SCS-C01 : AWS Certified Security – Specialty : Part 11

  1. A company manages multiple AWS accounts using AWS Organizations. The company’s security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.

    Which set of actions should the security team implement to accomplish this?

    • Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.
    • Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
    • Edit the existing trail in the Organizations master account and apply it to the organization.
    • Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
  2. A security engineer is setting up a new AWS account. The engineer has been asked to continuously monitor the company’s AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks.

    How can the security engineer accomplish this using AWS services?

    • Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled.
    • Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings.
    • Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
    • Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.
  3. A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company’s security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.

    Which combination of steps should the security engineer recommend? (Choose two.)

    • Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
    • Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
    • Change the destination to Amazon CloudWatch Logs.
    • Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
    • Include the subnet-id and instance-id fields in the log format.
  4. A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.

    This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application’s EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.

    What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

    • Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
    • Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
    • Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
    • Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.
  5. An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company’s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.

    Which steps would help achieve this? (Choose two.)

    • Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
    • Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
    • Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker’s IP using security groups.
    • Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
    • Use AWS WAF to create rules to respond to such attacks.
  6. A company’s on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior.

    The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months.

    Which solution meets the company’s current and future logging requirements?

    • Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
    • Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
    • Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
    • Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.
  7. A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials.

    A recent security review highlighted the following issues:

    – The Lambda function has internet access.
    – The relational database is publicly accessible.
    – The database credentials are not stored in an encrypted state.

    Which combination of steps should the company take to resolve these security issues? (Choose three.)

    • Disable public access to the RDS database inside the VPC.
    • Move all the Lambda functions inside the VPC.
    • Edit the IAM role used by Lambda to restrict internet access.
    • Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
    • Edit the IAM role used by RDS to restrict internet access.
    • Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
  8. A company wants to deploy an application in a private VPC that will not be connected to the internet. The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.

    Which combination of steps should the security team take? (Choose three.)

    • Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.
    • Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.
    • Create an SCP that prevents the creation of SSH key pairs.
    • Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.
    • Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.
    • Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.
  9. A company uses multiple AWS accounts managed with AWS Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.

    A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.

    Which solution should the security engineer recommend?

    • Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.
    • Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.
    • Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
    • Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.
  10. A developer reported that AWS CloudTrail was disabled on their account. A security engineer investigated the account and discovered the event was undetected by the current security solution. The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.

    What should the security engineer do to meet these requirements?

    • Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
    • Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
    • Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
    • Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
  11. A security engineer noticed an anomaly within a company EC2 instance as shown in the image. The engineer must now investigate what is causing the anomaly.

    [Image: SCS-C01 AWS Certified Security – Specialty Part 11 Q11 035]

    What are the MOST effective steps to take to ensure that the instance is not further manipulated, while allowing the engineer to understand what happened?

    • Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.
    • Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
    • Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
    • Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.
  12. An external auditor finds that a company’s user passwords have no minimum length. The company is currently using two identity providers:

    – AWS IAM federated with on-premises Active Directory
    – Amazon Cognito user pools for accessing an AWS Cloud application developed by the company

    Which combination of actions should the security engineer take to solve this issue? (Choose two.)

    • Update the password length policy in the on-premises Active Directory configuration.
    • Update the password length policy in the IAM configuration.
    • Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.
    • Update the password length policy in the Amazon Cognito configuration.
    • Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.
  13. A company’s data lake uses Amazon S3 and Amazon Athena. The company’s security engineer has been asked to design an encryption solution that meets the company’s data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.

    Which solution meets these requirements?

    • Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK.
    • Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
    • Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.
    • Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.
  14. A company’s security engineer has been asked to monitor and report all AWS account root user activities.

    Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)

    • Configuring AWS Organizations to monitor root user API calls on the paying account
    • Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
    • Configuring Amazon Inspector to scan the AWS account for any root user activity
    • Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
    • Using Amazon SNS to notify the target group
  15. A security engineer needs to ensure their company’s use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used.

    Which solution meets these requirements?

    • Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
    • Create root user access keys. Use an AWS Lambda function to parse AWS CloudTrail logs from Amazon S3 and generate notifications using Amazon SNS.
    • Set up a rule in AWS Config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
    • Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS.
  16. A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

    – A trusted forensic environment must be provisioned.
    – Automated response processes must be orchestrated.

    Which AWS services should be included in the plan? (Choose two.)

    • AWS CloudFormation
    • Amazon GuardDuty
    • Amazon Inspector
    • Amazon Macie
    • AWS Step Functions
  17. A company’s security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company’s SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.

    After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.

    Which of the following are possible causes of this issue? (Choose three.)

    • The SQS queue does not allow the SQS:SendMessage action from the SNS topic.
    • The SNS topic does not allow the SNS:Publish action from Amazon S3.
    • The SNS topic is not delivering raw messages to the SQS queue.
    • The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
    • The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
    • The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.
  18. A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

    What immediate action should the security engineer take?

    • Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
    • Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
    • Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
    • Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.
  19. A company’s director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices.

    Which solution would meet these requirements?

    • In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
    • Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty’s integration with Amazon SNS to report on findings.
    • Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.
    • Use AWS Artifact’s prebuilt reports and subscriptions. Subscribe the director of information security to the reports by adding the director as the security alternate contact for each account.
  20. A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company’s AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure all GuardDuty findings are available in the security account.

    What should the security engineer do to resolve this issue?

    • Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings.
    • Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub.
    • Check that GuardDuty in the security account is able to assume a role in the compromised account using the guardduty:ListFindings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings.
    • Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.