the following identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application

Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

Options:
A.

Update the password length policy in the IAM configuration.

B.

Update the password length policy in the Amazon Cognito configuration.

C.

Update the password length policy in the on-premises Active Directory configuration.

D.

Create an SCP in AWS Organizations to enforce minimum password length.

E.

Create an IAM policy with a minimum password length condition.

Questions 33

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

Options:
A.

Configure a cron job on the instances to forward the log files to Amazon S3 periodically.

B.

Configure AWS Glue and Amazon Athena to query the log files.

C.

Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.

D.

Configure Amazon CloudWatch Logs Insights to query the log files.

E.

Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

Questions 34

A company’s developers are using AWS Lambda function URLs to invoke functions directly. Thecompany must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Options:
A.

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Questions 35

A security engineer uses Amazon Macie to scan a company ' s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.

Which solution will meet these requirements with the LEAST administrative overhead?

Options:
A.

Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.

B.

Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.

C.

Configure Macie automated discovery to continuously sample data from the S3 buckets. Perform full scans of the S3 buckets where Macie discovers sensitive data.

D.

Configure Macie scans to run on the S3 buckets. Aggregate the results of the scans in an Amazon DynamoDB table. Use the DynamoDB table for queries.

Questions 36

CloudFormation stack deployments fail for some users due to permission inconsistencies.

Which combination of steps will ensure consistent deployments MOST securely? (Select THREE.)

Options:
A.

Create a composite principal service role.

B.

Create a service role with cloudformation.amazonaws.com as the principal.

C.

Attach scoped policies to the service role.

D.

Attach service ARNs in policy resources.

E.

Update each stack to use the service role.

F.

Allow iam:PassRole to the service role.

Questions 37

A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC Flow Logs are enabled for all VPCs.

A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

Which solution will meet these requirements?

Options:
A.

Monitor CloudTrail logs for API calls to non-standard time servers.

B.

Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.

C.

Monitor VPC Flow Logs for traffic to non-standard time servers.

D.

Monitor VPC Flow Logs for traffic to the Amazon Time Sync Service.

Questions 38

A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center. In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets.

A security engineer must implement a solution to prevent the deletion of the CloudFormation stack.

Which solution will meet this requirement?

Options:
A.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:UpdateTerminationProtection action for the stack’s ARN. Apply the SCP to the root of the organization.

B.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:DeleteStack action for the stack’s ARN. Apply the SCP to all OUs except the OU that contains the delegated administrator account.

C.

Set the DeletionPolicy attribute to Retain for all resources in the CloudFormation stack. Create an IAM policy that denies the cloudformation:DeleteStack action for the stack’s ARN. Attach the IAM policy to all IAM users and roles in the organization’s management account.

D.

Assign a stack policy to deny updates to stack resources. Create an SCP that denies the cloudformation:UpdateStack action for the stack’s ARN. Apply the SCP to all OUs and the organization’s management account.

Questions 39

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Select TWO.)

Options:
A.

AWS Site-to-Site VPN

B.

AWS Direct Connect

C.

AWS VPN CloudHub

D.

VPC peering

E.

NAT gateway

Questions 40

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

Options:
A.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.

B.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1:* as the principal.

D.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.