Amazon AWS Certified Security - Specialty SCS-C01
There are 254 results
#211 (Accuracy: 100% / 3 votes)
A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow. The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform. The systems engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.

Which solution will meet this requirement?
  • A. Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region in the LogConfiguration property.
  • B. Download and configure the CloudWatch agent on the container instances.
  • C. Set up Fluent Bit and FluentD as a DaemonSet to send logs to Amazon CloudWatch Logs.
  • D. Configure an IAM policy that includes the logs:CreateLogGroup action. Assign the policy to the container instances.
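What option A looks like in practice, as an added example that is not part of the page and not AWS code: a Fargate task definition whose every container uses the awslogs driver pointed at an existing log group, the CloudWatch Logs permissions the task execution role needs for it, and a pre-registration check that flags any container whose logs would not reach that group. The region, account ID, role name, image names and the log group name are constructed placeholders.

```python
"""Amazon ECS on Fargate: send every container's stdout/stderr to an existing
CloudWatch Logs group with the awslogs driver.

Added example, not code from the page or from AWS. Region, account ID, role,
image names and the log group name are constructed placeholders.
"""
import json

REGION = "us-east-1"
ACCOUNT = "111122223333"
LOG_GROUP = "/ecs/qa-app"          # the existing group; the task does not create it


def awslogs_config(stream_prefix: str) -> dict:
    """LogConfiguration block for one container. Fargate supports awslogs,
    awsfirelens and splunk; there is no container instance to run an agent on."""
    return {
        "logDriver": "awslogs",
        "options": {
            "awslogs-group": LOG_GROUP,
            "awslogs-region": REGION,
            # stream name becomes <prefix>/<container name>/<task id>
            "awslogs-stream-prefix": stream_prefix,
        },
    }


def task_definition(images: dict) -> dict:
    """Build a Fargate task definition with logging on every container."""
    return {
        "family": "qa-app",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "512",
        "memory": "1024",
        # The *execution* role is what the awslogs driver uses to write logs.
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
        "containerDefinitions": [
            {"name": name, "image": image, "essential": True,
             "logConfiguration": awslogs_config("qa")}
            for name, image in images.items()
        ],
    }


# Minimum CloudWatch Logs permissions on the execution role for an existing group.
# logs:CreateLogGroup is only needed if awslogs-create-group is set to "true".
EXECUTION_ROLE_LOG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{LOG_GROUP}:*",
    }],
}


def lint_logging(taskdef: dict) -> list:
    """Return one message per container whose logs would not land in LOG_GROUP."""
    problems = []
    for c in taskdef["containerDefinitions"]:
        lc = c.get("logConfiguration")
        if not lc:
            problems.append(f"{c['name']}: no logConfiguration, logs are discarded")
            continue
        if lc.get("logDriver") != "awslogs":
            problems.append(f"{c['name']}: logDriver {lc.get('logDriver')!r} is not awslogs")
            continue
        opts = lc.get("options", {})
        for key in ("awslogs-group", "awslogs-region"):
            if key not in opts:
                problems.append(f"{c['name']}: missing option {key}")
        if opts.get("awslogs-group", LOG_GROUP) != LOG_GROUP:
            problems.append(f"{c['name']}: writes to {opts['awslogs-group']}, not {LOG_GROUP}")
        if opts.get("awslogs-region", REGION) != REGION:
            problems.append(f"{c['name']}: awslogs-region {opts['awslogs-region']} differs from {REGION}")
    return problems


if __name__ == "__main__":
    td = task_definition({"web": f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/qa/web:1.4",
                          "worker": f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/qa/worker:1.4"})
    print(json.dumps(td, indent=2))
    print("problems:", lint_logging(td))
```

The dictionary returned by task_definition is the same shape RegisterTaskDefinition accepts; the lint step is worth running in CI because a container that lacks a logConfiguration registers without error and simply produces no logs.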
#212 (Accuracy: 93% / 5 votes)
A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.

The instance is in a development account within a VPC that is in the us-east-1 Region.
The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.

Which response will immediately mitigate the attack and help investigate the root cause?
  • A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
  • B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
  • C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
  • D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
#213 (Accuracy: 100% / 5 votes)
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?
  • A. Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
  • B. Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
  • C. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1 as the principal.
  • D. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.
#214 (Accuracy: 100% / 2 votes)
A company's security administrator receives an AWS Abuse notification that an IAM user's access key might be compromised. A legacy application uses the IAM user. The security administrator must remediate the potential compromise with the least possible downtime to the application.

Which solution will meet these requirements?
  • A. Delete the IAM user's access key immediately. Create a new access key to update in the legacy application.
  • B. Create a new access key for the IAM user. Update the latest application version to use the new access key. Deactivate the compromised access key.
  • C. Attach an IAM policy to revoke all sessions from before the time of the AWS Abuse notification.
  • D. Update the legacy application to use an IAM role that has the same permissions as the IAM user.
#215 (Accuracy: 100% / 2 votes)
A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company’s operations team manages access to the company's S3 buckets. The company's security team manages access to encryption keys.

The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

Which solution will meet this requirement?
  • A. Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.
  • B. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.
  • C. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.
  • D. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.
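The separation of duties in option B, worked through as an added example that is not part of the page and not AWS code: the operations team's bucket policy grants object access and denies any upload that is not SSE-KMS with the security team's key, while the security team's key policy decides who may actually use that key. A small evaluator (modelling only the operators these two policies use: exact or "*" principals, "*" globs in Action and Resource, and StringEquals, StringNotEquals and Null) shows that an operations role can grant itself GetObject yet still cannot obtain plaintext, because the key policy never lets it call kms:Decrypt. The account ID, role names, key ARN and bucket name are constructed.

```python
"""Separating duties between the S3 bucket owner (operations) and the KMS key
owner (security), checked with a small policy evaluator.

Added example, not code from the page or from AWS. The account ID, ARNs and
bucket name are constructed, and the evaluator models only what the policies
below use: exact or '*' principals, '*' globs in Action/Resource, and the
StringEquals, StringNotEquals and Null condition operators.
"""
import fnmatch

ACCOUNT = "111122223333"
BUCKET = "example-sensitive-data"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OPS = f"arn:aws:iam::{ACCOUNT}:role/ops-admin"
READER = f"arn:aws:iam::{ACCOUNT}:role/data-reader"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/security-key-admin"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"
S3_HDR = "s3:x-amz-server-side-encryption"
KMS_HDR = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Operations team: who may touch objects, and every upload must be SSE-KMS with KEY_ARN.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamAccess", "Effect": "Allow", "Principal": {"AWS": [OPS, READER]},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": OBJECTS},
    {"Sid": "DenyUnencrypted", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": OBJECTS, "Condition": {"Null": {S3_HDR: "true"}}},
    {"Sid": "DenyNonKms", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": OBJECTS, "Condition": {"StringNotEquals": {S3_HDR: "aws:kms"}}},
    {"Sid": "DenyOtherKeys", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": OBJECTS, "Condition": {"StringNotEquals": {KMS_HDR: KEY_ARN}}},
]}

# Security team: the key policy decides who can use the key, and only through S3.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow", "Principal": {"AWS": KEY_ADMIN}, "Resource": "*",
     "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*", "kms:Get*",
                "kms:List*", "kms:Update*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
    {"Sid": "DataReaders", "Effect": "Allow", "Principal": {"AWS": READER}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal):
    p = stmt.get("Principal", "*")
    return p == "*" or principal in _as_list(p.get("AWS", []))


def _condition_matches(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if op == "StringEquals":
                ok = actual is not None and actual in expected
            elif op == "StringNotEquals":   # modelled: an absent key counts as "not equal"
                ok = actual is None or actual not in expected
            elif op == "Null":               # "true" = key must be absent, "false" = present
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True


def evaluate(policy, principal, action, resource, ctx=None):
    """Deny wins over Allow; no matching Allow is an implicit deny."""
    ctx, outcome = ctx or {}, "ImplicitDeny"
    for s in policy["Statement"]:
        if not _principal_matches(s, principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if not _condition_matches(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def upload(principal, headers):
    """Bucket-policy verdict for a PutObject carrying the given SSE request headers."""
    return evaluate(BUCKET_POLICY, principal, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/secret.txt", headers)


def decrypt_via_s3(principal, via_service=True):
    """Key-policy verdict for the kms:Decrypt that S3 makes on the caller's behalf during GetObject."""
    ctx = {"kms:ViaService": "s3.us-east-1.amazonaws.com"} if via_service else {}
    return evaluate(KEY_POLICY, principal, "kms:Decrypt", KEY_ARN, ctx)


if __name__ == "__main__":
    print("ops upload, correct key:", upload(OPS, {S3_HDR: "aws:kms", KMS_HDR: KEY_ARN}))
    print("ops upload, SSE-S3:     ", upload(OPS, {S3_HDR: "AES256"}))
    print("reader decrypt via S3:  ", decrypt_via_s3(READER))
    print("ops decrypt via S3:     ", decrypt_via_s3(OPS))
```

The Null statement and the StringNotEquals statement overlap on purpose, mirroring the AWS documentation's SSE enforcement example, so the outcome for a request with no encryption header does not hinge on how a negated operator treats an absent key. In the contrasting options, SSE-S3 keys are managed entirely by S3 (there is no key policy for the security team to own), and SSE-C keys are never stored in KMS at all.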
#216 (Accuracy: 100% / 3 votes)
A company uses AWS Organizations to manage 20 AWS accounts. The company has a new requirement to enforce IAM access key rotation every 90 days. Currently, the company uses the access keys to connect to Amazon EC2 instances. The company uses the organization's management account to manage the IAM users of all the accounts.

A security administrator needs to develop a solution for the key rotation.

Which solution will meet these requirements?
  • A. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
  • B. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation change sets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
  • C. Add an automatic remediation option to an AWS Systems Manager rule for access key rotation. Create a Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the Systems Manager rule. Link the runbook as the automatic remediation step.
  • D. Add an automatic remediation option to an AWS Systems Manager rule for access key rotation. Create a Systems Manager Automation runbook. Use AWS CloudFormation change sets to deploy the runbook. Invoke an AWS Lambda function to link the runbook as the automatic remediation step.
#217 (Accuracy: 100% / 5 votes)
A company uses Amazon Route 53 to create a public DNS zone for the domain example.com in Account A. The company creates another public DNS zone for the subdomain dev.example.com in Account B. A security engineer creates a wildcard certificate (*.dev.example.com) with DNS validation by using AWS Certificate Manager (ACM). The security engineer validates that the corresponding CNAME records have been created in the zone for dev.example.com in Account B.

After all these operations are completed, the certificate status is still pending validation.

What should the security engineer do to resolve this issue?
  • A. Purchase a valid wildcard certificate authority (CA) certificate that supports managed renewal. Import this certificate into ACM in Account B.
  • B. Add NS records for the subdomain dev.example.com to the Route 53 parent zone example.com in Account A.
  • C. Use AWS Certificate Manager Private Certificate Authority to create a subordinate certificate authority (CA). Use ACM to generate a private certificate that supports managed renewal.
  • D. Resend the email message that requests ownership validation of dev.example.com.
#218 (Accuracy: 100% / 4 votes)
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?
  • A. Replace the KSK with a zone-signing key (ZSK).
  • B. Deactivate and then activate the KSK.
  • C. Create a Delegation Signer (DS) record in the parent hosted zone.
  • D. Create a Delegation Signer (DS) record in the subdomain.
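What the missing Delegation Signer record actually is, as an added example that is not part of the page and not Route 53 code: a DS record is a hash of the child zone's key-signing key, published in the parent zone so that a validating resolver can walk from the parent's signatures to the child's DNSKEY (RFC 4034 section 5 and Appendix B). Route 53 gives you the finished DS record (in the console and in the GetDNSSEC API response), so in practice you copy it; the derivation below reproduces the key tag and SHA-256 digest so the value published at the parent can be checked against the child's DNSKEY. The same rule of "the parent carries the pointer" applies to the plain NS delegation in the previous question. The public key bytes used at the bottom are a constructed placeholder, not a real ECDSA key.

```python
"""Derive the Delegation Signer (DS) record that the parent zone must publish
for a child zone's key-signing key (RFC 4034 section 5 and Appendix B).

Added example, not Route 53 code. The public key bytes used in __main__ are a
constructed placeholder, not a real ECDSA P-256 key.
"""
import hashlib
import struct

KSK_FLAGS = 257        # ZONE (256) + SEP (1): the key-signing key
PROTOCOL = 3           # always 3 for DNSSEC
ECDSAP256SHA256 = 13   # the algorithm Route 53 uses for its KSKs


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, ending in the root label."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes) -> dict:
    """DS RDATA with digest type 2 (SHA-256): the digest covers owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, PROTOCOL, algorithm, public_key)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}


def presentation(ds: dict) -> str:
    """Zone-file form. This line belongs in the parent zone (example.com), not in the child."""
    return (f"{ds['owner']}. IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


if __name__ == "__main__":
    placeholder_key = bytes(range(64))   # constructed; a real P-256 key is 64 bytes of X||Y
    print(presentation(ds_record("dev.example.com", KSK_FLAGS, ECDSAP256SHA256, placeholder_key)))
```

A broken-trust-chain error with a valid DS in the parent usually means the DS digest or key tag does not match the KSK the child is actually signing with (for example after a KSK rotation), which is exactly what recomputing the record from the published DNSKEY exposes.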
#219 (Accuracy: 93% / 8 votes)
A company has decided to use AWS Key Management Service (AWS KMS) for all of its encryption keys. The company plans to create all of its keys as customer managed CMKs and will not import any encryption keys. The company must rotate its encryption keys once every 12 months.

Which solution will meet these requirements?
  • A. Change the customer managed CMK key policy to enable automatic key rotation.
  • B. Use AWS managed CMKs instead of customer managed CMKs so that AWS will rotate the keys automatically.
  • C. Invoke an AWS Lambda function regularly to rotate the backing key of each customer managed CMK.
  • D. Enable automatic key rotation for each customer managed CMK after it has been created in AWS KMS.
#220 (Accuracy: 100% / 3 votes)
A security engineer is attempting to troubleshoot a problem. An application that runs on an Amazon EC2 instance in a VPC cannot communicate with an Amazon RDS DB instance in another subnet of the same VPC. The connection request is timing out.

Which issues could be causing this problem? (Choose two.)
  • A. The application instance’s security group is not allowing outbound traffic.
  • B. The network ACL of the application instance’s subnet is not allowing traffic between the application and the DB instance.
  • C. The VPC’s route table is not configured correctly.
  • D. There is no peering connection between the application and the database.
  • E. The DB instance’s security group is not allowing outbound traffic.
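The mechanics behind the timeout, as an added example that is not part of the page and not AWS code: network ACLs are stateless and get a vote on every packet in both directions, so a subnet ACL that allows inbound 3306 but forgets outbound traffic to the client's ephemeral port drops the SYN-ACK; security groups are stateful, so once the database's group admits the SYN the return traffic is allowed regardless of its outbound rules. The model traces one TCP handshake through both subnets' ACLs and both security groups and reports where it dies. CIDRs, addresses, ports and rule numbers are constructed.

```python
"""Why an EC2-to-RDS connection inside one VPC can time out: network ACLs are
stateless and evaluated in both directions, security groups are stateful.

Added example, not code from the page or from AWS. CIDRs, addresses, ports and
rule numbers are constructed; the model covers TCP and one connection attempt.
"""
import ipaddress
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)   # client-side source ports the SYN-ACK is sent back to


@dataclass
class NaclRule:
    number: int
    action: str      # "allow" or "deny"
    protocol: str    # "tcp" or "all"
    cidr: str
    ports: tuple     # inclusive (low, high)

    def matches(self, ip, proto, port):
        return (self.protocol in ("all", proto)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= port <= self.ports[1])


def nacl_allows(rules, ip, proto, port):
    """Lowest rule number first, first match wins, implicit deny at the end (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, proto, port):
            return rule.action == "allow"
    return False


@dataclass
class Subnet:
    cidr: str
    nacl_inbound: list
    nacl_outbound: list


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # (proto, low, high, source); source is a CIDR or SG name
    egress_all: bool = True                       # the default outbound rule


def sg_allows_inbound(sg, proto, port, src_ip, src_sg):
    for rproto, low, high, source in sg.inbound:
        if rproto not in ("all", proto) or not low <= port <= high:
            continue
        if source == src_sg or ("/" in source and
                                ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)):
            return True
    return False


def trace_connection(app_ip, app_subnet, app_sg, db_ip, db_subnet, db_sg,
                     src_port=40000, dst_port=3306):
    """Return the checkpoints that drop the handshake; an empty list means it completes."""
    failures = []
    # SYN: app -> db:dst_port
    if not app_sg.egress_all:
        failures.append("app SG egress")
    if not nacl_allows(app_subnet.nacl_outbound, db_ip, "tcp", dst_port):
        failures.append(f"app subnet NACL outbound :{dst_port}")
    if not nacl_allows(db_subnet.nacl_inbound, app_ip, "tcp", dst_port):
        failures.append(f"db subnet NACL inbound :{dst_port}")
    if not sg_allows_inbound(db_sg, "tcp", dst_port, app_ip, app_sg.name):
        failures.append(f"db SG inbound :{dst_port} from {app_sg.name}")
    # SYN-ACK: db -> app:src_port. Both security groups already track the flow, so
    # only the stateless NACLs get another vote, now on the ephemeral port.
    if not nacl_allows(db_subnet.nacl_outbound, app_ip, "tcp", src_port):
        failures.append(f"db subnet NACL outbound ephemeral :{src_port}")
    if not nacl_allows(app_subnet.nacl_inbound, db_ip, "tcp", src_port):
        failures.append(f"app subnet NACL inbound ephemeral :{src_port}")
    return failures


# Default network ACL: allow everything both ways.
DEFAULT_NACL = [NaclRule(100, "allow", "all", "0.0.0.0/0", (0, 65535))]
APP_SUBNET = Subnet("10.0.1.0/24", DEFAULT_NACL, DEFAULT_NACL)
APP_SG = SecurityGroup("sg-app")
DB_SG = SecurityGroup("sg-db", inbound=[("tcp", 3306, 3306, "sg-app")])

# A "hardened" DB subnet NACL: inbound 3306 is allowed, but the outbound rule also
# only covers 3306, so the SYN-ACK to the client's ephemeral port is dropped.
DB_NACL_IN = [NaclRule(100, "allow", "tcp", "10.0.1.0/24", (3306, 3306))]
DB_NACL_OUT_BROKEN = [NaclRule(100, "allow", "tcp", "10.0.1.0/24", (3306, 3306))]
DB_NACL_OUT_FIXED = [NaclRule(100, "allow", "tcp", "10.0.1.0/24", EPHEMERAL)]


def scenario(db_nacl_out=DB_NACL_OUT_FIXED, db_sg=DB_SG):
    db_subnet = Subnet("10.0.2.0/24", DB_NACL_IN, db_nacl_out)
    return trace_connection("10.0.1.10", APP_SUBNET, APP_SG, "10.0.2.20", db_subnet, db_sg)


if __name__ == "__main__":
    print("fixed NACL:     ", scenario() or "handshake completes")
    print("broken NACL:    ", scenario(db_nacl_out=DB_NACL_OUT_BROKEN))
    print("missing SG rule:", scenario(db_sg=SecurityGroup("sg-db")))
```

Both a dropped SYN and a dropped SYN-ACK look identical to the application (a connect timeout rather than a refusal), which is why VPC Flow Logs on both ENIs are the quickest way to tell an ACL drop from a security group drop. Within a single VPC there is no peering connection to misconfigure, and the database's own outbound rules never enter into it.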