Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Page: 1 / 7
Total 231 questions

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

" Version " : " 2012-10-17 " ,

" Id " : " key-policy-ebs " ,

" Statement " : [

{

" Sid " : " Enable IAM User Permissions " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:root "

},

" Action " : " kms:* " ,

" Resource " : " * "

},

{

" Sid " : " Allow use of the key " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "

},

" Action " : [

" kms:Encrypt " ,

" kms:Decrypt " ,

" kms:ReEncrypt* " ,

" kms:GenerateDataKey* " ,

" kms:DescribeKey " ,

" kms:CreateGrant " ,

" kms:ListGrants " ,

" kms:RevokeGrant "

],

" Resource " : " * " ,

" Condition " : {

" StringEquals " : {

" kms:ViaService " : " ec2.us-west-2.amazonaws.com "

}

}

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

A.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change StringEquals to StringLike.

B.

In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions " . Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application ' s users will come from France. When the company launches the application, the company ' s security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France. The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request.

Which combination of steps will meet these requirements? (Select TWO.)

A.

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

B.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

C.

Configure an app client for the application ' s Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.

D.

Update the application ' s Amazon Cognito user pool to configure a geographic restriction setting.

E.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

A.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

B.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

C.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

D.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

E.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.

A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.

Which solution will meet these requirements?

A.

Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team’s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.

B.

Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.

C.

Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.

D.

Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.

A company runs critical workloads in an on-premises data center. The company wants to implement an AWS based disaster recovery (DR) solution that will achieve an RTO of less than 1 hour. The company needs to continuously replicate physical and virtual servers. The company must optimize costs for data storage and bandwidth usage. The DR solution must be automated.

Which solution will meet these requirements?

A.

Use AWS Backup to directly replicate the on-premises servers to AWS. Enable cross-Region backup copying and data vaulting. Configure recovery points to match the defined RTO. Use AWS Step Functions to automate recovery steps.

B.

Configure an AWS Storage Gateway Volume Gateway to use Amazon Elastic Block Store (Amazon EBS) snapshots for recovery. Configure AWS Backup to manage the snapshots. Create automated recovery procedures.

C.

Enable AWS Elastic Disaster Recovery. Configure replication agents to continuously replicate each on-premises server. Enable the default staging area subnet configuration.

D.

Create an AWS Direct Connect connection between the on-premises data center and AWS. Configure Amazon EventBridge to monitor for failures and to invoke AWS Lambda functions that launch preconfigured Amazon EC2 instances from AMIs in the event of an incident.

A security engineer for a company needs to design an incident response plan that addresses compromised IAM user account credentials. The company uses an organization in AWS Organizations and AWS IAM Identity Center to manage user access. The company uses a delegated administrator account to implement AWS Security Hub. The delegated administrator account contains an organizational trail in AWS CloudTrail that logs all events to an Amazon S3 bucket. The company has also configured an organizational event data store that captures all events from the trail.

The incident response plan must provide steps that the security engineer can take to immediately disable any compromised IAM user when the security engineer receives a notification of a security incident. The plan must prevent the IAM user from being used in any AWS account. The plan must also collect all AWS actions that the compromised IAM user performed across all accounts in the previous 7 days.

Which solution will meet these requirements?

A.

Disable the compromised IAM user in the organization management account. Use Amazon Athena to query the organizational CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.

B.

Remove all IAM policies that are attached to the IAM user in the organization management account. Use AWS Security Hub to query the CloudTrail logs for actions that the IAM user performed in the previous 7 days.

C.

Remove any permission sets that are assigned to the IAM user in IAM Identity Center. Use Amazon CloudWatch Logs Insights to query the CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.

D.

Disable the IAM user’s access in IAM Identity Center. Use AWS CloudTrail to query the organizational event data store for actions that the IAM user performed in the previous 7 days.

A company uses AWS Lambda functions to implement application logic. The company uses an organization in AWS Organizations to manage hundreds of AWS accounts. The company needs to implement a solution to continuously monitor the Lambda functions for vulnerabilities in all accounts. The solution must publish detected issues to a dashboard. Lambda functions that are being tested or are in development must not appear on the dashboard.

Which combination of steps will meet these requirements? (Select TWO.)

A.

Designate a delegated Amazon GuardDuty administrator account in the organization’s management account. Use the GuardDuty Summary dashboard to obtain an overview of Lambda functions that have vulnerabilities.

B.

Designate a delegated Amazon Inspector administrator account in the organization’s management account. Use the Amazon Inspector dashboard to obtain an overview of Lambda functions that have vulnerabilities.

C.

Apply tags of “test” or “development” to all Lambda functions that are in testing or development. Use a suppression filter that suppresses findings that contain these tags.

D.

Enable AWS Shield Advanced in the organization’s management account. Use Amazon CloudWatch to build a dashboard for Lambda functions that have vulnerabilities.

E.

Enable Lambda Protection in GuardDuty for all accounts. Auto-enable Lambda Protection for new accounts. Apply a tag to the Lambda functions that are in testing or development. Use GuardDutyExclusion as the tag key and LambdaStandardScanning as the tag value.

A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company’s security policy requires that connections to Amazon S3 are over a private network and are secure.

The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway. Other resources in the VPC use this private subnet to access the internet successfully. When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3.

What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3?

A.

Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses.

B.

Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses.

C.

Adjust the gateway VPC endpoint policy to allow access from the Lambda function’s network interface address.

D.

Configure the Lambda function’s security group to allow connections to the S3 network address space.

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

A.

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.

Create a new internal ALB and delete the internet-facing ALB.

C.

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal.

A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers namedDevOpsin the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining developer can see the permissions set in the AWS access portal.

Which solution will meet this requirement?

A.

Add the remaining developer to the DevOps group in Directory Service.

B.

Remove and then re-add the permissions set in the member account.

C.

Add the service-linked role for organization to the member account.

D.

Update the permissions set to allow console access for the remaining developer.