Use High-Quality Amazon SCS-C02 Dumps- Try Free Demo

[Infrastructure Security]

A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.

Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

AUpdate the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

BUpdate the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

CAdd a CloudFront geo restriction deny list of countries where the company lacks a license.

DUpdate the S3 bucket policy with a deny list of countries where the company lacks a license.

EEnable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Question 2

[Identity and Access Management]

A company has an organization in AWS Organizations. The organization consists of multiple OUs. The company must prevent 1AM principals from outside the organization from accessing the organization's Amazon S3 buckets. The solution must not affect the existing access that the OUs have to the S3 buckets.

Which solution will meet these requirements?

AConfigure S3 Block Public Access for all S3 buckets.

BConfigure S3 Block Public Access for all AWS accounts.

CDeploy an SCP that includes the 'awsiResourceOrgPaths': '${aws:PrincipalOrgPaths}' condition.

DDeploy an SCP that includes the 'aws:ResourceOrglD': '${aws:PrincipalOrglD}' condition.

Question 3

[Infrastructure Security]

A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help

Mitigate this risk in the future.

What are some ways the engineer could achieve this (Select THREE)?

AUse IAM X-Ray to inspect the trafc going to the EC2 instances.

BMove the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

CChange the security group conguration to block the source of the attack trafc

DUse IAM WAF security rules to inspect the inbound trafc.

EUse Amazon Inspector assessment templates to inspect the inbound traffic.

FUse Amazon Route 53 to distribute trafc.

Question 4

[Identity and Access Management]

You have an S3 bucket defined in IAM. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this.

Please select:

AEnable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

BUse the IAM Encryption CLI to encrypt the data first

CUse a Lambda function to encrypt the data before sending it to the S3 bucket.

DEnable client encryption for the bucket

Question 5

[Incident Response]

A security engineer receives an IAM abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's IAM account is sending phishing email messages.

The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an AmazonEC2 Auto Scaling group across multiple subnets and multiple Availability Zones.

The instances normally communicate only over the HTTP. HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal.

The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)

AAdd an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

BAdd an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

CGather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance. v

DTake a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.

EMove the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.

FReplace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

Unlock All Features of Amazon SCS-C02 Dumps Software

Just have a look at the best and updated features of our SCS-C02 dumps which are described in detail in the following tabs. We are very confident that you will get the best deal on this platform.

Select Question
Types you want

Set your desired
pass percentage

Allocate Time
(Hours: Minutes)

Create Multiple
Practice test with
limited questions

Customer
Support

Latest Success Metrics For actual SCS-C02 Exam

This is the best time to verify your skills and accelerate your career. Check out last week's results, more than 90% of students passed their exam with good scores. You may be the Next successful Candidate.

95%

Average Passing Scores in final Exam

91%

Exactly Same Questions from these dumps

90%

Customers Passed Amazon SCS-C02 exam