A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to IAM and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.
Which application flow would meet the data protection requirements on IAM?

ADigitized files -> Amazon Kinesis Data Analytics

BDigitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena

CDigitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena

DDigitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

1 answers

97 votes

1169

Answer Link

A company manages multiple IAM accounts using IAM Organizations. The company's security team notices that some member accounts are not sending IAM CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured (or all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?

ACreate a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

BDeploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

CEdit the existing trail in the Organizations master account and apply it to the organization.

DCreate an SCP to deny the cloudtrail:Delete' and cloudtrail:Stop' actions. Apply the SCP to all accounts.

1 answers

82 votes

1208

Answer Link

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

AUsing Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

BEnable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing IAM CloudTrail logs and S3 bucket logs for GET operations.

CEnable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.

DEnable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

1 answers

78 votes

976

Answer Link

A Security Administrator is restricting the capabilities of company root user accounts. The company uses IAM Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational IAM resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

ADisable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

BConfigure IAM user policies to restrict root account capabilities for each Organizations member account.

CCreate an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

DConfigure IAM CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

1 answers

74 votes

1048

Answer Link

Auditors tor a health care company have mandated mat all data volumes be encrypted at rest Infrastructure is deployed mainly via AWS CloudFormation however third-party frameworks and manual deployment are required on some legacy systems
What is the BEST way to monitor, on a recurring basis, whether a> E6S volumes are encrypted?

AOn a recurring basis, update an 1AM user policies to require that EC2 instances are created with an encrypted volume

BConfigure an AWS Config rule lo run on a recurring basis 'or volume encryption

CSet up Amazon Inspector rules tor volume encryption to run on a recurring schedule

DUse CloudWatch Logs to determine whether instances were created with an encrypted volume

1 answers

97 votes

991

Answer Link

Amazon SCS-C01 Quiz:6 Topic:4 Questions:26-30

Free Practice Mock Questions Set 26-30 (Quiz # 6) for Amazon SCS-C01 Exam, according to official Amazon AWS Certified Security - Specialty Exam syllabus topic # 4

Quiz 2

Quiz 3

Quiz 4

Quiz 5

Quiz 6

Quiz 7