Amazon AWS Certified Security - Specialty SCS-C01
#121 (Accuracy: 100% / 3 votes)
A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB).
A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.
Which configuration steps should the security engineer take to accomplish this task?
  • A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
  • B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC's internet gateway.
  • C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
  • D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
#122 (Accuracy: 100% / 4 votes)
A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) CMK with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job.

Which process should the bash script use to encrypt the file?
  • A. Use the aws kms encrypt command to encrypt the file by using the existing CMK.
  • B. Use the aws kms create-grant command to generate a grant for the existing CMK.
  • C. Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.
  • D. Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.
#123 (Accuracy: 100% / 5 votes)
A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet.

A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically.
Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials.

The security engineer deploys a custom Lambda function in the VPC.
The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance's security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly.

What should the security engineer do so that the function can rotate the secret?
  • A. Add an egress-only internet gateway to the VPC. Allow only the Lambda function's subnet to route traffic through the egress-only internet gateway.
  • B. Add a NAT gateway to the VPC. Configure only the Lambda function's subnet with a default route through the NAT gateway.
  • C. Configure a VPC peering connection to the default VPC for Secrets Manager. Configure the Lambda function's subnet to use the peering connection for routes.
  • D. Configure a Secrets Manager interface VPC endpoint. Include the Lambda function's private subnet during the configuration process.
#124 (Accuracy: 100% / 5 votes)
A user is implementing a third-party web application on an Amazon EC2 instance. All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance. Communication to the instance must be over port 80. Company policy requires that workloads reside in private subnets.
Which solution meets these requirements?
  • A. Create an Application Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
  • B. Allocate an Elastic IP address that has SSL termination activated. Associate the Elastic IP address with the instance on port 80.
  • C. Create a Gateway Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
  • D. Implement a Network Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
#125 (Accuracy: 100% / 3 votes)
A company needs to provide digital evidence to a security engineer for analysis. The evidence must be encrypted and the immutability of the source data must be maintained.
What is the MOST secure solution that meets these requirements?
  • A. Upload the digital evidence to a new Amazon S3 bucket. Set up an S3 Lifecycle configuration to move the data to S3 Glacier. Configure S3 Glacier with a vault lock policy.
  • B. Upload the digital evidence to a new Amazon S3 bucket with S3 Object Lock enabled. Implement server-side encryption with AWS Key Management Service (AWS KMS).
  • C. Upload the digital evidence to a new Amazon S3 bucket. Configure an S3 bucket policy. Enable S3 Versioning and MFA Delete. Use S3 presigned URLs.
  • D. Launch an Amazon EC2 instance. Store the digital evidence on an attached Amazon Elastic Block Store (Amazon EBS) volume. Enable termination protection, isolate the EC2 instance and take a snapshot of the EBS volume.
#126 (Accuracy: 100% / 4 votes)
A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages.
The EC2 instance is part of an application that is deployed in production.
The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.
The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols.
Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal.
The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime.

Which combination of steps must the security engineer take to meet these requirements? (Choose three.)
  • A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  • B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  • C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
  • D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
  • E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
  • F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
#127 (Accuracy: 100% / 3 votes)
A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.
Which solution will meet these requirements MOST cost-effectively?
  • A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.
  • B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.
  • C. Use the geo restriction feature in CloudFront to deny the specific countries.
  • D. Use geolocation headers in CloudFront to deny the specific countries.
#128 (Accuracy: 100% / 2 votes)
A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.
What should the security engineer do next to meet this requirement?
  • A. Within AWS Key Management Service (AWS KMS), specify the deletion time of the key material during CMK creation. AWS KMS will automatically create a CloudWatch alarm.
  • B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge (CloudWatch Events) rule.
  • C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge (CloudWatch Events) rule.
  • D. Create an Amazon Simple Notification Service (Amazon SNS) policy to look for AWS Key Management Service (AWS KMS) API calls of RevokeGrant and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.
#129 (Accuracy: 100% / 13 votes)
A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store.
However, the development team receives an error message on each attempt.
Which issues that are related to the CMK could be reasons for the error? (Choose two.)
  • A. The CMK used in the attempt does not exist.
  • B. The CMK used in the attempt needs to be rotated.
  • C. The CMK used in the attempt is specified by the CMK's key ID instead of the CMK ARN.
  • D. The CMK used in the attempt is not enabled.
  • E. The CMK used in the attempt is specified by an alias.
#130 (Accuracy: 100% / 3 votes)
The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK).

Which CMK-related issues could be responsible? (Choose two.)
  • A. The CMK specified in the application does not exist.
  • B. The CMK specified in the application is currently in use.
  • C. The CMK specified in the application is using the CMK KeyID instead of the CMK Amazon Resource Name (ARN).
  • D. The CMK specified in the application is not enabled.
  • E. The CMK specified in the application is using an alias.