Amazon AWS Certified Security - Specialty SCS-C01
#11 (Accuracy: 100% / 3 votes)
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
- Have the EC2 instances bootstrapped to connect to a backend database.
- Ensure that the database credentials are handled securely.
- Ensure that retrievals of database credentials are logged.

Which of the following is the MOST efficient way to meet these requirements?
  • A. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
  • B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.
  • C. Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
  • D. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
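The logging requirement in #11 is met by AWS CloudTrail rather than by anything on the instance: every Parameter Store read is a management-plane API call, and a SecureString is only disclosed when the call sets withDecryption. The script below is an added example, not part of the exam page. It filters constructed CloudTrail records (the parameter name, account ID, role name and IP addresses are hypothetical) for reads that actually returned the database credential, including the GetParameters and GetParametersByPath variants that a naive filter on GetParameter alone would miss, and flags principals other than the instance role that the bootstrap script is expected to use.

```python
"""Find CloudTrail events that disclosed a SecureString database credential.
Added example for the Parameter Store design in #11; the records below are
constructed, not real logs, and all names and IDs are hypothetical."""
import json

# Hypothetical parameter the EC2 bootstrap script reads with --with-decryption.
DB_PARAM = "/prod/app/db-password"

# Constructed CloudTrail records, trimmed to the fields this filter uses.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:01Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppInstanceRole/i-0abc1234"},
     "requestParameters": {"name": DB_PARAM, "withDecryption": True},
     "sourceIPAddress": "10.0.1.25"},
    {"eventTime": "2024-01-10T08:05:10Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"names": [DB_PARAM, "/prod/app/feature-flag"], "withDecryption": True},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-01-10T08:06:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": DB_PARAM, "withDecryption": False},
     "sourceIPAddress": "198.51.100.4"},
    {"eventTime": "2024-01-10T08:07:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParametersByPath",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"path": "/prod/app", "recursive": True, "withDecryption": True},
     "sourceIPAddress": "198.51.100.9"},
]})

# All three read APIs can return a decrypted SecureString.
READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}


def _names_requested(req):
    """Parameter names a read call asked for; a path becomes a '/'-terminated prefix."""
    if "name" in req:
        return [req["name"]]
    if "names" in req:
        return list(req["names"])
    if "path" in req:
        return [req["path"].rstrip("/") + "/"]
    return []


def _covers(target, param_name):
    """True when the requested name or path prefix includes param_name."""
    return target == param_name or (target.endswith("/") and param_name.startswith(target))


def find_secret_reads(cloudtrail_json, param_name, expected_role=None):
    """Return one record per event that returned the decrypted value of param_name.
    'expected' is True only for the instance role the bootstrap script is meant to use,
    so anything else in the output is a retrieval worth investigating."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") not in READ_EVENTS:
            continue
        req = rec.get("requestParameters") or {}
        if not req.get("withDecryption"):
            continue  # SecureString value was not returned, so nothing was disclosed
        if not any(_covers(t, param_name) for t in _names_requested(req)):
            continue
        arn = rec["userIdentity"]["arn"]
        hits.append({
            "time": rec["eventTime"],
            "principal": arn,
            "api": rec["eventName"],
            "source_ip": rec["sourceIPAddress"],
            "expected": expected_role is not None and f":assumed-role/{expected_role}/" in arn,
        })
    return hits


if __name__ == "__main__":
    for hit in find_secret_reads(SAMPLE_CLOUDTRAIL, DB_PARAM, expected_role="AppInstanceRole"):
        print(("ok      " if hit["expected"] else "REVIEW  ") + json.dumps(hit))
```

Two design points: a read with withDecryption false is ignored because the SecureString ciphertext is returned and the value is not exposed, and a GetParametersByPath on a parent path is counted because it disclosed the credential without ever naming it. The same records also show why the instance role should be scoped to ssm:GetParameter on that one parameter ARN plus kms:Decrypt on its key, so that the expected principal cannot enumerate the path.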
#12 (Accuracy: 100% / 5 votes)
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB.
The company wants to retain full control of the encryption keys.

Which DynamoDB feature should the Engineer use to achieve compliance?
  • A. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
  • B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
  • C. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing.
  • D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
#13 (Accuracy: 91% / 9 votes)
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?
  • A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
  • B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
  • C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
  • D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
#14 (Accuracy: 100% / 4 votes)
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?
  • A. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
  • B. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.
  • C. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
  • D. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
#15 (Accuracy: 100% / 4 votes)
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.

After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
  • A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
  • B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
  • C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
  • D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
#16 (Accuracy: 100% / 7 votes)
A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.
The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers.
It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.
The Security Engineer has verified the following:
1. The rule set in the Security Groups is correct.
2. The rule set in the network ACLs is correct.
3. The rule set in the virtual appliance is correct.
Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)
  • A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  • B. Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
  • C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  • D. Verify the registered targets in the ALB.
  • E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.
#17 (Accuracy: 96% / 7 votes)
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Choose two.)
  • A. AWS Site-to-Site VPN
  • B. AWS Direct Connect
  • C. AWS VPN CloudHub
  • D. VPC peering
  • E. NAT gateway
#18 (Accuracy: 100% / 3 votes)
An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.

A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities.
The solution also must keep the logs for only the required period of 7 years.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
  • A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
  • B. Set the log retention for desired log groups to 7 years.
  • C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
  • D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
  • E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
  • F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.
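The two traps in #18 are that CloudWatch Logs only accepts a fixed set of retention periods (7 years is 2557 days, not 2555) and that a log group's retention has to be set when the group is created, which on an Auto Scaling fleet means the agent itself must do it, because the instance that creates the group may be gone before anyone edits it by hand. The block below is an added example, not from the exam page: it picks the valid retention value for a number of years, emits the logs section of a CloudWatch agent configuration that writes one stream per instance ID and sets retention on each group, and builds the instance-role statements the launch template needs. The application name, file paths, Region and account ID are hypothetical.

```python
"""CloudWatch agent log configuration and instance-role statements for a 7-year
retention requirement. Added example for #18; names, paths, Region and account
ID are hypothetical."""
import json

# Retention periods CloudWatch Logs accepts, in days; PutRetentionPolicy rejects any other value.
VALID_RETENTION_DAYS = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653)


def retention_days_for_years(years):
    """Smallest accepted retention period that covers the requested number of years (7 -> 2557)."""
    needed = round(years * 365.2425)
    for days in VALID_RETENTION_DAYS:
        if days >= needed:
            return days
    raise ValueError(f"CloudWatch Logs cannot retain {years} years; export to S3 instead")


def agent_log_config(app_name, log_files, retention_days):
    """'logs' section of the CloudWatch agent config file.
    One stream per instance ID preserves logs from instances the Auto Scaling group has
    already terminated; retention_in_days makes the agent apply the retention policy at
    the moment it creates each group, so no group is ever left at 'Never expire'."""
    if retention_days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{retention_days} is not a valid CloudWatch Logs retention period")
    return {"logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": path,
         "log_group_name": f"/{app_name}/{label}",
         "log_stream_name": "{instance_id}",
         "retention_in_days": retention_days}
        for label, path in log_files.items()]}}}}


def instance_role_statements(region, account_id, app_name):
    """Least-privilege statements for the role attached to the launch template: the agent
    may create, write and set retention on this application's groups only. DescribeLogGroups
    does not take a per-group resource, so it gets its own statement."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/{app_name}/*"
    return [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogStreams", "logs:PutRetentionPolicy"],
         "Resource": [group_arn, group_arn + ":log-stream:*"]},
        {"Effect": "Allow",
         "Action": "logs:DescribeLogGroups",
         "Resource": "*"},
    ]


if __name__ == "__main__":
    days = retention_days_for_years(7)
    config = agent_log_config(
        "kr-payments",
        {"system": "/var/log/messages", "application": "/var/log/app/app.log"},
        days)
    print(json.dumps(config, indent=2))
    print(json.dumps(instance_role_statements("ap-northeast-2", "123456789012", "kr-payments"), indent=2))
```

Because retention is applied by the agent on every launch, a group that was deleted and recreated during a scaling storm still ends up at 2557 days; setting it once from the console (option B alone) covers only the groups that exist at that moment.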
#19 (Accuracy: 100% / 3 votes)
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.

Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)
  • A. The CMK policy
  • B. The VPC endpoint policy
  • C. The S3 bucket policy
  • D. The S3 ACL
  • E. The IAM policy
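Questions #15 and #19 both turn on how AWS combines several policies into one decision. For a cross-account request (#15) the caller's identity policy in Account A and a resource-based policy in Account B must both allow the call; granting the user in A alone does nothing. Within one account (#19) either the IAM policy or the bucket policy can grant S3 access, but downloading an SSE-KMS object additionally needs kms:Decrypt on the CMK, and a key policy that only names the account root delegates that decision to the user's IAM policy. The block below is an added example, not exam content or an AWS library: a deliberately small model of those rules (no conditions, SCPs, permission boundaries or ACLs) run over constructed policies with hypothetical account IDs, ARNs and names, so that both failure modes can be reproduced and fixed.

```python
"""Simplified model of the authorization checks behind #15 (cross-account S3) and
#19 (SSE-KMS download). Added example; accounts, ARNs and policies are constructed."""
import fnmatch


def _account_of(arn):
    """'arn:aws:iam::111111111111:user/alice' -> '111111111111' (works for STS ARNs too)."""
    return arn.split(":")[4]


def _matches(pattern, value):
    """IAM-style wildcard match; pattern may be a string or a list of strings."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _principal_matches(stmt, principal_arn, allow_root):
    """Resource-based policies name a Principal; identity-based ones do not (the caller is implicit)."""
    p = stmt.get("Principal")
    if p is None or p == "*":
        return True
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    aws = aws if isinstance(aws, list) else [aws]
    accepted = {"*", principal_arn}
    if allow_root:  # naming the account root delegates the decision to that account's IAM policies
        accepted.add(f"arn:aws:iam::{_account_of(principal_arn)}:root")
    return any(a in accepted for a in aws)


def _evaluate(policy, principal_arn, action, resource, allow_root=True):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    result = None
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt, principal_arn, allow_root):
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        result = "Allow"
    return result


def s3_request_allowed(principal_arn, action, resource, identity_policy, bucket_policy, bucket_account):
    """Same account: an Allow in either policy is enough. Cross account: both must allow."""
    ident = _evaluate(identity_policy, principal_arn, action, resource)
    bucket = _evaluate(bucket_policy, principal_arn, action, resource)
    if "Deny" in (ident, bucket):
        return False
    if _account_of(principal_arn) == bucket_account:
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"


def kms_decrypt_allowed(principal_arn, key_arn, key_policy, identity_policy):
    """The key policy is the primary control: it grants the principal directly, or grants the
    account root and thereby lets an IAM policy in that account grant kms:Decrypt."""
    direct = _evaluate(key_policy, principal_arn, "kms:Decrypt", key_arn, allow_root=False)
    via_root = _evaluate(key_policy, principal_arn, "kms:Decrypt", key_arn, allow_root=True)
    iam = _evaluate(identity_policy, principal_arn, "kms:Decrypt", key_arn)
    if "Deny" in (direct, via_root, iam):
        return False
    return direct == "Allow" or (via_root == "Allow" and iam == "Allow")


def can_download_sse_kms_object(principal_arn, object_arn, key_arn, identity_policy,
                                bucket_policy, bucket_account, key_policy):
    """GetObject on an SSE-KMS object needs the S3 decision and kms:Decrypt on the CMK."""
    return (s3_request_allowed(principal_arn, "s3:GetObject", object_arn,
                               identity_policy, bucket_policy, bucket_account)
            and kms_decrypt_allowed(principal_arn, key_arn, key_policy, identity_policy))


# Constructed scenario for #15: Account A user, bucket owned by Account B (hypothetical IDs).
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
USER_A = f"arn:aws:iam::{ACCOUNT_A}:user/acquisition-admin"
BUCKET_B = "arn:aws:s3:::companyb-files"
USER_A_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                "Resource": [BUCKET_B, BUCKET_B + "/*"]}]}
BUCKET_B_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER_A},
                                  "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
                                  "Resource": [BUCKET_B, BUCKET_B + "/*"]}]}

# Constructed scenario for #19: same-account user, SSE-KMS bucket, default root-only key policy.
USER_C = f"arn:aws:iam::{ACCOUNT_B}:user/analyst"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/11111111-2222-3333-4444-555555555555"
ROOT_ONLY_KEY_POLICY = {"Statement": [{"Effect": "Allow",
                                       "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
                                       "Action": "kms:*", "Resource": "*"}]}
ANALYST_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                  "Resource": BUCKET_B + "/*"}]}
ANALYST_WITH_KMS = {"Statement": ANALYST_S3_ONLY["Statement"] +
                    [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}
```

Running the #15 data without a bucket policy in Account B returns False even though Account A's identity policy says s3:*; adding BUCKET_B_POLICY flips it to True, which is why the fix lives in Account B. For #19 the analyst's S3 permissions evaluate as allowed, and the download still fails until kms:Decrypt on the CMK is granted, which in the real console shows up as an AccessDenied from KMS rather than from S3.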
#20 (Accuracy: 91% / 9 votes)
A company is using AWS Secrets Manager to manage database credentials that an application uses to access Amazon DocumentDB (with MongoDB compatibility). The company needs to implement automated password rotation.

Which solution will meet this requirement with the LEAST administrative overhead?
  • A. Create a new AWS Lambda function to manage the password rotation. Turn on automatic password rotation in Secrets Manager. Associate the rotation with the Lambda function.
  • B. Turn on automatic password rotation in Secrets Manager. Configure Secrets Manager to create a new AWS Lambda function to manage the password rotation.
  • C. Use the SecretsManagerRotationTemplate from the AWS Serverless Application Model (AWS SAM) to create a new AWS Lambda function. Change the vpc-config option of the Lambda function to include the subnet IDs where Amazon DocumentDB is hosted.
  • D. Use the SecretsManagerRotationTemplate from the AWS Serverless Application Model (AWS SAM) to create three new AWS Lambda functions: createSecret, setSecret, and testSecret. Change the vpc-config option of all three Lambda functions to include the subnet IDs where Amazon DocumentDB is hosted.