Amazon AWS Certified Security - Specialty SCS-C01
#161 (Accuracy: 100% / 3 votes)
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.
What solution should the Engineer use to implement the appropriate access restrictions for the application?
  • A. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
  • B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
  • C. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
  • D. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
#162 (Accuracy: 100% / 4 votes)
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.

The application is generating logs.
However, when the security engineer queries CloudWatch, the logs do not appear.

Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)
  • A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
  • B. Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
  • C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
  • D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.
  • E. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.
  • F. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.
#163 (Accuracy: 100% / 5 votes)
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?
  • A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  • B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
  • C. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
  • D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
#164 (Accuracy: 100% / 3 votes)
A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not.
What is the MOST likely cause?
  • A. The log files fail integrity validation and automatically are marked as unavailable.
  • B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  • C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  • D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
#165 (Accuracy: 100% / 5 votes)
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store.
The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
  • A. Create a custom authorization service using AWS Lambda.
  • B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
  • C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
  • D. Configure an Amazon Cognito identity pool to integrate with social login providers.
  • E. Update DynamoDB to store the user email addresses and passwords.
  • F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
#166 (Accuracy: 100% / 3 votes)
The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?
  • A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
  • B. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
  • C. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
  • D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.
#167 (Accuracy: 100% / 4 votes)
A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?
  • A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
  • B. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
  • C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
  • D. Use key policies to restrict access to the appropriate IAM groups.
#168 (Accuracy: 100% / 4 votes)
The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.
Which of the following actions will resolve the access denied error?
  • A. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
  • B. Update the Lambda configuration to launch the function in a VPC.
  • C. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
  • D. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.
#169 (Accuracy: 100% / 4 votes)
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing.
This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?
  • A. GuardDuty did not have the appropriate alerts activated.
  • B. GuardDuty does not see these DNS requests.
  • C. GuardDuty only monitors active network traffic flow for command-and-control activity.
  • D. GuardDuty does not report on command-and-control activity.
#170 (Accuracy: 100% / 2 votes)
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?
  • A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
  • B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
  • C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
  • D. The version of the Lambda function that was executed was not current.