Amazon AWS Certified Security - Specialty SCS-C01
#61 (Accuracy: 100% / 5 votes)
A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding received read: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.

The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate.

The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?
  • A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
  • B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
  • C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
  • D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
#62 (Accuracy: 100% / 4 votes)
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS Infrastructure.
Which of the following solutions would provide the MOST scalable solution?
  • A. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider.
  • B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
  • C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
  • D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
#63 (Accuracy: 100% / 4 votes)
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never alerted on or reported by the Amazon CloudWatch Logs agent.
Why were there no alerts on the sudo commands?
  • A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
  • B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
  • C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs.
  • D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
#64 (Accuracy: 100% / 4 votes)
A large company wants its Compliance team to audit its Amazon S3 buckets to identify if personally identifiable information (PII) is stored in them. The company has hundreds of S3 buckets and has asked the Security Engineers to scan every bucket.
How can this task be accomplished?
  • A. Configure Amazon CloudWatch Events to trigger Amazon Inspector to scan the S3 buckets daily for PII. Configure Amazon Inspector to publish Amazon SNS notifications to the Compliance team if PII is detected.
  • B. Configure Amazon Macie to classify data in the S3 buckets and check the dashboard for PII findings. Configure Amazon CloudWatch Events to capture Macie alerts and target an Amazon SNS topic to be notified if PII is detected.
  • C. Check the AWS Trusted Advisor data loss prevention page in the AWS Management Console. Download the Amazon S3 data confidentiality report and send it to the Compliance team. Configure Amazon CloudWatch Events to capture Trusted Advisor alerts and target an Amazon SNS topic to be notified if PII is detected.
  • D. Enable Amazon GuardDuty in multiple Regions to scan the S3 buckets. Configure Amazon CloudWatch Events to capture GuardDuty alerts and target an Amazon SNS topic to be notified if PII is detected.
#65 (Accuracy: 100% / 4 votes)
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)
  • A. There is no API operation to retrieve an S3 object in its encrypted form.
  • B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
  • C. S3 uses KMS to generate a unique data key for each individual object.
  • D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
  • E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.
#66 (Accuracy: 100% / 7 votes)
A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK.
What should the Security Engineer do to restore the deleted key material?
  • A. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
  • B. Create a new CMK. Use the original wrapping key and import token to import the original key material.
  • C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
  • D. Use the original wrapping key and import token. Import the original key material into the existing CMK.
#67 (Accuracy: 100% / 5 votes)
A Security Engineer is troubleshooting a connectivity issue between a web server and the logging server in another VPC to which the web server writes its log files. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply.
Which of the following actions could fix this issue?
  • A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server.
  • B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
  • C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.
  • D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.
#68 (Accuracy: 100% / 5 votes)
A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.

A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails.
The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication.

What else should the security engineer check to determine why the request from the EC2 instance is failing?
  • A. Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.
  • B. Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.
  • C. Verify that the internet gateway is allowing traffic to Amazon S3.
  • D. Verify that the VPC endpoint policy is allowing access to Amazon S3.
#69 (Accuracy: 100% / 5 votes)
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.

How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
  • A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
  • B. Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
  • C. Use AWS Single Sign-On to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
  • D. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
#70 (Accuracy: 100% / 4 votes)
A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.

What is the MOST scalable solution that meets these requirements?
  • A. Permissions boundaries in AWS Identity and Access Management (IAM)
  • B. S3 bucket policies
  • C. Tag policies
  • D. SCPs