Amazon AWS Certified Security - Specialty SCS-C01
#41 (Accuracy: 100% / 5 votes)
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.
Which steps should the security engineer take to meet these requirements?
  • A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
  • B. Ensure that AWS Trusted Advisor is enabled in the account, and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
  • C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
  • D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub, and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket.
#42 (Accuracy: 100% / 6 votes)
A company's development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's AWS services. The solution must minimize management overhead.
How should the security team prevent privilege escalation for both teams?
  • A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  • B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
  • C. Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
  • D. Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
#43 (Accuracy: 100% / 2 votes)
An application team is developing an internal application in its AWS account. Employees will use the application to access their employee benefits information. The application has an Amazon S3 bucket that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The application team has configured an S3 gateway VPC endpoint for the application to use.

During testing, an IAM user is unable to download objects from the S3 bucket by using the AWS Management Console.
However, other IAM users in the same AWS account can download objects from the S3 bucket.

Which policies or ACL should a security engineer review and modify to resolve this issue? (Choose three.)
  • A. The KMS customer managed key policy.
  • B. The S3 VPC endpoint policy.
  • C. The S3 bucket policy.
  • D. The S3 ACL.
  • E. The IAM policy.
  • F. The KMS VPC endpoint policy.
#44 (Accuracy: 100% / 4 votes)
A web application gives users the ability to log in, verify their membership’s validity, and browse artifacts that are stored in an Amazon S3 bucket. When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example.com.

What is the MOST secure way for a security engineer to implement this functionality?
  • A. Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.
  • B. Implement an IAM policy to give the user read access to the S3 bucket.
  • C. Create an S3 presigned URL. Provide the S3 presigned URL to the user through the application.
  • D. Create an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.
#45 (Accuracy: 100% / 2 votes)
A company's application uses Amazon DynamoDB to store data. The company's security policy requires all data to be encrypted at rest. The security policy also requires the company to use an on-premises hardware security module (HSM) to generate and manage the company's encryption keys.

A security engineer uses the on-premises HSM to generate an encryption key.

What should the security engineer do next to meet these requirements?
  • A. Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.
  • B. Generate a new AWS Key Management Service (AWS KMS) customer managed key. Import the new key material. Create a new DynamoDB table, and select the new key as the encryption key. Disable the KMS key after table creation. Import the data into DynamoDB.
  • C. Generate a new AWS Key Management Service (AWS KMS) AWS managed key. Import the new key material. Grant DynamoDB access to use the key. Create a new DynamoDB table, and select the new key as the encryption key. Import the data into DynamoDB.
  • D. Generate a new AWS Key Management Service (AWS KMS) AWS managed key. Import the new key material. Use the AWS SDK integration with AWS KMS to encrypt the data locally by using the new KMS key. Create a new DynamoDB table, and select the new key as the encryption key. Disable the KMS key after table creation. Import the data into DynamoDB.
#46 (Accuracy: 100% / 3 votes)
A company wants to protect its website from man-in-the-middle attacks by using Amazon CloudFront.

Which solution will meet these requirements with the LEAST operational overhead?
  • A. Use the SimpleCORS managed response headers policy.
  • B. Use a Lambda@Edge function to add the Strict-Transport-Security response header.
  • C. Use the SecurityHeadersPolicy managed response headers policy.
  • D. Include the X-XSS-Protection header in a custom response headers policy.
#47 (Accuracy: 100% / 2 votes)
A company's security engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)
  • A. Configuring AWS Organizations to monitor root user API calls on the paying account
  • B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
  • C. Configuring Amazon Inspector to scan the AWS account for any root user activity
  • D. Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
  • E. Using Amazon SNS to notify the target group
#48 (Accuracy: 90% / 6 votes)
A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from a small number of client IP addresses, but the addresses change regularly.
The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.

Which solution meets these requirements?
  • A. Create an AWS WAF rate-based rule, and attach it to the ALB.
  • B. Update the security group that is attached to the ALB to block the attacking IP addresses.
  • C. Update the ALB subnet's network ACL to block the attacking client IP addresses.
  • D. Create an AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.
#49 (Accuracy: 100% / 5 votes)
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS).
This solution will also handle volatile traffic patterns.
Which solution would have the MOST scalability and LOWEST latency?
  • A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
  • B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
  • C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
  • D. Configure Amazon Route to use multivalue answer routing to send traffic to the containers.
#50 (Accuracy: 100% / 5 votes)
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.
What should the security engineer recommend?
  • A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
  • B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
  • C. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
  • D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.