SCS-C01 : AWS Certified Security – Specialty : Part 12
-
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?
- Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
- Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
- Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
- Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
-
A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error. What should a security engineer do to troubleshoot this error? (Choose three.)
- Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.
- Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
- Ensure the CMK was created before the S3 bucket.
- Ensure the S3 block public access feature is enabled for the S3 bucket.
- Ensure that automatic key rotation is disabled for the CMK.
- Ensure the SCPs within Organizations allow access to the S3 bucket.
-
A city is implementing an election results reporting website that will use Amazon CloudFront. The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket. A security engineer needs to ensure that all external access to the website goes through CloudFront.
Which solution meets these requirements?
- Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
- Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
- Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
- Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
-
Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Choose three.)
- Default AWS Certificate Manager certificate
- Custom SSL certificate stored in AWS KMS
- Default CloudFront certificate
- Custom SSL certificate stored in AWS Certificate Manager
- Default SSL certificate stored in AWS Secrets Manager
- Custom SSL certificate stored in AWS IAM
-
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI.
What should the administrator do to resolve this problem while still enforcing multi-factor authentication?
- Change the value of aws:MultiFactorAuthPresent to true.
- Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use the resulting temporary credentials to make API/CLI calls.
- Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
- Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass the --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.
-
A recent security audit identified that a company’s application team injects database credentials into the environment variables of an AWS Fargate task. The company’s security policy mandates that all sensitive data be encrypted at rest and in transit.
Which combination of actions should the security team take to make the application compliant with the security policy? (Choose three.)
- Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.
- Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret.
- Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
- Add the following statement to the container instance IAM role policy:
- Add the following statement to the task execution role policy:
- Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.
-
A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from their corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. The security engineer is concerned about the overall security impact of this credential sharing.
Which actions will meet the program requirements that address security?
- Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.
- Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
- Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if it originates from corporate premises.
- Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.
-
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.
To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.
What should the security engineer do next?
- Place the network interface in promiscuous mode to capture the traffic.
- Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
- Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
- Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.
-
A company’s security officer is concerned about the risk of AWS account root user logins and has assigned a security engineer to implement a notification solution for near-real-time alerts upon account root user logins.
How should the security engineer meet these requirements?
- Create a cron job that runs a script to download the AWS IAM security credentials file, parse the file for account root user logins, and email the security team’s distribution list.
- Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the security team’s distribution list.
- Save AWS CloudTrail logs to an Amazon S3 bucket in the security team’s account. Process the CloudTrail logs with the security engineer’s logging solution for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.
- Save VPC Flow Logs to an Amazon S3 bucket in the security team’s account, and process the VPC Flow Logs with their logging solutions for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.
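The CloudTrail-to-CloudWatch Events-to-Lambda-to-SNS approach hinges on one event pattern. The block below is an added example, not code from the original page: ROOT_LOGIN_PATTERN is an EventBridge (CloudWatch Events) rule pattern for root console sign-ins, match_pattern() is a small matcher for the subset of pattern syntax it uses (exact-value lists, nested objects), and the sample events are constructed to the shape of EventBridge-wrapped CloudTrail sign-in records so the detection can be checked offline. Account IDs, IP addresses and times are made up.

```python
"""Detection logic for AWS account root user console sign-ins.

Added example, not code from the original page. Sample events are constructed.
"""

# Pattern for the EventBridge rule that triggers the Lambda/SNS notification.
ROOT_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}


def match_pattern(pattern, event):
    """EventBridge-style matching: every pattern key must exist in the event and
    the event value must be one of the listed values; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not match_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def format_alert(event):
    """Message body the Lambda function would publish to the SNS topic."""
    d = event["detail"]
    mfa = d.get("additionalEventData", {}).get("MFAUsed", "Unknown")
    return (f"Root console login in account {event['account']}: "
            f"{d['responseElements']['ConsoleLogin']} at {d['eventTime']} "
            f"from {d['sourceIPAddress']} (MFAUsed={mfa})")


def root_login_alerts(events):
    """Alerts for every event the rule pattern would match."""
    return [format_alert(e) for e in events if match_pattern(ROOT_LOGIN_PATTERN, e)]


def _signin_event(identity_type, arn, result, mfa, when, ip):
    """Constructed EventBridge envelope around a CloudTrail ConsoleLogin record."""
    return {
        "version": "0", "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin", "account": "111122223333", "region": "us-east-1",
        "detail": {
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "eventTime": when, "sourceIPAddress": ip,
            "userIdentity": {"type": identity_type, "arn": arn, "accountId": "111122223333"},
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa, "MobileVersion": "No"},
        },
    }


SAMPLE_EVENTS = [
    _signin_event("Root", "arn:aws:iam::111122223333:root", "Success", "No",
                  "2023-05-04T08:12:31Z", "198.51.100.7"),
    _signin_event("IAMUser", "arn:aws:iam::111122223333:user/alice", "Success", "Yes",
                  "2023-05-04T08:15:02Z", "203.0.113.9"),
    _signin_event("Root", "arn:aws:iam::111122223333:root", "Failure", "No",
                  "2023-05-04T23:41:55Z", "192.0.2.44"),
]
```

Two practical caveats: console sign-in events are global-service events and are delivered to the US East (N. Virginia) Region, so the rule must exist there, and the pattern above only sees console logins. Dropping the detail-type and eventName constraints and keeping only userIdentity.type equal to Root will also catch root API calls made with access keys, which are at least as alarming.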
-
A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. An encryption key may be no more than 10 days old and may not encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.
Which approach MOST efficiently meets the company’s needs?
- Use the AWS Encryption SDK and set the maximum age to 10 days and the maximum number of messages encrypted to 2^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
- Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
- Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
- Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.
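The key-exhaustion rule above (rotate a data key after 10 days or 2^16 messages, whichever comes first) is exactly what a caching key provider enforces. The block below is an added example, not code from the original page and not the AWS Encryption SDK itself: it models what the SDK's caching cryptographic materials manager does when configured with max_age and max_messages_encrypted, using a constructed stand-in for KMS GenerateDataKey (os.urandom) so that it runs offline, and it works out which of the two limits binds first at the question's upload rate.

```python
"""Data-key caching with rotation on age or message count (key exhaustion).

Added example; models the AWS Encryption SDK caching CMM limits with a
local stand-in for kms:GenerateDataKey. Not the SDK's own code.
"""
import os
import time

MAX_AGE_SECONDS = 10 * 24 * 60 * 60   # a data key may be no more than 10 days old
MAX_MESSAGES = 2 ** 16                # and may protect at most 2^16 objects


class DataKey:
    def __init__(self, key_id, plaintext, created_at):
        self.key_id = key_id            # serial number, for the demo only
        self.plaintext = plaintext      # 32-byte key; the SDK keeps it wrapped by the CMK
        self.created_at = created_at
        self.messages_encrypted = 0


class CachingKeyProvider:
    """Hands out the cached data key and rotates it when either limit is reached."""

    def __init__(self, generate_data_key, clock=time.time,
                 max_age=MAX_AGE_SECONDS, max_messages=MAX_MESSAGES):
        self._generate = generate_data_key   # stand-in for kms:GenerateDataKey
        self._clock = clock                  # injectable so tests can move time
        self._max_age = max_age
        self._max_messages = max_messages
        self._current = None
        self.keys_generated = 0

    def _exhausted(self, key, now):
        return (now - key.created_at >= self._max_age
                or key.messages_encrypted >= self._max_messages)

    def key_for_next_message(self):
        """Return the key to encrypt the next object with, rotating first if needed."""
        now = self._clock()
        if self._current is None or self._exhausted(self._current, now):
            self.keys_generated += 1
            self._current = DataKey(self.keys_generated, self._generate(), now)
        self._current.messages_encrypted += 1
        return self._current


def seconds_until_rotation(objects_per_second, max_messages=MAX_MESSAGES,
                           max_age=MAX_AGE_SECONDS):
    """How long one producer can use a data key before a limit forces rotation."""
    return min(max_messages / objects_per_second, max_age)


def demo():
    """Simulate one producer with a controllable clock; returns keys generated
    after 2^16 messages, after one more message, and after 10 days pass."""
    clock = [0.0]
    provider = CachingKeyProvider(lambda: os.urandom(32), clock=lambda: clock[0])
    for _ in range(MAX_MESSAGES):
        provider.key_for_next_message()
    after_limit = provider.keys_generated            # exactly 2^16 messages fit on key 1
    provider.key_for_next_message()
    after_count_rotation = provider.keys_generated   # message 2^16 + 1 forces key 2
    clock[0] += MAX_AGE_SECONDS
    provider.key_for_next_message()
    after_age_rotation = provider.keys_generated     # key 2 aged out, key 3 issued
    return after_limit, after_count_rotation, after_age_rotation
```

At 100 objects per second spread over 5 producers, each producer with its own cache encrypts about 20 objects per second, so the message limit forces a new data key roughly every 55 minutes (65536 / 20 seconds) and the 10-day age limit never binds. Because each producer's cache counts separately, the limits must be set per producer, not for the fleet. One GenerateDataKey call per rotation is what keeps the KMS cost low compared with calling KMS for every object.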
-
A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources.
How should the company mitigate this concern?
- Add a template constraint to each product in the portfolio.
- Add a launch constraint to each product in the portfolio.
- Define resource update constraints for each product in the portfolio.
- Update the AWS CloudFormation template backing the product to include a service role configuration.
-
A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.
How can the security engineer implement this solution?
- Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
- Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
- Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
- Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.
-
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.
What should the security engineer recommend?
- Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
- Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
- Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
- Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
-
A company needs to retain log data archives for several years to be compliant with regulations. The log data is no longer used, but it must be retained.
What is the MOST secure and cost-effective solution to meet these requirements?
- Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3:DeleteObject API.
- Archive the data to Amazon S3 Glacier and apply a Vault Lock policy.
- Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region. Choose the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and apply a restrictive bucket policy to deny the s3:DeleteObject API.
- Migrate the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Create a snapshot of the EBS volume.
-
A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name is reportbucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be implemented.
Which statement should the security specialist include in the policy?
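Both the MFA question earlier on this page and the bucket-policy question above turn on one detail of IAM evaluation: how a condition operator behaves when the context key is missing from the request (no aws:MultiFactorAuthPresent for long-term access keys, no x-amz-server-side-encryption header on a PutObject). The block below is an added example, not code from the original page and not the AWS policy engine: it models only that documented behaviour for the operators used, then runs it over two constructed policies, a Deny-with-NotAction MFA policy of the shape the IAM-group question describes (the page's own policy is not shown) and an SSE-KMS-enforcing bucket policy for reportbucket in account 111122223333. The key ARNs, object name and action lists are made up.

```python
"""Miniature IAM condition evaluator run over two constructed Deny policies.

Added example, not AWS's evaluator: it models only the documented handling
of a context key that is absent from the request, for the operators below.
"""
from fnmatch import fnmatchcase

# Operators that match when the context key is ABSENT (e.g. a PutObject with no
# x-amz-server-side-encryption header); positive operators and plain Bool do not.
NEGATED = {"StringNotEquals", "StringNotLike"}


def condition_matches(operator, key, expected, context):
    values = expected if isinstance(expected, list) else [expected]
    if operator.endswith("IfExists"):          # BoolIfExists: absent key counts as a match
        if key not in context:
            return True
        operator = operator[: -len("IfExists")]
    if key not in context:
        return operator in NEGATED
    actual = str(context[key])
    if operator == "Bool":
        return actual.lower() == str(values[0]).lower()
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    if operator == "StringLike":
        return any(fnmatchcase(actual, p) for p in values)
    if operator == "StringNotLike":
        return not any(fnmatchcase(actual, p) for p in values)
    raise ValueError(f"operator not modelled: {operator}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_denied(policy, action, resource, context):
    """True if any Deny statement applies (an explicit deny beats every Allow).
    Principal is not evaluated: every request is treated as the caller's own."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "NotAction" in st:                  # statement covers everything NOT listed
            if any(fnmatchcase(action, a) for a in _as_list(st["NotAction"])):
                continue
        elif not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if all(condition_matches(op, k, v, context)
               for op, kv in st.get("Condition", {}).items() for k, v in kv.items()):
            return True
    return False


def mfa_policy(operator="BoolIfExists"):
    """Deny all but the calls needed to enrol MFA and run sts get-session-token."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


SSE, KEY_ID = "s3:x-amz-server-side-encryption", "s3:x-amz-server-side-encryption-aws-kms-key-id"
SSE_KMS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPutWithoutSSEKMS", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::reportbucket/*",
     "Condition": {"StringNotEquals": {SSE: "aws:kms"}}},
    {"Sid": "DenyKeysNotOwnedByAccount", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::reportbucket/*",
     # S3 presents the header value as a key ARN, so an account-scoped pattern works.
     "Condition": {"StringNotLike": {KEY_ID: "arn:aws:kms:*:111122223333:key/*"}}}]}
OBJ = "arn:aws:s3:::reportbucket/2023-q1.pdf"                                      # made up
OWN_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY = "arn:aws:kms:us-east-1:444455556666:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def mfa_outcomes():
    """Long-term access key (no MFA context key at all) versus MFA session credentials."""
    ec2, long_term, mfa_session = "ec2:DescribeInstances", {}, {"aws:MultiFactorAuthPresent": "true"}
    return {"ec2 with long-term key, BoolIfExists": is_denied(mfa_policy(), ec2, "*", long_term),
            "ec2 with long-term key, plain Bool": is_denied(mfa_policy("Bool"), ec2, "*", long_term),
            "get-session-token with long-term key": is_denied(mfa_policy(), "sts:GetSessionToken", "*", long_term),
            "ec2 with MFA session": is_denied(mfa_policy(), ec2, "*", mfa_session)}


def put_outcomes():
    """Whether each PutObject request shape is denied by the bucket policy."""
    cases = {"no encryption header": {},
             "SSE-S3 (AES256)": {SSE: "AES256"},
             "SSE-KMS without key id (aws/s3 key)": {SSE: "aws:kms"},
             "SSE-KMS with own-account CMK": {SSE: "aws:kms", KEY_ID: OWN_KEY},
             "SSE-KMS with other-account CMK": {SSE: "aws:kms", KEY_ID: OTHER_KEY}}
    return {name: is_denied(SSE_KMS_BUCKET_POLICY, "s3:PutObject", OBJ, ctx) for name, ctx in cases.items()}
```

Two things worth noticing in the outcomes. With BoolIfExists, a long-term access key is denied ec2 calls but still allowed sts:GetSessionToken, which is what lets a user bootstrap MFA-backed temporary credentials from the CLI; with plain Bool the same long-term key is not denied at all, because Bool never matches an absent key, and the "MFA policy" enforces nothing for access keys. On the bucket side, the negated string operators do match absent headers, so a single Deny statement per header is enough, and a request that says aws:kms but names no key (which would fall back to the AWS managed aws/s3 key) is denied just like one naming a foreign account's key.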
-
A company website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. There is an Amazon CloudFront distribution in front of the ALB. Users are reporting performance problems. A security engineer discovers that the website is receiving a high rate of unwanted requests to the CloudFront distribution originating from a series of source IP addresses.
How should the security engineer address this problem?
- Using AWS Shield, configure a deny rule with an IP match condition containing the source IPs of the unwanted requests.
- Using Auto Scaling, configure the maximum instance count to a higher value that will absorb the unwanted requests.
- Using an Amazon VPC NACL, configure an inbound deny rule for each source IP CIDR address of the unwanted requests.
- Using AWS WAF, configure a web ACL rate-based rule on the CloudFront distribution with a rate limit below that of the unwanted requests.
-
A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons.
Which combination of steps should a security engineer implement to grant appropriate access? (Choose two.)
- Configure cluster security groups for each application module to control access to database users that are required for read-only and read-write.
- Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
- Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
- Create local database users for each module.
- Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.
-
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.
What is the FASTEST way for the security engineer to identify the federated user?
- Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
- Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
- Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
- Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.
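The lookup the options above describe is a join between two CloudTrail records: the TerminateInstances event is recorded under the assumed role (userIdentity.type AssumedRole) and carries the temporary access key that made the call, and the AssumeRoleWithSAML event that minted that key names the IdP subject in userIdentity.userName. The block below is an added example, not code from the original page, that runs that join over constructed records shaped like real CloudTrail events; account IDs, access key IDs, instance IDs, names and times are made up, and the role session names are deliberately opaque to show why matching on the access key is more reliable than reading the session name off the role ARN.

```python
"""Attributing a TerminateInstances call to the federated (SAML) user behind it.

Added example, not code from the original page. Sample records are constructed.
"""


def terminations_of(events, instance_id):
    """TerminateInstances records whose instancesSet includes instance_id."""
    out = []
    for e in events:
        if e.get("eventName") != "TerminateInstances":
            continue
        items = e.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        if any(i.get("instanceId") == instance_id for i in items):
            out.append(e)
    return out


def saml_session_for(events, access_key_id):
    """The AssumeRoleWithSAML record that issued this temporary access key, or None."""
    for e in events:
        if e.get("eventName") == "AssumeRoleWithSAML":
            creds = e.get("responseElements", {}).get("credentials", {})
            if creds.get("accessKeyId") == access_key_id:
                return e
    return None


def attribute_termination(events, instance_id):
    """One record per termination: who (IdP subject), via which role and session."""
    results = []
    for term in terminations_of(events, instance_id):
        ident = term["userIdentity"]
        session_arn = ident.get("arn", "")      # arn:aws:sts::acct:assumed-role/Role/Session
        assumed = saml_session_for(events, ident.get("accessKeyId"))
        results.append({
            "eventTime": term["eventTime"],
            "roleArn": ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn"),
            "roleSessionName": session_arn.rsplit("/", 1)[-1],
            "federatedUser": assumed["userIdentity"].get("userName") if assumed else None,
            "identityProvider": assumed["requestParameters"].get("principalArn") if assumed else None,
        })
    return results


def _saml_login(when, subject, session, key_id):
    """Constructed AssumeRoleWithSAML record (shape of the real CloudTrail event)."""
    return {"eventTime": when, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRoleWithSAML",
            "userIdentity": {"type": "SAMLUser", "userName": subject,
                             "identityProvider": "idp.example.com"},
            "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/DevOps",
                                  "principalArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP"},
            "responseElements": {"credentials": {"accessKeyId": key_id},
                                 "assumedRoleUser": {"arn": f"arn:aws:sts::111122223333:assumed-role/DevOps/{session}"}}}


SAMPLE_EVENTS = [
    _saml_login("2023-05-01T09:02:11Z", "jdoe@example.com", "corp-7f3a91", "ASIAEXAMPLE00000001"),
    _saml_login("2023-05-01T09:10:27Z", "bsmith@example.com", "corp-c04e22", "ASIAEXAMPLE00000002"),
    {"eventTime": "2023-05-01T09:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/corp-c04e22",
                      "accessKeyId": "ASIAEXAMPLE00000002",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DevOps",
                                                           "arn": "arn:aws:iam::111122223333:role/DevOps"}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ab1c2d3e4f567890"}]}}},
]
```

In CloudTrail event history the same two steps are a filter on Event name = TerminateInstances, then a filter on the access key ID copied from that event, which returns the AssumeRoleWithSAML record. The session name on the role ARN is only as informative as the IdP's RoleSessionName mapping makes it, which is why the access key, present in both records, is the field to join on.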
-
A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team’s data must always be separate. The company’s security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead.
What should the security team recommend?
- Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
- Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
- Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
- Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
-
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns.
Which solution would have the MOST scalability and LOWEST latency?
- Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
- Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
- Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
- Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.