Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Page: 4 / 7
Total 231 questions

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

A.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.

B.

Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.

C.

Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.

Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application. The application processes sensitive data and has the following compliance requirements:

• No remote access management ports to the EC2 instances can be exposed internally or externally.

• All remote session activity must be recorded in an audit log.

• All remote access to the EC2 instances must be authenticated and authorized by AWS IAM Identity Center.

The company ' s DevOps team occasionally needs to connect to one of the EC2 instances to troubleshoot issues.

Which solution will provide remote access to the EC2 instances while meeting the compliance requirements?

A.

Grant access to the EC2 serial console at the account level.

B.

Enable EC2 Instance Connect and configure security group rules.

C.

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager. Assign the policy to an IAM role of the DevOps team.

D.

Use AWS Systems Manager Automation runbooks to open remote access ports.

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.

What should the company do to properly encrypt the snapshot in us-west-1?

A.

Store the customer managed key in AWS Secrets Manager in us-west-1.

B.

Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.

C.

Create an IAM policy to allow access to the key in us-east-1 from us-west-1.

D.

Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

A.

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

B.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

C.

Revoke the IAM role’s active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

D.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

A.

Integrate with Cognito identity pools and use GetId to obtain AWS credentials.

B.

Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.

C.

Integrate with Cognito user pools and use the ID token to obtain AWS credentials.

D.

Integrate with Cognito user pools and use the access token to obtain AWS credentials.

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution toprevent CloudTrail from being disabled.

Which solution will meet this requirement?

A.

Enable CloudTrail log file integrity validation from the organization ' s management account.

B.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

C.

Create a service control policy (SCP) that includes an explicitDenyrule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

D.

Create IAM policies for all the company ' s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows thekms:Decryptpermission to the customer managed key. The IAM policy also allows thes3:List* ands3:Get* permissions for the S3 bucket and its objects.

Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

A.

The IAM policy needs to allow thekms:DescribeKeypermission.

B.

The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.

C.

An S3 bucket policy needs to be added to allow the IAM user to access the objects.

D.

The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules.

Which solution will meet these requirements?

A.

Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.

B.

Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.

C.

Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.

D.

Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.

Which solution will meet these requirements with the LEAST operational effort?

A.

Install a third-party security add-on.

B.

Enable AWS Security Hub and monitor Kubernetes findings.

C.

Monitor CloudWatch Container Insights metrics for EKS.

D.

Enable Amazon GuardDuty and use EKS Audit Log Monitoring.

A company is using Amazon EC2 instances to host an application in a private subnet in a VPC. The application needs to use AWS KMS.

What is the MOST secure way for a security engineer to meet this requirement?

A.

Attach an internet gateway to the VPC. Move the EC2 instances to a public subnet. Use the internet gateway to connect to AWS KMS.

B.

Create a gateway VPC endpoint. Use the endpoint to connect to AWS KMS.

C.

Attach a NAT gateway to the VPC. Leave the EC2 instances in the private subnet. Use the NAT gateway to connect to AWS KMS.

D.

Create an interface VPC endpoint. Use the endpoint to connect to AWS KMS.