Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Page: 5 / 7
Total 231 questions

A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.

Which solution will meet these requirements?

A.

Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.

B.

Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.

C.

Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).

D.

Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

A.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

Which solution will meet this requirement?

A.

Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms that respond to Macie findings.

B.

Use Amazon Inspector to review resources and invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

C.

Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager metrics for an active DDoS event.

D.

Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced metrics for an active DDoS event.

A company uses AWS Organizations. The company subscribes to AWS Shield Advanced. The company must share third-party firewall logs from all its accounts with the Shield Response Team. The company stores the logs in an Amazon S3 bucket that uses server-side encryption with S3 managed keys (SSE-S3).

Which combination of steps will meet these requirements? (Select TWO.)

A.

Use the aws shield associate-drt-log-bucket command to grant the Shield Response Team access to the bucket.

B.

Configure multi-account support by creating a delegated administrator account for Shield Advanced.

C.

In the delegated administrator account, configure Shield Advanced to forward events to AWS Security Hub CSPM.

D.

Create an IAM role and attach the AWSShieldDRTAccessPolicy policy. Create a trust policy with the drt.shield.amazonaws.com service principal.

E.

Configure auto-enable preferences in Organizations to enable Shield Advanced as the organization adds new member accounts.

A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU. Except for some desired global services, the AWS usage must occur only in theeu-west-1Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU.

Which SCP will meet these requirements?

A.

Deny with NotAction, but uses StringEquals for aws:RequestedRegion = eu-west-1

B.

Allow with Action, scoped to desired global services in eu-west-1

C.

Deny with NotAction for desired global services, and StringNotEquals aws:RequestedRegion = eu-west-1

D.

Allow with NotAction and StringNotEquals aws:RequestedRegion = eu-west-1

A company sends Apache logs from EC2 Auto Scaling instances to a CloudWatch Logs log group with 1-year retention. A suspicious IP address appears in logs. A security engineer needs to analyze the past week of logs to count requests from that IP and list requested URLs.

What should the engineer do with the LEAST effort?

A.

Export to S3 and use Macie.

B.

Stream to OpenSearch and analyze.

C.

Use CloudWatch Logs Insights with queries.

D.

Export to S3 and use AWS Glue.

A company requires a specific software application to be installed on all new and existing Amazon EC2 instances across an AWS Organization. SSM Agent is installed and active.

How can the company continuously monitor deployment status of the software application?

A.

Use AWS Config organization-wide with the ec2-managedinstance-applications-required managed rule and specify the application name.

B.

Use approved AMIs rule organization-wide.

C.

Use Distributor package and review output.

D.

Use Systems Manager Application Manager inventory filtering.

A corporate cloud security policy states that communications between the company ' s VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Select TWO.)

A.

Add theaws:sourceVpcecondition to the AWS KMS key policy referencing the company ' s VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for AWS KMS withprivate DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E.

Add the following condition to the AWS KMS key policy: " aws:SourceIp " : " 10.0.0.0/16 " .

A security engineer discovers that a company ' s user passwords have no required minimum length. The company is using the following two identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed

Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Select TWO.)

A.

Update the password length policy in the IAM configuration.

B.

Update the password length policy in the Cognito configuration.

C.

Update the password length policy in the on-premises Active Directory configuration.

D.

Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.

E.

Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.

A company operates an Amazon EC2 instance that is registered as a target of a Network Load Balancer (NLB). The NLB is associated with a security group. The security group allows inbound TCP traffic on port 22 from 10.0.0.0/23.

The company maps the NLB to two subnets that share the same network ACL and route table. The route table has a route for 0.0.0.0/0 to an internet gateway. The network ACL has one inbound rule that has a priority of 20 and that allows TCP traffic on port 22 from 10.0.0.0/16.

A security engineer receives an alert that there is an unauthorized SSH session on the EC2 instance. The unauthorized session originates from 10.0.1.5. The company ' s incident response procedure requires unauthorized SSH sessions to beimmediately interrupted. The instance must remain running, and its memory must remain intact.

Which solution will meet these requirements?

A.

Restart the EC2 instance from either the AWS Management Console or the AWS CLI.

B.

Add a new inbound rule that has a priority of 10 to the network ACL to deny TCP traffic on port 22 from 10.0.1.5.

C.

Remove the security group rule that allows inbound TCP traffic on port 22 from 10.0.0.0/16.

D.

Update the route table to remove the route to the internet gateway.