Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Page: 2 / 7
Total 231 questions

A company ' s security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team ' s email address to the topic.

What should the security engineer do next to meet these requirements?

A.

Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

B.

Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

C.

Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

D.

Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

A company is undergoing a security audit. The company issues IAM user credentials for an auditor. Because of third-party integration requirements, the auditor is unable to assume an IAM role. The auditor attempts to log in to AWS for the first time to reset the account password and to configure multi-factor authentication (MFA). However, the auditor receives an “Access Denied” error during the attempt to reset the password.

The auditor’s account has the following IAM permissions:

securityhub:Get*

securityhub:List*

securityhub:BatchGet*

securityhub:Describe*

iam:ChangePassword on arn:aws:iam::*:user/${aws:username}

Which action will resolve this error?

A.

The auditor needs to configure MFA before resetting the password.

B.

The auditor must create a more complex password that requires additional characters or symbols.

C.

Add iam:GetAccountPasswordPolicy with Resource: " * " to the auditor’s user account policy.

D.

Add iam:ChangePassword with Resource: " * " to the auditor’s user account policy.

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

A.

Configure an S3 Lifecycle rule to delete objects after 45 days.

B.

Create a Lambda function triggered on object upload to delete old data.

C.

Create a scheduled Lambda function to delete old objects monthly.

D.

Configure S3 Intelligent-Tiering.

A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center. In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets.

A security engineer must implement a solution to prevent the deletion of the CloudFormation stack.

Which solution will meet this requirement?

A.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:UpdateTerminationProtection action for the stack’s ARN. Apply the SCP to the root of the organization.

B.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:DeleteStack action for the stack’s ARN. Apply the SCP to all OUs except the OU that contains the delegated administrator account.

C.

Set the DeletionPolicy attribute to Retain for all resources in the CloudFormation stack. Create an IAM policy that denies the cloudformation:DeleteStack action for the stack’s ARN. Attach the IAM policy to all IAM users and roles in the organization’s management account.

D.

Assign a stack policy to deny updates to stack resources. Create an SCP that denies the cloudformation:UpdateStack action for the stack’s ARN. Apply the SCP to all OUs and the organization’s management account.

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots. The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

Which solution will meet these requirements?

A.

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

B.

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

C.

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

D.

Create a backup plan in AWS Backup. Configure a 5-year retention period.

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization’s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization’s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.

A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC Flow Logs are enabled for all VPCs.

A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

Which solution will meet these requirements?

A.

Monitor CloudTrail logs for API calls to non-standard time servers.

B.

Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.

C.

Monitor VPC Flow Logs for traffic to non-standard time servers.

D.

Monitor VPC Flow Logs for traffic to the Amazon Time Sync Service.

A security engineer configured VPC Flow Logs to publish to Amazon CloudWatch Logs. After 10 minutes, no logs appear. The issue is isolated to the IAM role associated with VPC Flow Logs.

What could be the reason?

A.

logs:GetLogEvents is missing.

B.

The engineer cannot assume the role.

C.

The vpc-flow-logs.amazonaws.com principal cannot assume the role.

D.

The role cannot tag the log stream.

A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

Which solution will meet these requirements?

A.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.

B.

Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.

C.

Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.

D.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization ' s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.