Question 1

A company has configured federation between an on-premises identity provider (IdP) and AWS. Developers authenticate into an identity account and assume an IAM role named IdPUsersRole. The developers then access a production account by assuming a role named ProdDevRole in the production account.

Developers are unable to assume the IAM role in the production account. The policy attached to the role in the identity account is:

2023-01-05-03-21-58-1df8c3f4bcc13f6e7590603358e86056

What needs to be done to enable the developers to assume the appropriate role in the production account?

Options :

A : Update the IAM policy attached to the role in the target account to allow the “sts: AssumeRole” API action for the ProdDevRole principal in the production account.

B : Update the IAM policy attached to the role in the identity account to allow the “sts: AssumeRole” API action for the ProdDevRole principal in the production account.

C : Update the trust policy on the role in the identity account to allow the “sts: AssumeRole” API action for the IdPUsersRole principal in the identity account.

D : Update the trust policy on the role in the production account to allow the “sts: AssumeRole” API action for the IdPUsersRole principal in the identity account

Answer: D

Question 2

A security engineer is working with the development team to design an application that encrypts data using an AWS KMS key. Various users with accounts in AWS IAM will need to be provided with temporary access to decrypt data using the KMS key.

What is the MOST efficient way to manage access control for the KMS key?

Options :

A : Use an IAM group. Programmatically add and remove users from the group and attach a policy that grants key access

B : Use an IAM role. Programmatically update the IAM role policies to manage access

C : Use KMS grants. Programmatically create and revoke grants to manage access.

D : Use KMS key policies. Programmatically update the KMS key policies to manage access

Answer: C

Question 3

A company requires data encryption for sensitive data. The security has requested that the solution must allow cryptographic erasure of all resources protected by the encryption key within 15 minutes.

Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?

Options :

A : Use imported key material with an AWS KMS key.

B : Use an AWS owned KMS key.

C : Use an AWS managed KMS key.

D : Use an AWS KMS customer managed KMS key.

Answer: A

Question 4

A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions. What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

Options :

A : Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

B : Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

C : Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template-s parameters.

D : Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Answer: C

Question 5

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time. The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users. Which solution will mefet these requirements?

Options :

A :

Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.

B :

Update the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.

C :

Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.

D :

Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

Answer: A

Higher Test Marks with Free Online SCS-C02 Exam Practice

Buying Options: