A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.
What should the company do to properly encrypt the snapshot in us-west-1?
A. Store the customer managed key in AWS Secrets Manager in us-west-1.A security engineer is reducing excessive IAM permissions. The engineer needs to identify services and actions that IAM principals have used recently so unused permissions can be removed with minimal guesswork.
A. Use Amazon Macie to classify IAM policy documents as sensitive data.A company requires every new cloud resource to include a CostCenter tag with one of several approved values. The company also wants to prevent users from creating resources when the required tag is missing.
Which combination of controls should the company use? Choose two.
A. Use AWS Organizations tag policies to define approved tag keys and values.A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.
The company needs to implement a monitoring solution for logs from all AWS resources across all accounts.
The solution must include automatic detection of security-related issues.
Which solution will meet these requirements with theLEAST operational effort?
A. Designate an Amazon GuardDuty administrator account in the organization's management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.A company manages multiple AWS accounts through an organization in AWS Organizations. The company enables all features in the organization.
A security team must implement a solution to centrally manage VPC security groups across the accounts.
The company uses an existing reference security group with the required configuration. The solution must detect if security group rules have been modified to deviate from the reference security group. The solution must automatically restore any noncompliant security groups to match the reference security group.
The security team needs to select a solution that does not require custom development or scripting.
Which solution will meet these requirements?
A. Use AWS Firewall Manager to manage security group rules through security group policy rules.An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon
S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows thekms:Decryptpermission to the customer managed key. The IAM policy also allows thes3:List* ands3:Get* permissions for the S3 bucket
and its objects.
Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?
A. The IAM policy needs to allow thekms:DescribeKeypermission.A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.
Which solution will meet this requirement?
A. Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms that respond to Macie findings.A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.
Which solution meets these requirements?
A. Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.
Which additional step will meet these requirements?
A. Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.A company wants to implement a content delivery network (CDN) for an upcoming product launch. The origin for distribution is a web server outside the AWS Cloud. The origin requires an authorization header from each request.
Which solution will meet these requirements?
A. Use AWS Global Accelerator to create a custom routing accelerator. Configure the accelerator to use TCP. Specify the web server's IP address. Include the required authorization header in the request. Configure the web server to respond to requests from authorized users by using a signed cookie in the response header.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.