Oct-2023 Download Free Latest Exam AWS-Security-Specialty Certified Sample Questions
The AWS Certified Security - Specialty (SCS-C01) certification exam is designed for professionals who want to demonstrate their expertise in securing applications and workloads on the AWS platform. AWS Certified Security - Specialty certification validates a candidate's knowledge of best practices for securing AWS infrastructure, identifying and mitigating security threats, implementing security controls, and designing security solutions. The SCS-C01 exam covers a range of security topics, such as network security, identity and access management, data protection, and incident response.
NEW QUESTION # 317
A financial institution has the following security requirements:
* Cloud-based users must be contained in a separate authentication domain.
* Cloud-based users cannot access on-premises systems.
As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)
- A. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
- B. Establish a two-way trust between the new and existing Active Directory services.
- C. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
- D. Configure an AWS Managed Microsoft AD to manage the cloud resources.
- E. Configure an additional on-premises Active Directory service to manage the cloud resources.
Answer: D,E
Explanation:
Deploy a new forest/domain on AWS with one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain. Ref: https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf
NEW QUESTION # 318
Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access?
Choose 2 answers from the options given below
Please select:
- A. Delete the root access keys
- B. Delete the root access account
- C. Change the password for the root account.
- D. Create an Admin IAM user with the necessary permissions
Answer: A,D
Explanation:
The AWS Documentation mentions the following:
All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you can't restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS.
Option A is incorrect since you cannot delete the root access account
Option C is partially correct but cannot be used as the ideal solution for safeguarding the account
For more information on root access vs admin IAM users, please refer to below URL:
https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys
NEW QUESTION # 319
A large organization is planning on AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts?
Please select:
- A. Use multiple IAM groups, each group for each department
- B. Use multiple VPCs in the account each VPC for each department
- C. Use multiple AWS accounts, each account for each department
- D. Use multiple IAM roles, each group for each department
Answer: C
Explanation:
A recommendation for this is given in the AWS Security best practices
Option A is incorrect since this would be applicable for resources in a VPC
Options B and C are incorrect since operationally it would be difficult to manage
For more information on AWS Security best practices please refer to the below URL:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use multiple AWS accounts, each account for each department
NEW QUESTION # 320
What is the result of the following bucket policy?
Choose the correct answer:
Please select:
- A. It will allow all access to the bucket mybucket
- B. It will deny all access to the bucket mybucket
- C. None of these
- D. It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
Answer: B
Explanation:
The policy consists of 2 statements, one is the allow for the user mark to the bucket and the next is the deny policy for all other users. The deny permission will override the allow and hence all users will not have access to the bucket.
Options A,B and D are all invalid because this policy is used to deny all access to the bucket mybucket
For examples on S3 bucket policies, please refer to the below Link:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: It will deny all access to the bucket mybucket
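The deny-overrides-allow rule from the explanation above, as an added example that is not part of the original page. The policy document is constructed from the explanation's description (the question's own policy is not reproduced on the page), and the ARN format, object name and function names are assumptions; the evaluator is a simplified model of bucket-policy evaluation only.

```python
import fnmatch

# Constructed policy: an Allow for user mark followed by a Deny for everyone,
# as the explanation describes. Not copied from the original question.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111:user/mark"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket/*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket/*",
        },
    ],
}

MARK = "arn:aws:iam::111111111:user/mark"        # constructed caller ARN
OTHER = "arn:aws:iam::111111111:user/alice"      # constructed caller ARN
OBJECT = "arn:aws:s3:::mybucket/report.csv"      # constructed object ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, caller_arn):
    """A statement applies to everyone ("*") or to the listed ARNs."""
    if stmt_principal == "*":
        return True
    arns = _as_list(stmt_principal.get("AWS", []))
    return "*" in arns or caller_arn in arns


def _statement_applies(stmt, caller_arn, action, resource):
    # Simplified wildcard matching; real IAM matching has more rules.
    return (
        _principal_matches(stmt["Principal"], caller_arn)
        and any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    )


def evaluate(policy, caller_arn, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"          # nothing matched: denied by default
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, caller_arn, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # a matching Deny always wins
        decision = "Allow"             # remember the Allow, keep scanning
    return decision


def without_deny(policy):
    """Copy of the policy with its Deny statements removed, for comparison."""
    kept = [s for s in policy["Statement"] if s["Effect"] != "Deny"]
    return {"Version": policy["Version"], "Statement": kept}


if __name__ == "__main__":
    for name, arn in (("mark", MARK), ("alice", OTHER)):
        print(name, evaluate(BUCKET_POLICY, arn, "s3:GetObject", OBJECT),
              evaluate(without_deny(BUCKET_POLICY), arn, "s3:GetObject", OBJECT))
```

With the Deny statement present, mark's matching Allow has no effect; with it removed, mark is allowed and every other caller falls back to the implicit deny.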
NEW QUESTION # 321
Your company has an EC2 Instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 Instance are stored accordingly. The access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:
- A. Stream the log files to a separate Cloudtrail trail
- B. Create an IAM policy that gives the desired level of access to the Cloudtrail trail
- C. Create an IAM policy that gives the desired level of access to the Cloudwatch Log group
- D. Stream the log files to a separate Cloudwatch Log group
Answer: C,D
Explanation:
You can create a Log group and send all logs from the EC2 Instance to that group. You can then limit the access to the Log groups via an IAM policy.
Option A is invalid because Cloudtrail is used to record API activity and not for storing log files
Option C is invalid because Cloudtrail is the wrong service to be used for this requirement
For more information on Log Groups and Log Streams, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on Access to Cloudwatch logs, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate Cloudwatch Log group. Create an IAM policy that gives the desired level of access to the Cloudwatch Log group
NEW QUESTION # 322
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?
- A. email.us-east-1.amazonaws.com over port 8080
- B. email-smtp.us-east-1.amazonaws.com over port 587
- C. email-pop3.us-east-1.amazonaws.com over port 995
- D. email-imap.us-east-1.amazonaws.com over port 993
Answer: B
NEW QUESTION # 323
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)
- A. The Auditor is using the incorrect password.
- B. The role ARN used by the Auditor is missing or incorrect.
- C. The Amazon EC2 role used by the Auditor must be set to the destination account role.
- D. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
- E. The external ID used by the Auditor is missing or incorrect.
- F. The secret key used by the Auditor is missing or incorrect.
Answer: B,D,E
Explanation:
Using IAM to grant access to a Third-Party Account
1) Create a role to provide access to the required resources
1.1) Create a role policy that specifies the AWS Account ID to be accessed, "sts:AssumeRole" as action, and "sts:ExternalID" as condition
1.2) Create a role using the role policy just created
1.3) Assign a resource policy to the role. This will provide permission to access resource ARNs to the auditor
2) Repeat steps 1 and 2 on all AWS accounts
3) The auditor connects to the AWS account's AWS Security Token Service (STS). The auditor must provide its ExternalID from step 1.2, the ARN of the role he is trying to assume from step 1.3, sts:ExternalID
4) STS provides the auditor with temporary credentials that provide the role access from step 1
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-and-amazon-cloudwatch-events/
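A troubleshooting check for the three causes in the answer (role ARN, sts:AssumeRole grant, external ID), added here as an example and not taken from the original page. The account IDs, role name, external ID value, policy documents and function names are all constructed for illustration.

```python
import fnmatch

# Constructed values for illustration; none come from the original page.
TARGET_ROLE_ARN = "arn:aws:iam::111122223333:role/AuditRole"
AUDITOR_ACCOUNT_ID = "999999999999"

# Trust policy on the role in the audited account (steps 1.1 and 1.2).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Identity policy attached to the auditor's own user or role.
AUDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": TARGET_ROLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_assume_role(identity_policy, role_arn):
    """True if an Allow statement covers sts:AssumeRole on role_arn."""
    for stmt in identity_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions)
                and any(fnmatch.fnmatchcase(role_arn, r) for r in resources)):
            return True
    return False


def expected_external_id(trust_policy, caller_account_id):
    """Return (trusted, external_id) for the caller's account.

    external_id is None when the trusting statement sets no ExternalId condition.
    """
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        accounts = {p.split(":")[4] if p.startswith("arn:") else p for p in arns}
        if caller_account_id not in accounts:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        for key, value in equals.items():
            if key.lower() == "sts:externalid":   # condition keys are case-insensitive
                return True, value
        return True, None
    return False, None


def diagnose(role_arn, external_id, identity_policy=AUDITOR_POLICY,
             trust_policy=TRUST_POLICY, caller_account_id=AUDITOR_ACCOUNT_ID):
    """List the reasons an AssumeRole call with these inputs would be refused."""
    problems = []
    if role_arn != TARGET_ROLE_ARN:
        problems.append("role ARN missing or incorrect")
    if not granted_assume_role(identity_policy, TARGET_ROLE_ARN):
        problems.append("sts:AssumeRole not granted to the caller")
    trusted, required = expected_external_id(trust_policy, caller_account_id)
    if not trusted:
        problems.append("caller account not trusted by the role")
    elif required is not None and external_id != required:
        problems.append("external ID missing or incorrect")
    return problems


if __name__ == "__main__":
    print(diagnose(TARGET_ROLE_ARN, "example-external-id"))   # no problems
    print(diagnose(TARGET_ROLE_ARN, None))                    # external ID missing
```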
NEW QUESTION # 324
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?
- A. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing.
- B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
- C. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
- D. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
Answer: C
Explanation:
Follow the link: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html
NEW QUESTION # 325
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work?
Please select:
- A. Ensure that an IAM service role is created
- B. Ensure that an IAM User is created
- C. Ensure that the on-premise servers are running on Hyper-V.
- D. Ensure that an IAM Group is created for the on-premise servers
Answer: A
Explanation:
You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with the AWS Systems Manager.
Option A is incorrect since it is not necessary that servers should only be running Hyper-V
Options C and D are incorrect since it is not necessary that IAM users and groups are created
For more information on the Systems Manager role please refer to the below URL:
.com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created
NEW QUESTION # 326
For compliance reasons, an organization limits the use of resources to three specific AWS regions. It wants to be alerted when any resources are launched in unapproved regions.
Which of the following approaches will provide alerts on any resources launched in an unapproved region?
- A. Use AWS Trusted Advisor to alert on all resources being created.
- B. Analyze Amazon CloudWatch Logs for activities in unapproved regions.
- C. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
- D. Develop an alerting mechanism based on processing AWS CloudTrail logs.
Answer: A
NEW QUESTION # 327
You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?
Please select:
- A. AWS KMS
- B. AWS Customer Keys
- C. AWS S3 Server side encryption
- D. AWS Cloud HSM
Answer: C
Explanation:
The AWS Documentation mentions the following
Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
All other options are invalid since here you need to ensure the keys are manually rotated since you manage the entire key set.
Using AWS S3 Server side encryption, AWS will manage the rotation of keys automatically.
For more information on Server side encryption, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
The correct answer is: AWS S3 Server side encryption
NEW QUESTION # 328
A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?
- A. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.
- B. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0/0.
- C. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups.
- D. Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region.
Answer: A
Explanation:
The AWS documentation states that you can deploy the Lambda functions inside the VPC and attach a security group to the Lambda functions. You can then provide outbound rule access to the VPC CIDR range only and update the DB instance security group to allow traffic from the Lambda security group. This method is the most secure way to meet the requirements.
References: AWS Lambda Developer Guide
NEW QUESTION # 329
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)
- A. Configure Active Directory to add relying party trust between Active Directory and AWS.
- B. Configure Amazon Cloud Directory to support a SAML provider.
- C. Create IAM groups with permissions corresponding to each Active Directory group.
- D. Create IAM roles with permissions corresponding to each Active Directory group.
- E. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
Answer: A,D
Explanation:
https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active
NEW QUESTION # 330
Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Please select:
- A. Grant public access for the bucket via the bucket policy
- B. Use the aws:sites key in the condition clause for the bucket policy
- C. Use the aws:Referer key in the condition clause for the bucket policy
- D. Grant a role that can be assumed by the web site
Answer: C
Explanation:
An example of this is given in the AWS Documentation
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.
Option A is invalid because giving public access is not a secure way to provide access
Option C is invalid because aws:sites is not a valid condition key
Option D is invalid because IAM roles will not be assigned to web sites
For more information on example bucket policies please visit the below Link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy
NEW QUESTION # 331
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:
- A. Enable cross region replication for the bucket
- B. Enable versioning which will copy the objects to the destination region
- C. Create an S3 snapshot in the destination region
- D. Write a script to copy the objects to another bucket in the destination region
Answer: A
Explanation:
Option B is partially correct but a big maintenance overhead to create and maintain a script when the functionality is already available in S3
Option C is invalid because snapshots are not available in S3
Option D is invalid because versioning will not replicate objects
The AWS Documentation mentions the following
Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions.
For more information on Cross region replication in the Simple Storage Service, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket
NEW QUESTION # 332
The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.
How can the InfoSec team ensure compliance with this mandate?
- A. Patch all running instances by using AWS Systems Manager.
- B. Deploy AWS Config rules and check all running instances for compliance.
- C. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
- D. Define a metric filter in Amazon CloudWatch Logs to verify compliance.
Answer: B
Explanation:
https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html
NEW QUESTION # 333
Your current setup in AWS consists of the following architecture: 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup?
Please select:
- A. Consider moving both the web and database server to a private subnet
- B. Consider moving the web server to a private subnet
- C. Consider creating a private subnet and adding a NAT instance to that subnet
- D. Consider moving the database server to a private subnet
Answer: D
Explanation:
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.
The below diagram from the AWS Documentation shows how this can be setup
Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users
Option D is invalid because NAT instances should be present in the public subnet
For more information on public and private subnets in AWS, please visit the following url
com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet
NEW QUESTION # 334
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
Please select:
- A. Enable GuardDuty to block malicious traffic from reaching the application
- B. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
- C. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
- D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
- E. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
Answer: D,E
Explanation:
The below diagram from AWS shows the best case scenario for avoiding DDoS attacks using services such as AWS CloudFront, WAF, ELB and Autoscaling
Option A is invalid because by default security groups don't allow access
Option C is invalid because AWS Inspector cannot be used to examine traffic
Option E is invalid because this can be used for attacks on EC2 Instances but not against DDoS attacks on the entire application
For more information on DDoS mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
NEW QUESTION # 335
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work?
Please select:
- A. Ensure that an IAM service role is created
- B. Ensure that an IAM User is created
- C. Ensure that the on-premise servers are running on Hyper-V.
- D. Ensure that an IAM Group is created for the on-premise servers
Answer: A
Explanation:
You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with the AWS Systems Manager.
Option A is incorrect since it is not necessary that servers should only be running Hyper-V
Options C and D are incorrect since it is not necessary that IAM users and groups are created
For more information on the Systems Manager role please refer to the below URL:
.com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created
NEW QUESTION # 336
What is the result of the following bucket policy?
Choose the correct answer:
Please select:
- A. It will allow all access to the bucket mybucket
- B. It will deny all access to the bucket mybucket
- C. None of these
- D. It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
Answer: B
Explanation:
The policy consists of 2 statements, one is the allow for the user mark to the bucket and the next is the deny policy for all other users. The deny permission will override the allow and hence all users will not have access to the bucket.
Options A,B and D are all invalid because this policy is used to deny all access to the bucket mybucket
For examples on S3 bucket policies, please refer to the below Link:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: It will deny all access to the bucket mybucket
NEW QUESTION # 337
You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?
Please select:
- A. AWS KMS
- B. AWS Customer Keys
- C. AWS S3 Server side encryption
- D. AWS Cloud HSM
Answer: C
Explanation:
The AWS Documentation mentions the following
Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
All other options are invalid since here you need to ensure the keys are manually rotated since you manage the entire key set.
Using AWS S3 Server side encryption, AWS will manage the rotation of keys automatically.
For more information on Server side encryption, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
The correct answer is: AWS S3 Server side encryption
NEW QUESTION # 338
Your company has been using AWS for hosting EC2 Instances for their web and database applications. They want to have a compliance check to see the following:
* Whether any ports are left open other than admin ones like SSH and RDP
* Whether any ports to the database server other than ones from the web server security group are open
Which of the following can help achieve this in the easiest way possible? You don't want to carry out any extra configuration changes.
Please select:
- A. AWS Config
- B. AWS Inspector
- C. AWS Trusted Advisor
- D. AWS GuardDuty
Answer: C
Explanation:
Trusted Advisor checks for compliance with the following security recommendations:
Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), Oracle (1521) and 5432 (PostgreSQL).
Option A is partially correct but then you would need to write custom rules for this. The AWS Trusted Advisor can give you all of these checks on its dashboard
Option C is incorrect. Amazon Inspector needs a software agent to be installed on all EC2 instances that are included in the assessment target, the security of which you want to evaluate with Amazon Inspector. It monitors the behavior of the EC2 instance on which it is installed, including network, file system, and process activity, and collects a wide set of behavior and configuration data (telemetry), which it then passes to the Amazon Inspector service.
Our question's requirement is to choose a choice that is easy to implement. Hence Trusted Advisor is more appropriate for this question.
Option D is invalid because this service doesn't provide these details.
For more information on the Trusted Advisor, please visit the following URL
https://aws.amazon.com/premiumsupport/trustedadvisor/
The correct answer is: AWS Trusted Advisor
NEW QUESTION # 339
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.
Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
- A. Configure access logging for the required API stage.
- B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
- C. Use Amazon CloudWatch Logs Insights to analyze API access information.
- D. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
- E. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
Answer: C,E
NEW QUESTION # 340
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account.
Which configuration caused this issue?
A) An SCP is attached to the account with the following permission statement:
B) A permission boundary policy is attached to the System Administrator role with the following permission statement:
C) A permission boundary is attached to the System Administrator role with the following permission statement:
D) An SCP is attached to the account with the following statement:
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer: B
NEW QUESTION # 341
......