Amazon AWS Certified Security - Specialty SCS-C01
Prev

There are 254 results

Next
#181 (Accuracy: 100% / 1 votes)
A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?
  • A. Create an IAM role in the production account and allow EC2 instance in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
  • B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
  • C. Create a temporary IAM user for the application to use in the production account.
  • D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these keys on the EC2 instance used by the application in the development account.
#182 (Accuracy: 100% / 1 votes)
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load
Balancer's access logs.

How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
  • A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
  • B. Implement a rate-based rule with AWS WAF.
  • C. Use AWS Shield to limit the originating traffic hit rate.
  • D. Implement the GeoLocation feature in Amazon Route 53.
#183 (Accuracy: 100% / 3 votes)
A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company’s security policies for accessing other AWS resources from Amazon EC2.

A security engineer validates that AWS CloudTrail is turned on in all AWS Regions.
CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.

The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days.
If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).

Which combination of steps should the security engineer take to gather this information? (Choose two.)
  • A. Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.
  • B. Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.
  • C. Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.
  • D. Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.
  • E. Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.
#184 (Accuracy: 100% / 4 votes)
A security engineer is working for a parent company that provides hosting and services to client companies. The parent company maintains an organization in AWS Organizations for all client company accounts. The parent company adds any new accounts to the organization when the new accounts are created. The parent company currently uses IAM users to administer the client company accounts. As more client accounts are added, the administration of the IAM accounts takes more time.

The security engineer must design a solution to reduce the amount of time that the parent company spends on administration and access provisioning for client accounts.


Which combination of steps should the security engineer take to meet these requirements? (Choose two.)
  • A. Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with the IdP as the identity source for AWS SSO.
  • B. Provision an external identity provider (IdP) for each client company. Implement AWS Single Sign-On (AWS SSO) with the IdPs as the identity source for AWS SSO.
  • C. Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with employee IAM roles as the identity source for AWS SSO.
  • D. In the AWS Single Sign-On console, select the users who require access to client accounts. Assign these users to the accounts.
  • E. In the IAM console, select the users who require access to client accounts. Assign these users to the accounts.
#185 (Accuracy: 100% / 1 votes)
A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).
Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)
  • A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
  • B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
  • C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using this CVE rule package on all instances tagged as being in the development environment.
  • D. Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
  • E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.
#186 (Accuracy: 100% / 4 votes)
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The
Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.

What would be the MOST efficient way to achieve these goals?
  • A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
  • B. Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the defined maintenance windows.
  • C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
  • D. Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance window.
#187 (Accuracy: 100% / 2 votes)
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
  • A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
  • B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
  • C. Configure automatic rotation of credentials in AWS Secrets Manager.
  • D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
  • E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
#188 (Accuracy: 94% / 4 votes)
A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work.

Which solution will meet these requirements?
  • A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.
  • B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
  • C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
  • D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
#189 (Accuracy: 100% / 1 votes)
While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.
What should the Security Engineer do to provide the highest level of security for the account?
  • A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
  • B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
  • C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
  • D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
#190 (Accuracy: 100% / 1 votes)
A company is developing a mobile shopping web app. The company needs an environment that is configured to encrypt all resources in transit and at rest.
A security engineer must develop a solution that will encrypt traffic in transit to the company's Application Load Balancer and Amazon API Gateway resources.

The solution also must encrypt traffic at rest for Amazon S3 storage.

What should the security engineer do to meet these requirements?
  • A. Use AWS Certificate Manager (ACM) for encryption in transit. Use AWS Key Management Service for encryption at rest.
  • B. Use AWS Certificate Manager (ACM) for encryption in transit and encryption at rest.
  • C. Use AWS Key Management Service for encryption in transit. Use AWS Certificate Manager (ACM) for encryption at rest.
  • D. Use AWS Key Management Service for encryption in transit and encryption at rest.