SCS-C01 : AWS Certified Security – Specialty : Part 02
An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?
Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.
Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.
Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?
Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?
Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units: SCS-C01 AWS Certified Security – Specialty Part 02 Q03 004
Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required: SCS-C01 AWS Certified Security – Specialty Part 02 Q03 005
Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level: SCS-C01 AWS Certified Security – Specialty Part 02 Q03 006
Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the following policy statement to restrict services as required: SCS-C01 AWS Certified Security – Specialty Part 02 Q03 007
A company’s database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?
Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
The Secrets Manager IAM policy does not allow access to the RDS database.
The Secrets Manager IAM policy does not allow access for the applications.
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.
Which action should the Security Engineer take to allow communication over the public IP addresses?
Associate the instances to the same security groups.
Add 0.0.0.0/0 to the egress rules of the instance security groups.
Add the instance IDs to the ingress rules of the instance security groups.
Add the public IP addresses to the ingress rules of the instance security groups.
The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?
Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.
Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?
SCS-C01 AWS Certified Security – Specialty Part 02 Q07 008
Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.
Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.
Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.
Move all the files to an S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.
What is causing this situation?
Application Load Balancers do not support older web browsers.
The Perfect Forward Secrecy settings are not configured correctly.
The intermediate certificate is installed within the Application Load Balancer.
The cipher suites on the Application Load Balancers are blocking connections.
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions.
What is the SIMPLEST way to meet these requirements?
Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise. The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated.
What approach enables the Administrator to search through the logs MOST efficiently?
Implement a “write-only” CloudTrail event filter to detect any modifications to the AWS account resources.
Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?
Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.
Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?
Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
Copy the application’s AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.
Configure the target region’s AWS service to communicate with the source region’s AWS KMS so that it can decrypt the resource in the target region.
An organization policy states that all encryption keys must be automatically rotated every 12 months.
Which AWS Key Management Service (KMS) key type should be used to meet this requirement?
AWS managed Customer Master Key (CMK)
Customer managed CMK with AWS generated key material
Customer managed CMK with imported key material
AWS managed data key
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which action should the Engineer take based on this situation? (Choose three.)
Use AWS Artifact to capture an exact image of the state of each instance.
Create EBS Snapshots of each of the volumes attached to the compromised instances.
Capture a memory dump.
Log in to each instance with administrative credentials to restart the instance.
Revoke all network ingress and egress except for to/from a forensics workstation.
Run Auto Recovery for Amazon EC2.
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
– Encryption in transit
– Encryption at rest
– Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
Specify “aws:SecureTransport”: “true” within a condition in the S3 bucket policy.
Enable a security group for the S3 bucket that allows port 443, but not port 80.
Set up default encryption for the S3 bucket.
Enable Amazon CloudWatch Logs for the AWS account.
Enable API logging of data events for all S3 objects.
Enable S3 object versioning for the S3 bucket.
What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?
SCS-C01 AWS Certified Security – Specialty Part 02 Q17 009
The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.
SCS-C01 AWS Certified Security – Specialty Part 02 Q18 010
What does the statement allow?
All principals from all AWS accounts to use the key.
Only the root user from account 111122223333 to use the key.
All principals from account 111122223333 to use the key but only on Amazon S3.
Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?
Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards.
Which of the following actions should the Engineer perform to get further guidance?
Read the AWS Customer Agreement.
Use AWS Artifact to access AWS compliance reports.
Post the question on the AWS Discussion Forums.
Run AWS Config and evaluate the configuration outputs.
