Amazon SCS-C03 Practice Questions

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

A. Amazon S3 static web hosting

B. Amazon CloudFront distribution

C. Application Load Balancer

B, C.

AWS WAF is a LAYER 7 web application firewall that lets you monitor web requests that are forwarded to Amazon CloudFront distributions, an Application Load Balancer or an Amazon API Gateway

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

Answer B is correct.

Wrong options:

A, D - JobFunctionRole does NOT exist in the target account.

C - Only allow root and NOT IAM role IdentityRole.

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.

What is the MOST efficient way to manage access control for the KMS CMK7?

A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross- account vendor access.

A is correct.

AWS KMS supports two resource-based access control mechanisms: key policies and grants.

With grants you can programmatically delegate the use of KMS customer master keys (CMKs) to other AWS principals. IAM Policies are optional - Requires additional steps.

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not.

What is the MOST likely cause?

A. The log files fail integrity validation and automatically are marked as unavailable.

B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.

C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.

D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.

B is correct, because the other answers are unreasonable.

The files can be placed anywhere and the files should be allowed for inspection if the failed validation.