AWS Certified Security - Specialty exam question bank, ExamShoot public edition
Uploaded 2024-03-04 10:02:11 (PDF, 572KB)
Wish You PASS The Exam \(@^O^@)/
1/50 Thank you for choosing ExamShoot.com product!
AWS SCS-C02 Exam Questions
Question: 1
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has
an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators
need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account
B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
Answer: C
A: In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
B: In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3
bucket in Account B.
C: In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
D: In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
Question: 2
A company has a guideline that mandates the encryption of all Amazon S3 bucket data in transit. A security
engineer must implement an S3 bucket policy that denies any S3 operations if data is not encrypted.
Which S3 bucket policy will meet this requirement?
Answer: B
A: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290832270.png">
B: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290833611.png">
C: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290834432.png">
D: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290836613.png">
Question: 3
A security engineer wants to use Amazon Simple Notification Service (Amazon SNS) to send email alerts to a
company's security team for Amazon GuardDuty findings that have a High severity level. The security engineer
also wants to deliver these findings to a visualization tool for further examination.
Which solution will meet these requirements?
Answer: C
A: Set up GuardDuty to send notifications to an Amazon CloudWatch alarm with two targets in CloudWatch.
From CloudWatch, stream the findings through Amazon Kinesis Data Streams into an Amazon OpenSearch
Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings. Use
OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic
as a second target for the CloudWatch alarm. Use event pattern matching with an Amazon EventBridge event
rule to send only High severity findings in the alerts.
B: Set up GuardDuty to send notifications to AWS CloudTrail with two targets in CloudTrail. From CloudTrail,
stream the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as
the first target for delivery. Use OpenSearch Dashboards to visualize the findings. Use OpenSearch queries
for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target
for CloudTrail. Use event pattern matching with a CloudTrail event rule to send only High severity findings in
the alerts.
C: Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream
the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as the first
target for delivery. Use OpenSearch Dashboards to visualize the findings. Use OpenSearch queries for further
analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for
EventBridge. Use event pattern matching with an EventBridge event rule to send only High severity findings
in the alerts.
D: Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge,
stream the findings through Amazon Kinesis Data Streams into an Amazon OpenSearch Service domain as
the first target for delivery. Use Amazon QuickSight to visualize the findings. Use OpenSearch queries for
further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for
EventBridge. Use event pattern matching with an EventBridge event rule to send only High severity findings
in the alerts.
Question: 4
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will
store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The
security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS
account root user.
Which solution will meet these requirements?
Answer: A
A: Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.
B: Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the
Vault Lock process. Place objects in the S3 buckets.
C: Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.
D: Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3
buckets. Place objects in the S3 buckets.
Question: 5
A company needs complete encryption of the traffic between external users and an application. The company
hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application
Load Balancer (ALB).
How can a security engineer meet these requirements?
Answer: D
A: Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets
Manager. Import the certificate into the ALB and the EC2 instances.
B: Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with
the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
C: Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate
from IAM. Associate the certificate with the ALB and the EC2 instances.
D: Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the
ALB. Install the certificate on the EC2 instances.
Question: 6
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:
The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple
Email Service (Amazon SES) by allowing ses:* actions. The account is a child of an OU that has an SCP that allows
Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through
the AWS Management Console.
Which change must a security engineer implement so that the developers can access Amazon SES?
Answer: D
A: Add a resource policy that allows each member of the group to access Amazon SES.
B: Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.
C: Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.
D: Remove Amazon SES from the root SCP.
Question: 7
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website.
The company uses SSH for management of the web server.
The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer
must create a security group for the EC2 instance.
Which combination of steps should the security engineer take to meet these requirements in the MOST secure
manner? (Choose two.)
Answer: BC
A: Allow port 22 from source 0.0.0.0/0.
B: Allow port 443 from source 0.0.0.0/0.
C: Allow port 22 from 192.168.100.0/24.
D: Allow port 22 from 10.0.1.0/24.
E: Allow port 443 from 10.0.1.0/24.
Question: 8
A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon
CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the
logs to the CloudWatch configuration file.
However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is
running on the EC2 instance.
What should the security engineer do next to resolve the issue?
Answer: D
A: Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of
CloudWatch.
B: Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs
to an S3 bucket that CloudWatch can use to ingest the logs.
C: Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the
CloudWatch agent to collect the custom logs.
D: Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.
Question: 9
A systems engineer is troubleshooting the connectivity of a test environment that includes a virtual security
appliance deployed inline. In addition to using the virtual security appliance, the development team wants to use
security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?
Answer: C
A: Disable network ACLs.
B: Configure the security appliance's elastic network interface for promiscuous mode.
C: Disable the Network Source/Destination check on the security appliance's elastic network interface.
D: Place the security appliance in the public subnet with the internet gateway.
Question: 10
A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user
accounts that are named User1, User2, and User3. These IAM user accounts are members of the
AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:
When the security engineer tries to add the policy to the S3 bucket, the following error message appears:
"Missing required field Principal."
The security engineer is adding a Principal element to the policy. The addition must provide read access to only
User1, User2, and User3.
Which solution meets these requirements?
Answer: A
A: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290217021.png">
B: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290218722.png">
C: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290219393.png">
D: <img src="https://cache.madadm.com/wx_madadm_com/images/2024/1/31/img_17067290220714.png">
Question: 11
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then
configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-
access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check.
The security engineer notices that all resources are displaying as noncompliant after the IAM
GenerateCredentialReport API operation is invoked.
What could be the reason for the noncompliant status?
Answer: A
A: The IAM credential report was generated within the past 4 hours.
B: The security engineer does not have the GenerateCredentialReport permission.
C: The security engineer does not have the GetCredentialReport permission.
D: The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Question: 12
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does
not have an existing architecture that supports this functionality.
Which solution will meet the requirement?