Amazon AWS Certified Security - Specialty SCS-C01
#81 (Accuracy: 100% / 6 votes)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the public subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?
  • A. Outbound SG configuration on database servers; inbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
  • B. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
  • C. Inbound and outbound SG configuration on database servers; inbound and outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
  • D. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
#82 (Accuracy: 100% / 6 votes)
A company has a VPC that contains a publicly accessible subnet and a privately accessible subnet. Both subnets send network traffic that is destined for the company's data center through the public internet.

The public subnet uses Route Table A, which has a default route for network traffic to travel through the internet gateway of the VPC.
The private subnet uses Route Table B, which has a default route for network traffic to travel through a NAT gateway within the VPC. Recently, the company created an AWS Site-to-Site VPN connection to the VPC from one of its data centers. The tunnel is active and is working properly between the customer gateway and the virtual private gateway. The CIDR blocks of the VPC and the data center do not overlap.

According to a new security policy, all network traffic that originates from the VPC and travels to the data center must not travel across the public internet.
A security engineer determines that resources in the public subnet and private subnet are still sending traffic across the public internet to the data center.

Which combination of steps will ensure that all network traffic that originates from the VPC will not use the public internet to communicate with the data center? (Choose two.)
  • A. Adjust the route table for the public subnet to use the NAT gateway as its default route.
  • B. Adjust the route table for the public subnet to use the customer gateway for the data center's CIDR block.
  • C. Adjust the route table for the public subnet to use the virtual private gateway for the data center's CIDR block.
  • D. Adjust the route table for the private subnet to use the customer gateway for the data center's CIDR block.
  • E. Adjust the route table for the private subnet to use the virtual private gateway for the data center's CIDR block.
#83 (Accuracy: 100% / 5 votes)
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.
Which actions must the Security Engineer take to address these audit findings? (Choose three.)
  • A. Ensure CloudTrail log file validation is turned on.
  • B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
  • C. Use an S3 bucket with tight access controls that exists in a separate account.
  • D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
  • E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
  • F. Encrypt the CloudTrail log files with server-side encryption using AWS KMS-managed keys (SSE-KMS).
#84 (Accuracy: 100% / 1 vote)
A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?
  • A. Use AWS WAF with an upgrade to the AWS Business support plan.
  • B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.
  • C. Use AWS Shield Advanced.
  • D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.
#85 (Accuracy: 100% / 6 votes)
A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors.

A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction.
However, the vendors cannot connect to the application.

Which solution will provide the vendors access to the application?
  • A. Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.
  • B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
  • C. Modify the inbound rules on the internet gateway to allow the required ports.
  • D. Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.
#86 (Accuracy: 90% / 7 votes)
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?
  • A. Use envelope encryption with the AWS-managed CMK aws/s3.
  • B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
  • C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
  • D. Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
#87 (Accuracy: 100% / 4 votes)
A company has identified two security concerns. One concern is unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. The other concern is public IP addresses that are assigned to Amazon EC2 instances. A security engineer must build a solution to prevent and remediate these security issues.

What should the security engineer do to meet these requirements with the LEAST amount of effort?
  • A. Use AWS CloudTrail to monitor accounts for noncompliant configurations. Use AWS Lambda functions to evaluate configuration state and perform automated remediation actions.
  • B. Use AWS Config rules to monitor accounts for noncompliant configurations. Use AWS Systems Manager Automation to perform automated remediation actions.
  • C. Use Amazon GuardDuty to monitor accounts for noncompliant configurations. Use AWS Lambda function to perform automated remediation actions.
  • D. Use AWS Systems Manager Compliance to monitor accounts for noncompliant configurations. Use Systems Manager Automation to perform automated remediation actions.
#88 (Accuracy: 100% / 2 votes)
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team’s AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.

What should the security team do to launch the EC2 instance successfully?
  • A. Update the policy that is associated with the federated IAM role to allow the ec2:DescribeImages action for the forensic AMI.
  • B. Update the policy that is associated with the federated IAM role to allow the ec2:StartInstances action in the security team's AWS account.
  • C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
  • D. Update the policy that is associated with the federated IAM role to allow the kms:DescribeKey action for the KMS key that is used to encrypt the forensic AMI.
#89 (Accuracy: 100% / 4 votes)
A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?
  • A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
  • B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
  • C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
  • D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.
#90 (Accuracy: 100% / 6 votes)
A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.

What is the MOST efficient way to meet these requirements?
  • A. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.
  • B. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
  • C. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.
  • D. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.