Amazon AWS Certified Security - Specialty SCS-C01
Prev

There are 254 results

Next
#101 (Accuracy: 100% / 5 votes)
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS
CodeCommit repository in the DevOps account.
How should the security team securely store the API key?
  • A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
  • B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environmental variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
  • C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
  • D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
#102 (Accuracy: 100% / 4 votes)
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository.
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.
Which solution meets these requirements?
  • A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
  • B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
  • C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
  • D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
#103 (Accuracy: 93% / 4 votes)
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK.
Which solution would solve this problem?
  • A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
  • B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
  • C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
  • D. Use AWS Backup to copy EBS snapshots to Amazon S3.
#104 (Accuracy: 100% / 3 votes)
A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.

Which solution will meet these requirements?
  • A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
  • B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.
  • C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).
  • D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.
#105 (Accuracy: 100% / 7 votes)
A security engineer is analyzing Amazon GuardDuty findings. The security engineer observes an Impact value for ThreatPurpose in a GuardDuty finding.
What does this value indicate?
  • A. An adversary has compromised an AWS resource so that the resource is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.
  • B. GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.
  • C. GuardDuty is detecting activity or activity patterns that suggest that an adversary is attempting to manipulate, interrupt, or destroy the company's systems and data.
  • D. GuardDuty is detecting activity or activity patterns that an adversary might use to expand its knowledge of the company's systems and internal networks.
#106 (Accuracy: 91% / 7 votes)
A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket. The log files are encrypted using AWS KMS. A security engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The security engineer is unable to access the logs in the S3 bucket and receives an access denied error message.

What should the security engineer do to fix this issue?
  • A. Check that the role the security engineer uses grants permission to decrypt objects using the KMS CMK.
  • B. Check that the role the security engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
  • C. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
  • D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK.
#107 (Accuracy: 100% / 4 votes)
A security engineer is creating a new Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. The cluster will act as a data warehouse. A separate fleet of application servers will extract records from the data warehouse and will transform these records into reports that will be uploaded to Amazon S3 buckets.

The security engineer must securely configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster so that only the application servers can access it.

Which solution meets these requirements?
  • A. Configure network ACLs on the subnets that host the Amazon OpenSearch Service (Amazon Elasticsearch Service) instances to allow access from the application servers only.
  • B. Configure a VPC peering connection between the VPC that contains the application servers and the VPC that contains the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster.
  • C. Monitor the VPC flow logs for traffic that is destined for the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Use the flow logs to detect traffic that did not originate from the application servers.
  • D. Configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster for VPC access only. Use a security group to allow access to the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster from the application servers only.
#108 (Accuracy: 100% / 4 votes)
A company is running batch workloads that use containers on Amazon Elastic Container Service (Amazon ECS). The company needs a secure solution for storing API keys that are required for integration with external services. The company's security policy states that API keys must not be stored or transmitted in plaintext. The company's IT team currently rotates the API keys manually.

A security engineer must recommend a solution that meets the security requirements and automates the rotation of the API keys

Which solution should the security engineer recommend?
  • A. Use a secure string parameter in AWS Systems Manager Parameter Store. Activate the feature for automatic rotation.
  • B. Use Amazon EC2 user data for storing the API keys. Set up a scheduled AWS Lambda function to automatically rotate the API keys.
  • C. Use AWS Fargate to store the API keys. Set up a scheduled AWS Lambda function to automatically rotate the API keys.
  • D. Use AWS Secrets Manager to store the API keys. Reference the API keys in the container definition.
#109 (Accuracy: 100% / 3 votes)
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.

Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.

The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications.

Which solution will meet these requirements?
  • A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
  • B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
  • C. Enable CloudTrail Insights to identify unusual API activity.
  • D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
#110 (Accuracy: 100% / 4 votes)
A company uses Amazon GuardDuty to detect threats and malicious activities in AWS accounts. The company has subscribed to a third-party threat intelligence list uploaded to an Amazon S3 bucket.
How should the security engineer efficiently use the threat list across all company AWS accounts?
  • A. Ensure the S3 bucket policy allows all company AWS accounts access to the threat list. Use an AWS Lambda function to automatically add the threat list to all company AWS accounts.
  • B. Ensure GuardDuty is in master-member configuration. Add the threat list to the master account referencing the S3 object that contains the threat list.
  • C. Ensure all accounts are part of the same organization in AWS Organizations. Add the threat list to any company account within AWS Organizations.
  • D. Ensure the threat list in the S3 bucket is publicly accessible. Use an Amazon CloudWatch Events event on GuardDuty findings to match IPs against the threat list.