Amazon AWS Certified Security - Specialty SCS-C01
There are 254 results
#21 (Accuracy: 100% / 4 votes)
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS
Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.

The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.

What could be the reason for the noncompliant status?
  • A. The IAM credential report was generated within the past 4 hours.
  • B. The security engineer does not have the GenerateCredentialReport permission.
  • C. The security engineer does not have the GetCredentialReport permission.
  • D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
#22 (Accuracy: 95% / 7 votes)
A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS.

Which of the following is a valid option for storing SSL/TLS certificates?
  • A. Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)
  • B. Default SSL certificate that is stored in Amazon CloudFront.
  • C. Custom SSL certificate that is stored in AWS Certificate Manager (ACM)
  • D. Default SSL certificate that is stored in Amazon S3
#23 (Accuracy: 92% / 7 votes)
A company's public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only 3 times in any 5-minute period.

Which solution will meet this requirement with the LEAST effort?
  • A. Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.
  • B. Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.
  • C. Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.
  • D. Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.
#24 (Accuracy: 100% / 4 votes)
A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:
-Content-Security-Policy
-X-Frame-Options
-X-XSS-Protection
The Engineer does not have access to the source code of the legacy web application.

Which of the following approaches would meet this requirement?
  • A. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
  • B. Implement an AWS Lambda@Edge origin response function that inserts the required headers.
  • C. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
  • D. Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.
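The approach in option B, as an added example that is not part of the original question bank: a Python Lambda@Edge handler for the CloudFront origin-response event that sets the three headers on every response from the legacy origin. The header values, the sample event and the `overwrite` option are assumptions chosen for illustration.

```python
"""Lambda@Edge origin-response handler that injects HTTP security headers.

Added example for the approach in option B; it is not code from the
original page. The handler is attached to a CloudFront distribution's
origin-response event, so headers are added once when CloudFront fetches
from the legacy origin and are then served from the cache.
The CSP value and the sample event below are assumptions.
"""
import copy

# Lower-cased header name -> (canonical name, value). CloudFront keys the
# headers map by lower-cased name but sends the "key" field to the client.
SECURITY_HEADERS = {
    "content-security-policy": ("Content-Security-Policy",
                                "default-src 'self'; frame-ancestors 'none'"),
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "x-xss-protection": ("X-XSS-Protection", "1; mode=block"),
}


def add_security_headers(response, overwrite=True):
    """Return a copy of a CloudFront response with the security headers set.

    overwrite=True replaces any value the legacy origin sent (the safer
    default when the origin's headers cannot be trusted); overwrite=False
    keeps an origin-supplied value and only fills in missing headers.
    """
    response = copy.deepcopy(response)
    headers = response.setdefault("headers", {})
    for lower_name, (key, value) in SECURITY_HEADERS.items():
        if lower_name in headers and not overwrite:
            continue
        # Lambda@Edge expects a list of {key, value} dicts per header name.
        headers[lower_name] = [{"key": key, "value": value}]
    return response


def handler(event, context):
    """Lambda@Edge entry point: CloudFront passes one record per invocation."""
    response = event["Records"][0]["cf"]["response"]
    return add_security_headers(response)


# Constructed origin-response event: the legacy app sends a permissive
# X-Frame-Options and no CSP at all.
SAMPLE_EVENT = {
    "Records": [{"cf": {
        "config": {"eventType": "origin-response"},
        "response": {
            "status": "200",
            "statusDescription": "OK",
            "headers": {
                "content-type": [{"key": "Content-Type", "value": "text/html"}],
                "x-frame-options": [{"key": "X-Frame-Options", "value": "ALLOWALL"}],
            },
        },
    }}]
}

if __name__ == "__main__":
    for name, values in handler(SAMPLE_EVENT, None)["headers"].items():
        print(f"{values[0]['key']}: {values[0]['value']}")
```

Two deployment details matter in practice: Lambda@Edge functions must be created in us-east-1 and cannot read environment variables, so the header values live in the code as above; and a Content-Security-Policy rolled out blind can break a legacy application, so start with Content-Security-Policy-Report-Only and switch to the enforcing header once the reports are clean.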
#25 (Accuracy: 100% / 5 votes)
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Choose two.)
  • A. Create an AWS Config rule to detect the creation of encrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • B. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
  • D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
  • E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.
#26 (Accuracy: 100% / 10 votes)
An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?
  • A. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
  • B. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
  • C. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
  • D. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
#27 (Accuracy: 100% / 3 votes)
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which action should the Engineer take based on this situation? (Choose three.)
  • A. Use AWS Artifact to capture an exact image of the state of each instance.
  • B. Create EBS Snapshots of each of the volumes attached to the compromised instances.
  • C. Capture a memory dump.
  • D. Log in to each instance with administrative credentials to restart the instance.
  • E. Revoke all network ingress and egress except for to/from a forensics workstation.
  • F. Run Auto Recovery for Amazon EC2.
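The containment steps in options B and E, as an added example that is not part of the original question bank: a Python script that, for each instance ID from the abuse notice, swaps the instance onto a quarantine security group reachable only from a forensics workstation and then snapshots every attached EBS volume. The functions take an EC2 client argument so a real boto3 client can be passed in; the FakeEC2 class is a constructed stand-in that records calls so the sequence can be run offline. The instance ID, volume IDs, VPC ID, case ID and forensics CIDR are assumptions.

```python
"""Containment steps for EC2 instances named in an AWS Abuse notice.

Added example, not from the original page: it scripts the network
isolation (option E) and EBS snapshots (option B) with boto3 calls.
FakeEC2 is a constructed stand-in for boto3.client("ec2") so the flow
runs offline; every ID and CIDR below is an assumption.
"""
from typing import Dict, List


def isolate_instance(ec2, instance_id: str, forensics_cidr: str, case_id: str) -> str:
    """Move the instance onto a quarantine security group and block termination.

    A newly created security group carries an allow-all IPv4 egress rule,
    so it is revoked explicitly; otherwise the host keeps its outbound path.
    (Add a matching ::/0 revoke if the VPC is dual-stack.)
    """
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    vpc_id = desc["Reservations"][0]["Instances"][0]["VpcId"]
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{case_id}-{instance_id}",
        Description=f"forensic isolation for {case_id}", VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    # Only the forensics workstation may reach the host (SSH in), and the
    # host may only talk back to the workstation (to push memory/disk images).
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": forensics_cidr}]}])
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": forensics_cidr}]}])
    # Replacing the whole group list drops every previous group at once.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    # The instance stays running: stopping or rebooting it (option D) would
    # destroy the volatile memory that a later dump (option C) needs.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    return sg_id


def snapshot_attached_volumes(ec2, instance_id: str, case_id: str) -> List[str]:
    """Snapshot every EBS volume on the instance, tagged for the case."""
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    snapshot_ids = []
    for mapping in desc["Reservations"][0]["Instances"][0].get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"forensic copy of {instance_id} for {case_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "case", "Value": case_id},
                {"Key": "source-instance", "Value": instance_id}]}])
        snapshot_ids.append(snap["SnapshotId"])
    return snapshot_ids


def contain(ec2, instance_ids: List[str], forensics_cidr: str, case_id: str) -> Dict[str, dict]:
    """Isolate first (stop the abuse), then preserve the disk evidence."""
    report = {}
    for instance_id in instance_ids:
        sg_id = isolate_instance(ec2, instance_id, forensics_cidr, case_id)
        snaps = snapshot_attached_volumes(ec2, instance_id, case_id)
        report[instance_id] = {"quarantine_sg": sg_id, "snapshots": snaps}
    return report


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: records every call and
    answers with canned IDs. Not a real AWS client."""

    def __init__(self):
        self.calls = []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0], "VpcId": "vpc-0123456789abcdef0",
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}},
                                    {"Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"].split("-")[1]}

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-quarantine"}

    def __getattr__(self, name):  # revoke_/authorize_/modify_ calls
        def record(**kw):
            self.calls.append((name, kw))
            return {}
        return record


if __name__ == "__main__":
    fake = FakeEC2()  # swap for boto3.client("ec2") to run against an account
    print(contain(fake, ["i-0123456789abcdef0"], "10.50.0.0/24", "abuse-2024-001"))
```

The memory dump itself (option C) is taken from the forensics workstation over the one SSH path the quarantine group leaves open; it is not scripted here because the tooling is host-specific. AWS Artifact (option A) only serves compliance reports and has nothing to do with imaging an instance.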
#28 (Accuracy: 100% / 6 votes)
The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements: all incoming traffic to the application must be protected from common web exploits, and all outgoing traffic from the EC2 instances must be restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?
  • A. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • B. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
  • C. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • D. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
#29 (Accuracy: 100% / 6 votes)
A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?
  • A. Enable automatic key rotation annually for the CMK.
  • B. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
  • C. Import new key material to the existing CMK and manually rotate the CMK.
  • D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
#30 (Accuracy: 100% / 2 votes)
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive", "Confidential", and "Restricted". The security solution must meet all of the following requirements:
✑ Each object must be encrypted using a unique key.
✑ Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
✑ AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?
  • A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
  • B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
  • C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
  • D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
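The key-policy part of option A, as an added example that is not part of the original question bank: Python that builds one KMS key policy per classification, adds an explicit Deny on kms:Decrypt without MFA to the "Restricted" key only, and runs a deliberately small, simplified policy evaluator over the result so the effect of the condition can be seen offline. The account ID and role ARN are assumptions, and the evaluator covers only what these policies use (Allow/Deny, principal and action matching, Bool and BoolIfExists).

```python
"""KMS key policies for the three classifications plus a check of the MFA rule.

Added example, not from the original page. The account ID and role name
are assumptions. Annual rotation is a key setting (kms:EnableKeyRotation),
not a policy statement, so it does not appear in the JSON below.
"""
import fnmatch

ACCOUNT = "111122223333"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/document-service"


def key_policy(require_mfa_for_decrypt: bool) -> dict:
    """Admin statement, application statement and, for the Restricted key,
    an explicit Deny on kms:Decrypt when the caller has no MFA."""
    statements = [
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ApplicationUse", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ]
    if require_mfa_for_decrypt:
        # BoolIfExists rather than Bool: long-term access keys carry no
        # aws:MultiFactorAuthPresent key at all, and a plain Bool would let
        # those requests slip past the Deny.
        statements.append(
            {"Sid": "DenyDecryptWithoutMFA", "Effect": "Deny", "Principal": "*",
             "Action": "kms:Decrypt", "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}})
    return {"Version": "2012-10-17", "Statement": statements}


POLICIES = {
    "Sensitive": key_policy(False),
    "Confidential": key_policy(False),
    "Restricted": key_policy(True),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn: str) -> bool:
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in arns or caller_arn in arns


def _action_matches(actions, action: str) -> bool:
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(actions))


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Only Bool and BoolIfExists are implemented (all these policies use)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue      # absent key: ...IfExists counts as a match
                return False      # absent key: plain Bool never matches
            if str(ctx[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policy: dict, caller_arn: str, action: str, ctx: dict) -> str:
    """Simplified key-policy evaluation: an explicit Deny wins over any Allow
    and no matching statement is an implicit deny. Identity policies, grants,
    NotPrincipal/NotAction and Resource matching are ignored."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], caller_arn)
                and _action_matches(stmt["Action"], action)
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for ctx in ({"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, evaluate(POLICIES["Restricted"], APP_ROLE, "kms:Decrypt", ctx))
```

With SSE-KMS the decrypt call is made by S3 on the caller's behalf, so what the Deny sees is the MFA state of the caller's session; a role session obtained with STS AssumeRole plus a SerialNumber/TokenCode carries aws:MultiFactorAuthPresent=true, one obtained without it does not. Rotation is switched on separately with EnableKeyRotation, which is why options B and C (rotation "in" a grant or policy) do not exist, and a key with imported material (option D) cannot use automatic rotation at all.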