A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.
A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.
A. Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud.
The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.
The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.
Which solution will meet this requirement?
A. Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.
Which solution meets these requirements with the LEAST operational effort?
A. Designate a GuardDuty administrator account and enable protections.A company wants to use a suite of AWS Lambda functions to automatically remediate noncompliant resources. The company packages the suite of Lambda functions into an AWS CloudFormation template.
The company wants to deploy the suite of Lambda functions to all AWS Organizations accounts. However, the company cannot use the Organizations management account for deployment.
Which solution provides centralized deployment of the Lambda function suite to all accounts in the organization?
A. Register a delegated administrator for CloudFormation. Deploy the template to every account in the organization by using StackSets.A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key. However, the company wants to prevent Amazon EC2 from using the key.
Which solution will meet these requirements?
A. Use IAM explicit deny for EC2 instance profiles and allow for Lambda roles.A company uses AWS Organizations to manage the company's AWS accounts. The company's security team needs to implement preventive controls to deny the use of account-level root credentials. The solution must minimize the risk that an AWS account root user could be compromised. The solution must also minimize the effort needed to manage root access.
Which solution will meet these requirements?
A. Create an AWS Lambda function to disable the root user in every member account. Enable the root account only if the company needs it to modify settings related to centralized billing or the recovery of AWS KMS keys.A company's application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company's security policy requires separate keys for different AWS services to limit security exposure.
How can a security engineer limit the KMS customer managed key to work with only Amazon S3?
A. Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action.A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.
Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)
A. Create a new customer managed key in AWS Key Management Service (AWS KMS).A company uses an external identity provider with IAM Identity Center. The security team needs emergency access if the identity provider is unavailable. Emergency activity must be attributable to individual administrators and must allow cross-account recovery actions.
A. Share a single root user password among the incident response team and rotate it after each incident.A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB).
The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.
A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.
Which rule statement will meet these requirements?
A. Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.