Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Page: 3 / 7
Total 231 questions

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company ' s source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.

Which solution meets these requirements?

A.

Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

B.

Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

C.

Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

D.

Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.

Which solution will provide remote access while meeting these requirements?

A.

Grant access to the EC2 serial console and allow IAM role access.

B.

Enable EC2 Instance Connect and configure security groups accordingly.

C.

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.

D.

Use Systems Manager Automation to temporarily open remote access ports.

A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B. The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet.

Which solution will meet these requirements?

A.

In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.

B.

Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.

C.

Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.

D.

In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

Which solution will prevent direct access to the ALB?

A.

Use AWS PrivateLink with the ALB.

B.

Replace the ALB with an internal ALB.

C.

Restrict ALB listener rules to CloudFront IP ranges.

D.

Require a custom header from CloudFront and validate it at the ALB.

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

A.

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.

B.

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.

C.

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.

D.

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.

Which additional step will meet these requirements?

A.

Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

B.

Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

C.

Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

D.

Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

A company wants to improve the remediation of specific security incidents. Currently, a security engineer performs network isolation manually if traffic from Amazon EC2 instances to known command and control servers is detected. The manual network isolation process is error prone. The security engineer must automate the process.

The security engineer enables Amazon GuardDuty. The security engineer configures instances to be managed by AWS Systems Manager. The security engineer prepares a Systems Manager Automation document to change security groups on selected instances.

Which solution will meet these requirements?

A.

Create a permanent Amazon Detective investigation. Select all resources to monitor. Configure Detective to invoke the Systems Manager document if known command and control traffic is detected.

B.

Set up AWS Config. Use the managed rule ec2-prefix-list-tagged to detect traffic to network prefixes tagged for command and control activity. Configure automatic remediation and select the Automation document.

C.

Enable Systems Manager OpsCenter. Create an Amazon EventBridge rule to transform GuardDuty alerts of command and control traffic for OpsCenter. Use the Automation document for remediation.

D.

Configure AWS Security Hub CSPM. Use NIST SP 800-53 scans to report compromised instances based on NIST alerts. Create an automation rule to invoke the Automation document.

A company uses AWS to run a web application that manages ticket sales in several countries. The company recently migrated the application to an architecture that includes Amazon API Gateway, AWS Lambda, and Amazon Aurora Serverless. The company needs the application to comply with Payment Card Industry Data Security Standard (PCI DSS) v4.0. A security engineer must generate a report that shows the effectiveness of the PCI DSS v4.0 controls that apply to the application. The company ' s compliance team must be able to add manual evidence to the report.

Which solution will meet these requirements?

A.

Enable AWS Trusted Advisor. Configure all the Trusted Advisor checks. Manually map the checks against the PCI DSS v4.0 standard to generate the report.

B.

Enable and configure AWS Config. Deploy the Operational Best Practices for PCI DSS conformance pack in AWS Config. Use AWS Config to generate the report.

C.

Enable AWS Security Hub. Enable the Security Hub PCI DSS security standard. Use the AWS Management Console to download the report from the security standard.

D.

Create an AWS Audit Manager assessment that uses the AWS managed PCI DSS v4.0 standard framework. Add all evidence to the assessment. Generate the report in Audit Manager for download.

A company’s application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company’s organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways.

Which combination of steps should the application team take to meet these requirements? (Select THREE.)

A.

Create an S3 endpoint that has a full-access policy for the application’s VPC.

B.

Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.

C.

Launch the Lambda function. Enable the block public access configuration.

D.

Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.

E.

Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.

F.

Launch the Lambda function in a VPC.

A company has an Amazon RDS database. The database contains sensitive data that is shared across teams in the company. The company needs a solution to detect anomalous logins to the database. The solution must notify an existing Amazon SNS topic when anomalous logins occur.

Which solution will meet these requirements?

A.

Use AWS Trusted Advisor security checks for Amazon RDS. Create an Amazon EventBridge rule to monitor the security checks for status changes. Configure the EventBridge rule to invoke an AWS Lambda function to publish a message to the SNS topic.

B.

Enable AWS AppFabric. Connect AWS AppFabric to the RDS DB instance. Create an Amazon Data Firehose stream as the destination for the AWS AppFabric findings. Create an AWS Lambda function that is invoked by the Firehose stream to publish a message to the SNS topic.

C.

Enable Amazon GuardDuty and configure GuardDuty RDS Protection. Create an Amazon EventBridge rule to monitor GuardDuty findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.

D.

Enable Amazon Inspector. Create an Amazon EventBridge rule to monitor Amazon Inspector findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.