Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Page: 6 / 7
Total 231 questions

A company uses an incident response team to troubleshoot incidents. The incident response team must use temporary credentials from AWS STS for cross-account IAM role access when troubleshooting. Occasionally, each team member will need to respond to multiple different types of incidents simultaneously. Based on the type of incident, the company wants to dynamically assign minimal permissions to whichever team member responds.

Which solution will meet these requirements?

A.

Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a session policy.

B.

Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a permissions boundary.

C.

Do not assign any permissions to the cross-account role initially. Assign a session policy to the role being assumed with the required permission for that type of incident.

D.

Use an AWS Lambda function for each incident. Configure the function to create a temporary cross-account role that uses the AWS managed policy AWSSecurityIncidentResponseServiceRolePolicy. Reduce the scope of those permissions by using a permissions boundary.

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.

Which solution meets these requirements with the LEAST operational effort?

A.

Designate a GuardDuty administrator account and enable protections.

B.

Centralize CloudWatch logs and use Inspector.

C.

Centralize CloudTrail logs and query with Athena.

D.

Stream logs to Kinesis and process with Lambda.

A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office. The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances.

Which solution will meet these requirements?

A.

Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to grant the required permissions. Use the AWS CLI to open a tunnel to connect to the instances.

B.

Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to the ec2-instance-connect command user. Use the AWS Management Console to connect to the EC2 instances.

C.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS CLI to open a tunnel to connect to the instances.

D.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS Management Console to connect to the EC2 instances.

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization ' s delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

The company is performing control tests on specific GuardDuty findings to make sure that the company ' s security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain,example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

Why was the finding not created in the Security Hub delegated administrator account?

A.

VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B.

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C.

The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D.

Cross-Region aggregation in Security Hub was not configured.

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

A.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

B.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

C.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

D.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

A company needs to scan all AWS Lambda functions for code vulnerabilities.

A.

Use Amazon Macie.

B.

Enable Amazon Inspector Lambda scanning.

C.

Use GuardDuty and Security Hub.

D.

Use GuardDuty Lambda Protection.

A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets. The company needs to replicate the S3 objects from the company ' s primary AWS Region to a secondary Region to meet disaster recovery requirements. The company must also ensure that users who have administrator access cannot permanently delete the data in the secondary Region.

Which solution will meet these requirements?

A.

Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region.

B.

Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.

C.

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region.

D.

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.

A company ' s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled and stores logs in Amazon S3 and Amazon CloudWatch Logs.

The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked.

Which set of actions will identify the suspect attacker ' s IP address for future occurrences?

A.

Configure VPC Flow Logs on the subnet where the ALB is located and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.

B.

Configure the CloudWatch agent on the ALB and send application logs to CloudWatch Logs.

C.

Configure the ALB to export access logs to an Amazon OpenSearch Service cluster and search for the new-user-creation.php occurrences.

D.

Configure the web ACL to send logs to Amazon Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.

Which solution meets these requirements?

A.

Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

B.

Enable AWS CloudTrail data event logging. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

C.

Configure AWS Config rules to log access to the objects stored in the S3 bucket.

D.

Enable Amazon Macie to log access to the objects stored in the S3 bucket.

A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization. The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization ' s accounts. The findings must be visible from a single location.

Which solution will meet these requirements?

A.

Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.

B.

Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.

C.

In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

D.

In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.