Question 1

A company is extending a secure development environment from an on-premises data center into AWS. They have secured the VPC by removing the Internet Gateway and configuring security groups and network ACLs. An AWS Direct Connect connection has been established between the data center and the Amazon VPC.

What else needs to be done to add encryption in transit?

Options :

A : Configure an AWS Direct Connect Gateway.

B : Add an AWS KMS key to the Direct Connect configuration.

C : Setup a Virtual Private Gateway (VGW).

D : Enable IPSec encryption on the Direct Connect connection.

Answer: C

Question 2

A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.

The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.

Which of the following steps would be the most appropriate in this scenario?

Options :

A : Track down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.

B :

Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.

C : Deactivate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system-s Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.

D : Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

Answer: D

Question 3

A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions. What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

Options :

A : Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

B : Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

C : Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template-s parameters.

D : Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Answer: C

Question 4

A company uses AWS Signer with all of the company’s AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions. Which solution will meet this requirement?

Options :

A : Revoke all versions of the signing profile assigned to the developer.

B : Examine the developer’s IAM roles. Remove all permissions that grant access to Signer.

C : Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.

D : Use Amazon CodeGuru to profile all the code that the Lambda functions use.

Answer: A

Question 5

A security engineer is working with the development team to design an application that encrypts data using an AWS KMS key. Various users with accounts in AWS IAM will need to be provided with temporary access to decrypt data using the KMS key.

What is the MOST efficient way to manage access control for the KMS key?

Options :

A : Use an IAM group. Programmatically add and remove users from the group and attach a policy that grants key access

B : Use an IAM role. Programmatically update the IAM role policies to manage access

C : Use KMS grants. Programmatically create and revoke grants to manage access.

D : Use KMS key policies. Programmatically update the KMS key policies to manage access

Answer: C

Smartly Prepare Exam with Free Online SCS-C02 Practice Test

Buying Options: