Amazon AWS Certified Security - Specialty SCS-C01
#241 (Accuracy: 100% / 5 votes)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.

How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
  • A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
  • B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
  • C. Download and run the EC2Rescue for Windows Server utility from AWS.
  • D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.
#242 (Accuracy: 100% / 1 votes)
A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates.
However, the security team does not want the application's EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.
What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?
  • A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
  • B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
  • C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
  • D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.
#243 (Accuracy: 100% / 2 votes)
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
✑ Encryption in transit
✑ Encryption at rest
✑ Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
  • A. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
  • B. Enable a security group for the S3 bucket that allows port 443, but not port 80.
  • C. Set up default encryption for the S3 bucket.
  • D. Enable Amazon CloudWatch Logs for the AWS account.
  • E. Enable API logging of data events for all S3 objects.
  • F. Enable S3 object versioning for the S3 bucket.
#244 (Accuracy: 100% / 3 votes)
An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes.
A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

Which solution would remediate the audit finding while minimizing the effort required?
  • A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
  • B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
  • C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers.
  • D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.
#245 (Accuracy: 100% / 3 votes)
A company wants to analyze Amazon EC2 performance and utilization data in near real time for anomalies. The information that the company needs to analyze is in application logs. All the EC2 instances currently send logs to Amazon CloudWatch Logs.

A security engineer must set up the log aggregation.
The security engineer must collect logs from all the company's AWS accounts into a centralized location to facilitate analysis.

Which solution will meet this requirement?
  • A. Log in to each account four times a day. Filter the required CloudWatch Logs data. Copy and paste the logs into an Amazon S3 bucket that is in the security engineer's account.
  • B. Set up CloudWatch Logs Insights in each account. Use CloudWatch Logs subscriptions to send the CloudWatch Logs Insights query results to the security engineer's account.
  • C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources. View the aggregator data from the security engineer's account.
  • D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to an Amazon Kinesis Data Firehose stream in the security engineer's account.
#246 (Accuracy: 95% / 5 votes)
A security engineer receives an abuse report email message from the AWS Trust and Safety team. The abuse report identifies a resource that appears to be compromised. The abuse report indicates that the resource is an IAM access key that belongs to a DevOps engineer in the security engineer's company. The access key is used in a deployment system that uses AWS Lambda functions to launch AWS CloudFormation stacks.

The security engineer must address the abuse report, prevent any further use of the exposed access key, and implement security best practices.
Which solution will meet these requirements?
  • A. Locate the compromised IAM access key and deactivate or delete the key. Generate new access keys for the Lambda deployment process. Apply the new keys to the deployment system. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.
  • B. Delete or deactivate the compromised IAM access key. Discontinue the use of IAM access keys. Create a new IAM role for the Lambda deployment process. Apply the IAM role to the deployment system Lambda functions. Respond directly to the abuse report message to detail these remediation steps.
  • C. Locate the compromised IAM access key. Delete the IAM user that is associated with the access key. Generate a new access key. Store the new key as an AWS Secrets Manager secret. Encrypt the secret with an AWS Key Management Service (AWS KMS) customer managed key. Update the Lambda functions to retrieve the access key from AWS Secrets Manager at runtime. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.
  • D. Delete or deactivate the compromised IAM access key. Generate and store a new access key as an environmental variable within the configuration of the deployment system's Lambda functions. Respond directly to the abuse report message to detail these remediation steps.
#247 (Accuracy: 100% / 8 votes)
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC.
When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.

How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?
  • A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.
  • B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
  • C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
  • D. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.
#248 (Accuracy: 100% / 2 votes)
A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.

How can the Security Engineer further protect currently running instances?
  • A. Delete the key-pair key from the EC2 console, then create a new key pair.
  • B. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
  • C. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
  • D. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.
#249 (Accuracy: 100% / 1 votes)
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?
  • A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
  • B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
  • C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
  • D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
#250 (Accuracy: 100% / 5 votes)
A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL.
The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?
  • A. Make the following changes to NACL3:
    Add a rule that allows inbound traffic on port 5432 from NACL2.
    Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.
    Remove the default rules that allow all inbound and outbound traffic.
  • B. Make the following changes to NACL3:
    Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
    Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.
    Remove the default rules that allow all inbound and outbound traffic.
  • C. Make the following changes to NACL2:
    Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.
    Remove the default rules that allow all inbound and outbound traffic.
  • D. Make the following changes to NACL2:
    Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.
    Add a rule that allows outbound traffic on port 5432 to the RDS subnets.