SCS-C02 AWS Certified Security - Specialty


Showing 10–12 of 15 questions

Question 10

A developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon S3 access without affecting the other accounts?

A. Move the SCP to the root OU of the organization to remove the restriction on access to Amazon S3.

B. Add an IAM policy for the developer, which grants S3 access.

C. Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.

D. Add an allow list for the developer account for the S3 service.

Answer: C

Explanation:

An SCP attached to an OU applies to every account in that OU and caps the permissions available inside those accounts; an IAM policy granted in a member account (option B) cannot override an SCP deny. Moving the SCP to the root (option A) would extend the restriction to every account in the organization, and SCPs have no per-account allow list (option D). Moving only the developer's account into a new OU that does not carry the restricting SCP (option C) lifts the restriction for that account alone and leaves the other accounts untouched.


Question 11

A company's security engineer has been tasked with restricting a contractor's IAM account to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.

What should the security engineer do to meet these requirements?


  • Create an inline IAM user policy that allows Amazon EC2 access for the contractor's IAM user.

  • Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

  • Create an IAM group with an attached policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

  • Create an IAM role that allows EC2 access and explicitly denies all other services. Instruct the contractor to always assume this role.
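Questions 10 and 11 both turn on the same evaluation rule: an SCP and a permissions boundary never grant anything, they only cap what identity policies can grant, and an explicit deny in any layer wins. The following simulator is an added example, not code from the exam page or from AWS; it models only Action matching with Allow and Deny statements (no Resource, Condition or resource-based policies), and the policy documents, including the assumed content of the restricting SCP from Question 10, are constructed for the two scenarios. It shows why adding an identity policy (Question 10, option B) or an extra group (Question 11) does not widen access, while moving the account to an OU without the SCP does.

```python
"""Simplified model of how AWS evaluates SCPs, permissions boundaries and identity policies.

Added example (not from the exam page or AWS). Only Action matching with Allow/Deny
statements is modelled; Resource, Condition and resource-based policies are omitted.
"""
from fnmatch import fnmatchcase


def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def evaluate_policy(policy, action):
    """Evaluate one policy document for an action.

    Returns 'Deny' if a matching statement denies, 'Allow' if one allows,
    or None if no statement mentions the action (an implicit deny).
    """
    verdict = None
    for stmt in _statements(policy):
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatchcase(action.lower(), pattern.lower()) for pattern in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_allowed(action, identity_policies, scps=(), boundary=None):
    """Decide whether a principal may perform `action`.

    identity_policies: policies attached to the user plus those of its groups.
    scps: one effective SCP per level of the OU path (root, OU, ...); each must allow.
    boundary: the permissions boundary attached to the user or role, if any.
    """
    all_layers = list(identity_policies) + list(scps) + ([boundary] if boundary else [])
    # 1. An explicit Deny in any layer wins outright.
    if any(evaluate_policy(p, action) == "Deny" for p in all_layers):
        return False
    # 2. Every SCP level must contain an Allow (SCPs cap, they never grant).
    if any(evaluate_policy(p, action) != "Allow" for p in scps):
        return False
    # 3. The permissions boundary, when set, must also contain an Allow.
    if boundary is not None and evaluate_policy(boundary, action) != "Allow":
        return False
    # 4. Finally, some identity policy has to grant the action.
    return any(evaluate_policy(p, action) == "Allow" for p in identity_policies)


# --- Constructed policy documents for the two scenarios ---------------------------
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_S3_SCP = {"Version": "2012-10-17",  # assumed content of the OU's restricting SCP
               "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_ONLY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def developer_can_use_s3(account_ou_scps, extra_identity_policies=()):
    """Question 10: developer with AdministratorAccess in an account under the given OU path."""
    return is_allowed("s3:GetObject",
                      [ADMINISTRATOR_ACCESS, *extra_identity_policies],
                      scps=account_ou_scps)


def contractor_can(action, group_policies, boundary):
    """Question 11: contractor whose permissions come only from group membership."""
    return is_allowed(action, group_policies, scps=[FULL_AWS_ACCESS_SCP], boundary=boundary)


if __name__ == "__main__":
    restricted_ou = [FULL_AWS_ACCESS_SCP, DENY_S3_SCP]          # root SCP + OU SCP
    unrestricted_ou = [FULL_AWS_ACCESS_SCP, FULL_AWS_ACCESS_SCP]  # root SCP + new OU's default SCP
    print("Q10 as-is:           ", developer_can_use_s3(restricted_ou))
    print("Q10 option B:        ", developer_can_use_s3(restricted_ou, [ADMINISTRATOR_ACCESS]))
    print("Q10 option C:        ", developer_can_use_s3(unrestricted_ou))
    print("Q11 EC2 via group:   ", contractor_can("ec2:DescribeInstances", [EC2_ONLY], EC2_ONLY))
    print("Q11 admin group added:", contractor_can("s3:ListAllMyBuckets",
                                                   [EC2_ONLY, ADMINISTRATOR_ACCESS], EC2_ONLY))
```

The last line is the check Question 11 asks for: once the boundary is attached, putting the contractor into an AdministratorAccess group changes nothing outside EC2, which an inline policy or a group policy alone cannot guarantee.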

Question 12

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account.

How should the security team securely store the API key?


  • Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.

  • Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environment variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.

  • Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.

  • Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
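Only the Secrets Manager option keeps the key encrypted, out of the DevOps repository and under the security team's control; the other three either leave the key in the DevOps account (CodeCommit migration, environment variable) or expose it through a bearer URL that anyone holding the template can use (presigned URL). The code below is an added example, not code from the exam page or from AWS, of what the Lambda side of that answer looks like. The account IDs, ARNs, role name and secret name are assumed, and the `FakeSecretsClient` is a constructed stand-in for `boto3.client("secretsmanager")` so the module runs offline; in production the handler creates the real client. It also records the three grants cross-account retrieval needs (secret resource policy, execution-role policy, and a customer managed KMS key whose key policy allows the role), and caches the value across warm invocations.

```python
"""Retrieve an API key from the central security account's Secrets Manager at runtime.

Added example (not from the exam page or AWS). The handler never embeds the key; it reads
it through the function's execution role from a secret owned by the security account.
"""
import json
import time

SECURITY_ACCOUNT_ID = "111111111111"   # assumed ID of the central security account
DEVOPS_ACCOUNT_ID = "222222222222"     # assumed ID of the account that runs the Lambda
API_KEY_SECRET_ARN = (                  # assumed ARN of the secret in the security account
    f"arn:aws:secretsmanager:us-east-1:{SECURITY_ACCOUNT_ID}:secret:prod/payments/api-key-AbCdEf"
)
LAMBDA_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT_ID}:role/payments-lambda-role"  # assumed
CACHE_TTL_SECONDS = 300

# Cross-account access needs grants on both sides. The secret must be encrypted with a
# customer managed KMS key: the AWS managed key aws/secretsmanager cannot be used from
# another account, and that key's policy must also allow kms:Decrypt to the role.
SECRET_RESOURCE_POLICY = {   # attached to the secret, in the security account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
                   "Action": "secretsmanager:GetSecretValue", "Resource": "*"}],
}
LAMBDA_ROLE_POLICY = {       # attached to the execution role, in the DevOps account
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": API_KEY_SECRET_ARN},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": f"arn:aws:kms:us-east-1:{SECURITY_ACCOUNT_ID}:key/*"},
    ],
}

_cache = {}   # survives across warm invocations of the same execution environment


def is_security_account_secret(secret_arn):
    """True only for Secrets Manager ARNs owned by the security account."""
    parts = secret_arn.split(":")
    return len(parts) >= 6 and parts[2] == "secretsmanager" and parts[4] == SECURITY_ACCOUNT_ID


def get_api_key(client, secret_arn=API_KEY_SECRET_ARN, now=time.time):
    """Return the API key, refusing any secret that is not owned by the security account."""
    if not is_security_account_secret(secret_arn):
        raise ValueError(f"refusing to read a secret outside the security account: {secret_arn}")
    entry = _cache.get(secret_arn)
    if entry and now() - entry["fetched_at"] < CACHE_TTL_SECONDS:
        return entry["value"]
    resp = client.get_secret_value(SecretId=secret_arn)
    value = json.loads(resp["SecretString"])["api_key"]
    _cache[secret_arn] = {"value": value, "fetched_at": now()}
    return value


def handler(event, context, client=None):
    """Lambda entry point; `client` defaults to the real boto3 client in production."""
    if client is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        client = boto3.client("secretsmanager")
    api_key = get_api_key(client)
    # Call the third-party API with api_key here; never log it or return it to the caller.
    return {"statusCode": 200, "body": json.dumps({"key_loaded": bool(api_key)})}


class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client, for offline runs and tests."""
    def __init__(self, secrets):
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"ARN": SecretId, "SecretString": json.dumps(self.secrets[SecretId])}


if __name__ == "__main__":
    fake = FakeSecretsClient({API_KEY_SECRET_ARN: {"api_key": "constructed-demo-key"}})
    print(handler({}, None, client=fake), "Secrets Manager calls:", fake.calls)
    print(handler({}, None, client=fake), "Secrets Manager calls:", fake.calls)  # served from cache
```

The ARN check is the practitioner's guard against a misconfigured environment variable pointing the function at a secret in some other account; the TTL cache keeps the number of `GetSecretValue` calls (and the per-call cost) down without pinning a rotated key forever.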