Amazon AWS Certified Security - Specialty SCS-C01
#201 (Accuracy: 100% / 3 votes)
The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.
How can the InfoSec team ensure compliance with this mandate?
  • A. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
  • B. Patch all running instances by using AWS Systems Manager.
  • C. Deploy AWS Config rules and check all running instances for compliance.
  • D. Define a metric filter in Amazon CloudWatch Logs to verify compliance.
#202 (Accuracy: 100% / 2 votes)
A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.

Which solution will meet these requirements?
  • A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
  • B. Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.
  • C. Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
  • D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
#203 (Accuracy: 100% / 3 votes)
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?
  • A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
  • B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
  • C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
  • D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
#204 (Accuracy: 100% / 2 votes)
A company’s security engineer must record when specific AWS Lambda functions are invoked. The logs must include the AWS principal that invoked the function. External sources and the company’s developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang. The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.

Which solution will meet these requirements with the LEAST operational overhead?
  • A. Update the Lambda function code to extract the AWS principal from the Lambda context and to write a log entry when the function to be monitored is invoked.
  • B. Use Amazon EventBridge (Amazon CloudWatch Events) to configure a rule and custom pattern for lambda:invoke events with a filter on the functions to monitor. Invoke another Lambda function to write the EventBridge (CloudWatch Events) data to Amazon CloudWatch Logs.
  • C. Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.
  • D. Create a Lambda layer that provides CloudTrail with a log event that includes the Lambda context when the function is invoked. Attach this layer to all Lambda functions that must be monitored.
#205 (Accuracy: 100% / 4 votes)
A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.
Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?
  • A. One in the US West (Oregon) region and one in the US East (Virginia) region.
  • B. Two in the US West (Oregon) region and none in the US East (Virginia) region.
  • C. One in the US West (Oregon) region and none in the US East (Virginia) region.
  • D. Two in the US East (Virginia) region and none in the US West (Oregon) region.
#206 (Accuracy: 100% / 3 votes)
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses.

Which solution will meet these requirements?
  • A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
  • B. Add a rule to all security groups to deny the incoming requests from the IP address range.
  • C. Modify the AWS WAF web ACL with a rate-based rule statement to deny incoming requests from the IP address range.
  • D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.
#207 (Accuracy: 100% / 2 votes)
A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations. The company must create a KMS key and automate the rotation of the key. The company also needs the ability to deactivate the key and schedule the key for deletion.

Which solution will meet these requirements?
  • A. Create an asymmetric customer managed KMS key. Enable automatic key rotation.
  • B. Create a symmetric customer managed KMS key. Disable the envelope encryption option.
  • C. Create a symmetric customer managed KMS key. Enable automatic key rotation.
  • D. Create an asymmetric customer managed KMS key. Disable the envelope encryption option.
#208 (Accuracy: 100% / 2 votes)
A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?
  • A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
  • B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
  • C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
  • D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.
#209 (Accuracy: 100% / 4 votes)
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?
  • A. The ACL in the bucket needs to be updated
  • B. The IAM policy does not allow the user to access the bucket
  • C. It takes a few minutes for a bucket policy to take effect
  • D. The allow permission is being overridden by the deny
#210 (Accuracy: 100% / 3 votes)
A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?
  • A. Configure the S3 Block Public Access feature for the AWS account.
  • B. Configure the S3 Block Public Access feature for all objects that are in the bucket.
  • C. Deactivate ACLs for objects that are in the bucket.
  • D. Use AWS PrivateLink for Amazon S3 to access the bucket.