Amazon AWS Certified Security - Specialty SCS-C01
#51 (Accuracy: 100% / 2 votes)
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?
  • A. Remove the instance from the load balancer and terminate it.
  • B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
  • C. Reboot the instance and check for any Amazon CloudWatch alarms.
  • D. Stop the instance and make a snapshot of the root EBS volume.
#52 (Accuracy: 100% / 3 votes)
A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources.
How should the company mitigate this concern?
  • A. Add a template constraint to each product in the portfolio.
  • B. Add a launch constraint to each product in the portfolio.
  • C. Define resource update constraints for each product in the portfolio.
  • D. Update the AWS CloudFormation template backing the product to include a service role configuration.
#53 (Accuracy: 100% / 6 votes)
A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.
What should a security engineer do to troubleshoot this error? (Choose three.)
  • A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.
  • B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
  • C. Ensure the CMK was created before the S3 bucket.
  • D. Ensure the S3 block public access feature is enabled for the S3 bucket.
  • E. Ensure that automatic key rotation is disabled for the CMK.
  • F. Ensure the SCPs within Organizations allow access to the S3 bucket.
#54 (Accuracy: 100% / 4 votes)
A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:
✑ A trusted forensic environment must be provisioned.

✑ Automated response processes must be orchestrated.

Which AWS services should be included in the plan? (Choose two.)
  • A. AWS CloudFormation
  • B. Amazon GuardDuty
  • C. Amazon Inspector
  • D. Amazon Macie
  • E. AWS Step Functions
#55 (Accuracy: 100% / 4 votes)
A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.
Which solution meets these requirements?
  • A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK.
  • B. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
  • C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.
  • D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.
#56 (Accuracy: 92% / 5 votes)
A developer reported that AWS CloudTrail was disabled on their account. A security engineer investigated the account and discovered the event was undetected by the current security solution. The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.
What should the security engineer do to meet these requirements?
  • A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
  • B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
  • C. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
  • D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
#57 (Accuracy: 100% / 4 votes)
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account.
The company wants to allow users from the other accounts to access the .csv file’s content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?
  • A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
  • B. Use S3 Select to restrict access to the .csv file. In AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
  • C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
  • D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
#58 (Accuracy: 90% / 4 votes)
A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC.
The company uses AWS Systems Manager Parameter Store for storing database credentials.
A recent security review highlighted the following issues:
✑ The Lambda function has internet access.

✑ The relational database is publicly accessible.

✑ The database credentials are not stored in an encrypted state.

Which combination of steps should the company take to resolve these security issues? (Choose three.)
  • A. Disable public access to the RDS database inside the VPC.
  • B. Move all the Lambda functions inside the VPC.
  • C. Edit the IAM role used by Lambda to restrict internet access.
  • D. Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
  • E. Edit the IAM role used by RDS to restrict internet access.
  • F. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
#59 (Accuracy: 100% / 2 votes)
A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.
Which combination of steps should the security engineer recommend? (Choose two.)
  • A. Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
  • B. Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
  • C. Change the destination to Amazon CloudWatch Logs.
  • D. Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
  • E. Include the subnet-id and instance-id fields in the log format.
#60 (Accuracy: 100% / 2 votes)
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket.
The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?
  • A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.
  • B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
  • C. Edit the existing trail in the Organizations master account and apply it to the organization.
  • D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.