New Year Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C02 - AWS Certified Security - Specialty

Amazon Web Services SCS-C02 Premium Access     Download Demo    
Page: 8 / 14
Total 467 questions

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.

A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

A.

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

B.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

C.

Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

D.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.

The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.

Which solution meets these requirements?

A.

Create an AWS WAF rate-based rule, and attach it to the ALB.

B.

Update the security group that is attached to the ALB to block the attacking IP addresses.

C.

Update the ALB subnet's network ACL to block the attacking client IP addresses.

D.

Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

A company has a new web-based account management system for an online game Players create a unique username and password to log in to the system.

The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system.

The company's security team finds that the system was the target of a credential stuffing attack Credentials that were exposed in other breaches were used to try to log in to the system

The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future The solution also must minimize impact on legitimate users of the system

Which combination of actions will meet these requirements? (Select TWO.)

A.

Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address

B.

Add the account takeover prevention (ATP) AWS managed rule group to the web ACL Configure the rule group to inspect login requests to the system Block any requests that have the awswaf managed awsatp signal credential_compromised label

C.

Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in

D.

Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses Block any IP addresses that generate many successful logins

E.

Create a custom block response that redirects users to a secure workflow to reset their password inside the system

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions.

What is the SIMPLEST way to meet these requirements?

A.

Enable AWS Trusted Advisor security checks in the AWS Console, tsnd report all security incidents for all regions.

B.

Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

C.

Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

D.

Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing.

The data includes personally identifiable information (Pll). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table.

Which solution will meet this requirement with the MOST operational efficiency?

A.

Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.

B.

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.

C.

Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.

D.

Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.

A company has AWS accounts that are in an organization in AWS Organizations. An Amazon S3 bucket in one of the accounts is publicly accessible.

A security engineer must change the configuration so that the S3 bucket is no longer publicly accessible The security engineer also must ensure that the S3 bucket cannot be made publicly accessible in the future.

Which solution will meet these requirements?

A.

Configure the S3 bucket to use an AWS Key Management Service (AWS KMS) key Encrypt all objects in the S3 bucket by creating a bucket policy that enforces encryption Configure an SCP to deny the s3 GetObject action for the OU that contains the AWS account.

B.

Enable the PublicAccessBlock configuration on the S3 bucket Configure an SCP to deny the s3 GetObject action for the OU that contains the AWS account.

C.

Enable the PublicAccessBlock configuration on the S3 bucket Configure an SCP to deny the s3 PutPublicAccessBlock action for the OU that contains the AWS account.

D.

Configure the S3 bucket to use S3 Object Lock in governance mode Configure an SCP to deny the s3 PutPublicAccessBlock action for the OU that contains the AWS account.

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent

Why were there no alerts on the sudo commands?

A.

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

B.

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

C.

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

D.

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:

Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidldentityToken)

A security engineer needs to provide a solution that corrects the error and min-imizes operational overhead.

Which solution meets these requirements?

A.

Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.

B.

Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CU.

C.

Download the updated SAML metadata file from the identity service provid-er. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

D.

Configure the AWS identity provider entity defined in AWS Identity and Ac-cess Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

A company uses AWS Organizations to manage an organization that consists of three workload OUs Producbon Development and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs Different SCPs are attached to each workload OU.

The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU the update fails The error message reports insufficient 1AM permissions.

What is the FIRST step that a security engineer should take to troubleshoot this issue?

A.

Review the AWS CloudTrail logs in the account in the Production OU Search for any failed API calls from CloudFormation during the deployment attempt.

B.

Remove all the SCPs that are attached to the Production OU Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

C.

Confirm that the role used by CloudFormation has sufficient permissions to create update and delete the resources that are referenced in the CloudFormation template.

D.

Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.

What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select TWO.)

A.

A. Configure and assign an MFA device to the role used by the instances.

B.

B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.

C.

C. Verify that the access key attached to the role used by the instances is active.

D.

D. Attach the AmazonSQSFullAccest. managed policy to the role used by the instances.

E.

E Verify that the role attached to the instances contains policies that allow access to the queue