Amazon AWS Certified Security - Specialty SCS-C01
There are 254 results
#151 (Accuracy: 100% / 2 votes)
The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.
Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?
  • A. Amazon Cognito
  • B. AssumeRoleWithWebIdentity API
  • C. Amazon Cloud Directory
  • D. Active Directory (AD) Connector
#152 (Accuracy: 100% / 1 vote)
A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards.
Which of the following actions should the Engineer perform to get further guidance?
  • A. Read the AWS Customer Agreement.
  • B. Use AWS Artifact to access AWS compliance reports.
  • C. Post the question on the AWS Discussion Forums.
  • D. Run AWS Config and evaluate the configuration outputs.
#153 (Accuracy: 100% / 3 votes)
A company is migrating its Amazon EC2-based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).

What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?
  • A. Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
  • B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.
  • C. Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.
  • D. Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used. Create a metric filter and an Amazon CloudWatch dashboard. Track the metric in the dashboard.
#154 (Accuracy: 100% / 3 votes)
A company is using an AWS owned CMK in its application to encrypt files in an AWS account. The company’s security team wants to have the ability to change to new key material for new files whenever there is a potential key breach. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so.

Which solution will meet these requirements?
  • A. Create a new customer managed CMK. Add a key rotation schedule to the CMK. Invoke the key rotation schedule every time the security team requests a key change.
  • B. Create a new AWS managed CMK. Add a key rotation schedule to the CMK. Invoke the key rotation schedule every time the security team requests a key change.
  • C. Create a CMK alias. Create a new customer managed CMK every time the security team requests a key change. Associate the alias with the new CMK.
  • D. Create a CMK alias. Create a new AWS managed CMK every time the security team requests a key change. Associate the alias with the new CMK.
#155 (Accuracy: 100% / 4 votes)
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console.
Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?
  • A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
  • B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
  • C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
  • D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
#156 (Accuracy: 100% / 3 votes)
A company is hosting a set of application, database, and web server instances in the AWS Cloud. Each set of instances has separate security groups. The company has properly defined the network ACLs. The company discovers an issue with the communication between the application and database instances.

Which set of steps should a security engineer take to troubleshoot the issue?
  • A. Check the inbound rules for the database security group. Check the outbound rules for the application security group.
  • B. Check the outbound rules for the database security group. Check the inbound rules for the application security group.
  • C. Check the inbound rules for the database security group. Check the inbound rules for the application security group.
  • D. Check the outbound rules for the database security group. Check the inbound rules and the outbound rules for the application security group.
#157 (Accuracy: 100% / 4 votes)
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.
Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)
  • A. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
  • B. Import the certificate with a 4,096-bit RSA public key.
  • C. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
  • D. Import the certificate in the us-east-1 (N. Virginia) Region.
  • E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.
#158 (Accuracy: 100% / 6 votes)
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)
  • A. Use the AWS account root user access keys instead of the AWS Management Console
  • B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
  • C. Enable multi-factor authentication for the AWS account root user
  • D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
  • E. Do not create access keys for the AWS account root user; instead, create AWS IAM users
#159 (Accuracy: 100% / 2 votes)
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.
The finding has been flagged as a false positive.
However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.
How can the Security Engineer address the issue?
  • A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
  • B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
  • C. Use GuardDuty filters with auto archiving enabled to close the findings
  • D. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
#160 (Accuracy: 100% / 4 votes)
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.
While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
  • A. Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353
  • B. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
  • C. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
  • D. Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.