SCS-C01 : AWS Certified Security – Specialty : Part 04
-
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?
- Use custom route tables to prevent malicious traffic from routing to the instances.
- Update security groups to deny traffic from the originating source IP addresses.
- Use network ACLs.
- Install intrusion prevention software (IPS) on each instance.
-
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with AWS? (Choose two.)
- Create IAM roles with permissions corresponding to each Active Directory group.
- Create IAM groups with permissions corresponding to each Active Directory group.
- Configure Amazon Cloud Directory to support a SAML provider.
- Configure Active Directory to add relying party trust between Active Directory and AWS.
- Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
-
A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.
What should the Security Engineer use to isolate and research this event? (Choose three.)
- AWS CloudTrail
- Amazon Athena
- AWS Key Management Service (AWS KMS)
- VPC Flow Logs
- AWS Firewall Manager
- Security groups
-
A financial institution has the following security requirements:
– Cloud-based users must be contained in a separate authentication domain.
– Cloud-based users cannot access on-premises systems.As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)
- Configure an AWS Managed Microsoft AD to manage the cloud resources.
- Configure an additional on-premises Active Directory service to manage the cloud resources.
- Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
- Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
- Establish a two-way trust between the new and existing Active Directory services.
-
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?
- Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.
- Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.
- Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
- Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.
-
An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?
- VPN and a cached storage gateway
- AWS Snowball Edge
- VPN Gateway over AWS Direct Connect
- AWS Direct Connect
-
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege? (Choose two.)
- Configure and assign an MFA device to the role used by the instances.
- Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
- Verify that the access key attached to the role used by the instances is active.
- Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
- Verify that the role attached to the instances contains policies that allow access to the queue.
-
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Choose two.)
- Amazon Elasticsearch
- Amazon Kinesis
- Amazon SQS
- Amazon CloudWatch
- Amazon Athena
-
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?
- Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
- Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
- Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
- Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
-
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box.
Which of the following actions would resolve this issue?
- In CloudTrail, verify that the trail logging bucket has a log prefix configured.
- In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.
- In SNS, ensure that the subscription used by these alerts has not been deleted.
- In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.
-
A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:
-Content Security-Policy
-X-Frame-Options
-X-XSS-ProtectionThe Engineer does not have access to the source code of the legacy web application.
Which of the following approaches would meet this requirement?- Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
- Implement an AWS Lambda@Edge origin response function that inserts the required headers.
- Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
- Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.
-
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Choose two.)
- Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
- Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console.
- Verify that the EC2 instances have a route to the public AWS API endpoints.
- Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
- Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.
-
A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?
- Delete the internet gateway associated with the VPC.
- Use network access control lists to block source IP addresses matching 0.0.0.0/0.
- Use a host-based firewall to prevent access from all but the organization’s firewall IP.
- Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization’s firewall IP.
-
In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?
- Change the S3 bucket/object permission so that only the bucket owner has access.
- Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
- Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
- Redirect S3 bucket access to the corresponding CloudFront distribution.
-
A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS.
Which steps should be taken to authenticate to AWS services using the company’s on-premises Active Directory? (Choose three.)
- Create IAM roles with permissions corresponding to each Active Directory group.
- Create IAM groups with permissions corresponding to each Active Directory group.
- Create a SAML provider with IAM.
- Create a SAML provider with Amazon Cloud Directory.
- Configure AWS as a trusted relying party for the Active Directory
- Configure IAM as a trusted relying party for Amazon Cloud Directory.
-
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?
- Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst’s AWS account. B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
- Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
- Verify that the Analyst’s account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.
-
Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.
Which of the following methods will ensure that the data is unreadable by anyone else?
- Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.
- Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.
- Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.
- Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.
-
A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized AWS IAM user from the IP address range 10.10.10.0/24:
When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.
What does the Administrator need to change to grant access to the user?- Change the “Resource” from “arn: aws:s3:::Bucket” to “arn:aws:s3:::Bucket/*”.
- Change the “Principal” from “*” to {AWS:”arn:aws:iam: : account-number: user/username”}
- Change the “Version” from “2012-10-17” to the last revised date of the policy
- Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]
-
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.
Pattern:
“randomID_datestamp_PII.csv”
Example:
“1234567_12302017_000-00-0000 csv”The bucket where these objects are being stored is using server-side encryption (SSE).
Which solution is the most secure and cost-effective option to protect the sensitive data?
- Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
- Add an S3 bucket policy that denies the action s3:GetObject
- Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
- Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.
-
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Choose two.)
- Verify that the S3 bucket policy allow CloudTrail to write objects.
- Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
- Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
- Verify that the S3 bucket defined in CloudTrail exists.
- Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
Subscribe
0 Comments
Newest