A company uses an organization in AWS Organizations to manage multiple AWS accounts. A security engineer creates a WAF policy in AWS Firewall Manager in the us-east-1 Region. The security engineer sets the policy scope to apply to resources that are tagged withWAF-protected:truein one of the member
accounts in the organization. The security engineer sets up a configuration to automatically remediate any noncompliant resources. In a member account, the security engineer attempts to protect an Amazon API Gateway REST API in the us-east-1 Region by using a web ACL. However, after several minutes, the REST API is still not associated with the web ACL.
What is the likely cause of this issue?
A. Web ACLs cannot be applied to REST APIs.A consulting firm needs temporary access to a company's production account to perform a security assessment. The firm has its own AWS account. The company requires MFA and does not allow long-term IAM users in the production account for consultants.
A. Create an IAM user in the production account for each consultant and email the initial passwords.A security engineer needs to configure DDoS protection for a Network Load Balancer (NLB) with an Elastic IP address. The security engineer wants to set up an AWS WAF web ACL with a rate-based rule statement to protect the NLB.
The security engineer needs to determine a rate limit that will not block legitimate traffic. The security engineer has configured the rule statement to aggregate based on the source IP address.
How should the security engineer configure the rule to protect the NLB?
A. Configure the rule to use theCountaction.A security team manages a company's AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team ' s software process with access to the keys.
Which solution will meet these requirements with the LEAST operational overhead?
A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.A CloudFormation template needs to configure an application with database credentials. The company already stores the credentials in AWS Secrets Manager and uses AWS KMS for encryption. The template must not contain plaintext credentials.
A. Store the plaintext password in a template parameter and mark the parameter description as confidential.A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center.
In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets.
A security engineer must implement a solution to prevent the deletion of the CloudFormation stack.
Which solution will meet this requirement?
A. Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:UpdateTerminationProtection action for the stack's ARN. Apply the SCP to the root of the organization.A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.
Which solution will meet this requirement with the LEAST effort?
A. Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.A platform team creates application roles for developers in multiple accounts. The security team wants developers to create and manage resources only within an approved permission envelope, even if a developer can attach policies to roles that the developer creates.
A. Store all developer credentials in AWS Secrets Manager and rotate them daily.A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.
The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy.
Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required
S3 buckets.
The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that isoutside the company's AWS Organization. The processing job must continue to function.
Which solution will meet these requirements?
A. Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws: PrincipalOrgId match the company's organization.A company ' s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company ' s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.
What should the security engineer do to meet these requirements?
A. Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.