Amazon AWS Certified Security - Specialty SCS-C01
#231 (Accuracy: 100% / 2 votes)
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139).
The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?
  • A. In the security group of the EC2 instance, allow inbound ICMP traffic.
  • B. In the security group of the EC2 instance, allow outbound ICMP traffic.
  • C. In the VPC's NACL, allow inbound ICMP traffic.
  • D. In the VPC's NACL, allow outbound ICMP traffic.
#232 (Accuracy: 100% / 3 votes)
A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:
✑ HTTPS needs to be enforced for all data in transit with specific ciphers.

✑ The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?
  • A. Set up an S3 bucket policy with the aws:SecureTransport condition key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
  • B. Set up an S3 bucket policy with the aws:SecureTransport condition key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
  • C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
  • D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTP listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.
#233 (Accuracy: 100% / 4 votes)
A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.

Which combination of steps will meet this requirement? (Choose two.)
  • A. Stop the instance. Detach the root volume. Generate a new key pair.
  • B. Keep the instance running. Detach the root volume. Generate a new key pair.
  • C. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.
  • D. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.
  • E. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.
#234 (Accuracy: 100% / 2 votes)
A company has an AWS WAF web ACL. According to a new compliance requirement, the company must configure comprehensive logging of all web ACL requests. The company has created an Amazon S3 bucket to store the logs.

Which combination of steps should the company take next to meet this requirement? (Choose two.)
  • A. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis data stream.
  • B. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
  • C. Configure log filtering for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
  • D. Create an Amazon Kinesis data stream in any AWS Region. Specify the S3 bucket as the destination for the data stream.
  • E. Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream.
#235 (Accuracy: 100% / 5 votes)
A company needs to migrate several applications to AWS. This will require storing more than 5,000 credentials. To meet compliance requirements, the company will use its existing password management system for key rotation, auditing, and integration with third-party secrets containers. The company has a limited budget and is seeking the most cost-effective solution that is still secure.
How should the company accomplish this at the LOWEST cost?
  • A. Configure the company's key management solution to integrate with AWS Systems Manager Parameter Store.
  • B. Configure the company's key management solution to integrate with AWS Secrets Manager.
  • C. Use an Amazon S3 encrypted bucket to store the secrets and configure the applications with the appropriate roles to access the secrets.
  • D. Configure the company's key management solution to integrate with AWS CloudHSM.
#236 (Accuracy: 100% / 6 votes)
A company requires that IP packet data be inspected for invalid or malicious content.
Which of the following approaches achieve this requirement? (Choose two.)
  • A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
  • B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
  • C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
  • D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
  • E. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
#237 (Accuracy: 100% / 2 votes)
A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:
✑ Users may access the website by using an Amazon CloudFront distribution.

✑ Users may not access the website directly by using an Amazon S3 URL.

Which configurations will support these requirements? (Choose two.)
  • A. Associate an origin access identity with the CloudFront distribution.
  • B. Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy.
  • C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
  • D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
  • E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.
#238 (Accuracy: 100% / 3 votes)
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?
  • A. Configure AWS WAF rules to implement the required rules.
  • B. Use the operating system built-in, host-based firewall to implement the required rules.
  • C. Use a NAT gateway to control ingress and egress according to the requirements.
  • D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.
#239 (Accuracy: 100% / 4 votes)
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?
  • A. email.us-east-1.amazonaws.com over port 8080
  • B. email-pop3.us-east-1.amazonaws.com over port 995
  • C. email-smtp.us-east-1.amazonaws.com over port 587
  • D. email-imap.us-east-1.amazonaws.com over port 993
#240 (Accuracy: 100% / 2 votes)
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?
  • A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
  • B. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
  • C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
  • D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.