Amazon AWS Certified Security - Specialty SCS-C01
#71 (Accuracy: 93% / 7 votes)
A company has an organization in AWS Organizations. The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization. The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key. The automation consists of AWS Lambda functions and AWS Step Functions state machines.

The automation assumes an IAM role in the target AWS account.
The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots. The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots. During testing, the automation fails to copy the snapshots into the security team's AWS account.

Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Choose three.)
  • A. In the target AWS account, update the KMS key policy on the AWS managed key to explicitly allow the kms:Decrypt and kms:CreateGrant actions to the automation’s IAM role.
  • B. In the target AWS account, create a customer managed KMS key. Update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions.
  • C. In the security team's AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the AWS managed key.
  • D. In the security team’s AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the customer managed KMS key.
  • E. In the security team's AWS account, update the automation code to take EBS snapshots and to use the AWS managed key.
  • F. In the security team's AWS account, update the automation code to take EBS snapshots and to use the customer managed KMS key.
#72 (Accuracy: 100% / 4 votes)
A company's Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company's AWS accounts in a centralized location to perform the analysis.
How should the Security Engineer do this?
  • A. Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs into the Amazon S3 bucket in the destination account.
  • B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
  • C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
  • D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.
#73 (Accuracy: 100% / 4 votes)
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched.
What could be causing these terminations?
  • A. The IAM user launching those instances is missing ec2:RunInstances permissions
  • B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions
  • C. The instance profile used with the EC2 instances is unable to query instance metadata
  • D. AWS currently does not have sufficient capacity in the Region
#74 (Accuracy: 90% / 5 votes)
A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message: `There is a problem with the bucket policy.`
What will enable the Security Engineer to save the change?
  • A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  • B. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
  • C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  • D. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
#75 (Accuracy: 100% / 6 votes)
A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a Security Engineer resolve these issues?
  • A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
  • B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
  • C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
  • D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
#76 (Accuracy: 100% / 2 votes)
A company uses Microsoft Active Directory for access management for on-premises resources, and wants to use the same mechanism for accessing its AWS accounts. Additionally, the Development team plans to launch a public-facing application for which they need a separate authentication solution.
Which combination of the following would satisfy these requirements? (Choose two.)
  • A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS.
  • B. Establish network connectivity between on-premises and the user's VPC.
  • C. Use Amazon Cognito user pools for application authentication.
  • D. Use AD Connector for application authentication.
  • E. Set up federated sign-in to AWS through ADFS and SAML.
#77 (Accuracy: 100% / 5 votes)
A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Choose three.)
  • A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
  • B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
  • C. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
  • D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
  • E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
  • F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.
#78 (Accuracy: 100% / 7 votes)
A company is observing frequent bursts of unusual traffic to its corporate website. The IP address ranges that inflate the requests keep changing, and the volumes of traffic are increasing.

A security engineer needs to implement a solution to protect the website from a potential DDoS attack.
The solution must track the rate of requests from IP addresses. When the requests from a particular IP address exceed a specific rate, the solution must limit the amount of traffic that can reach the website from that IP address.

Which solution will meet these requirements?
  • A. Set up Amazon Inspector on the backend servers. Create assessment targets with a rate-based configuration to block any offending IP address.
  • B. Create a rate-based rule in AWS WAF to block an IP address when that IP address exceeds the configured threshold rate.
  • C. Identify the offending client IP address ranges. Create a regular rule in AWS WAF to block the offending IP address ranges.
  • D. Create a rate-based rule in Amazon GuardDuty to block an IP address when that IP address exceeds the configured threshold rate.
#79 (Accuracy: 100% / 4 votes)
A website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.
What are some ways the Engineer could achieve this? (Choose three.)
  • A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
  • B. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
  • C. Change the security group configuration to block the source of the attack traffic.
  • D. Use AWS WAF security rules to inspect the inbound traffic.
  • E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
  • F. Use Amazon Route 53 to distribute traffic.
#80 (Accuracy: 100% / 2 votes)
Example.com is hosted on an Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?
  • A. Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
  • B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
  • C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
  • D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.