Use High-Quality Amazon SCS-C02 Dumps- Try Free Demo

[Logging and Monitoring]

A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.

How can the security engineer meet these requirements?

ACreate an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.

BCreate an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.

CCreate an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to theappropriate organizational unit or account in Organizations.

DCreate an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.

Question 2

[Infrastructure Security]

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

ACreate an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

BUse IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

CCreate a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

DTake a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

EEnable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Question 3

[Incident Response]

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an

Impact lAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this secunty incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

ALog in to the AWS account by using read-only credentials Review the GuardDuty finding for details about the 1AM credentials that were used. Use the 1AM console to add a DenyAII policy to the 1AM pnncipal.

BLog in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use Amazon Detective to review the API calls in context.

CLog in to the AWS account by using administrator credentials Review the GuardDuty finding for details about the 1AM credentials that were used Use the 1AM console to add a DenyAII policy to the 1AM principal.

DLog in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Question 4

[Logging and Monitoring]

A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS Cloud Trail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI.

Because of expansion, the company adds resources in multiple Regions. The secu-rity engineer notices that the logs from the new Regions are not reaching the S3 bucket.

What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

ACreate a new CloudTrail trail. Select the new Regions where the company added resources.

BChange the S3 bucket to receive notifications to track all actions from all Regions.

CCreate a new CloudTrail trail that applies to all Regions.

DChange the existing CloudTrail trail so that it applies to all Regions.

Question 5

[Incident Response]

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)

ADisable termination protection for the EC2 instance if termination protection has not been disabled.

BEnable termination protection for the EC2 instance if termination protection has not been enabled.

CTake snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to theEC2 instance.

DRemove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

ECapture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

FImmediately remove any entries in the EC2 instance metadata that contain sensitive information.

Unlock All Features of Amazon SCS-C02 Dumps Software

Just have a look at the best and updated features of our SCS-C02 dumps which are described in detail in the following tabs. We are very confident that you will get the best deal on this platform.

Select Question
Types you want

Set your desired
pass percentage

Allocate Time
(Hours: Minutes)

Create Multiple
Practice test with
limited questions

Customer
Support

Latest Success Metrics For actual SCS-C02 Exam

This is the best time to verify your skills and accelerate your career. Check out last week's results, more than 90% of students passed their exam with good scores. You may be the Next successful Candidate.

95%

Average Passing Scores in final Exam

91%

Exactly Same Questions from these dumps

90%

Customers Passed Amazon SCS-C02 exam