Amazon AWS Certified Security - Specialty SCS-C01
#191 (Accuracy: 100% / 4 votes)
A company has a requirement that none of its Amazon RDS resources can be publicly accessible. A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
  • A. Configure RDS event notifications on each RDS resource. Target an AWS Lambda function that notifies AWS Config of a change to the RDS public access setting
  • B. Configure the rds-instance-public-access-check AWS Config managed rule to monitor the RDS resources.
  • C. Configure the Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
  • D. Configure RDS event notifications to post events to an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the SQS queue to an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
  • E. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked by a compliance change event from the rds-instance-public-access-check rule.
  • F. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked when the AWS Lambda function notifies AWS Config of an RDS event change.
#192 (Accuracy: 100% / 4 votes)
A company’s security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket. The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption. Recently, the company changed the key on the S3 bucket to a new KMS key.

Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket.
The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”.

Log files that were written to the S3 bucket before the bucket key was changed are still accessible.
The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets.

What is the MOST likely cause of this error?
  • A. The security engineer’s IAM user does not have encrypt and decrypt permissions for the new KMS key.
  • B. The security engineer’s IAM user does not have administrative permissions for the new KMS key.
  • C. The S3 bucket policy needs modification to allow users to access objects that are encrypted with the new KMS key.
  • D. The S3 bucket policy needs modification to allow the security engineer’s IAM user to access objects in the S3 bucket.
#193 (Accuracy: 100% / 2 votes)
A company’s public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.

The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.
Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)
  • A. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
  • B. Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.
  • C. Configure the ALB to forward only requests that contain the custom HTTP header.
  • D. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
  • E. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).
#194 (Accuracy: 100% / 3 votes)
A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically.

Which solution will meet these requirements with the LEAST amount of effort?
  • A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  • B. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  • C. Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  • D. Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.
#195 (Accuracy: 100% / 2 votes)
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

Which solution will meet this requirement?
  • A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.
  • B. Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
  • C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.
  • D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
#196 (Accuracy: 100% / 2 votes)
A company recently adopted new compliance standards that require all user actions in AWS to be logged. The user actions must be logged for all accounts that belong to an organization in AWS Organizations. The company needs to set alarms that respond when specified actions occur. The alarms must forward alerts to an email distribution list. The alerts must occur in as close to real time as possible.

Which solution will meet these requirements?
  • A. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
  • B. Implement an AWS CloudTrail trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to send messages to an Amazon Simple Queue Service (Amazon SQS) queue.
  • C. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail to store logs in an Amazon S3 bucket. Configure an Amazon EC2 instance to mount the S3 bucket as a file system to ingest new log files that are pushed to the S3 bucket. Configure the EC2 instance also to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when one of the specified actions is found in the logs.
  • D. Implement an AWS CloudTrail trail. Configure the trail to store logs in an Amazon S3 bucket. Each hour, create an AWS Glue Data Catalog that references the S3 bucket. Configure Amazon Athena to initiate queries against the Data Catalog to identify the specified actions in the logs.
#197 (Accuracy: 100% / 4 votes)
A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are running in a single AWS account. No internet connectivity is allowed from any EC2 instances in the account.

A security engineer has configured the relevant settings in Patch Manager.
The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.

Which combination of steps must the security engineer take to meet these requirements? (Choose three.)
  • A. Create a gateway VPC endpoint for com.amazonaws.[region].s3.
  • B. Create VPC endpoints for com.amazonaws.[region].ec2messages and com.amazonaws.[region].ssm.
  • C. Create a NAT gateway.
  • D. Update the route tables to route Systems Manager traffic through the NAT gateway.
  • E. Update the route tables with a route to the gateway VPC endpoint.
  • F. Update the route tables to route the update traffic through the NAT gateway.
#198 (Accuracy: 100% / 2 votes)
A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company’s security team recently received a report about common vulnerability identifiers on the instances.

A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed.
The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.

What should the security engineer do to meet these requirements?
  • A. Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.
  • B. Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.
  • C. Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.
  • D. Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.
#199 (Accuracy: 100% / 4 votes)
A company that builds document management systems recently performed a security review of its application on AWS. The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit. A security engineer must implement a solution that prevents uploads that are not encrypted in transit.

Which solution will meet this requirement?
  • A. Ensure that all client implementations are using HTTPS to upload documents into the application.
  • B. Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.
  • C. Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.
  • D. Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.
#200 (Accuracy: 100% / 2 votes)
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected.

What should a security engineer do to ensure that the EC2 instances are logged?
  • A. Use IPv6 addresses that are configured for hostnames.
  • B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
  • C. Use AWS DNS resolvers for all EC2 instances.
  • D. Configure a third-party DNS resolver with logging for all EC2 instances.