1. Home
  2. Amazon Web Services
  3. AWS Certified Specialty
  4. SCS-C02
  5. AWS Certified Security - Specialty Questions and Answers

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with CertsForce

 Amazon Web Services Exams      Go to Exam Detail      Get Premium Access
Viewing page 11 out of 13 pages
Viewing questions 101-110 out of questions
Questions # 101:

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

Options:
A.

Configure Amazon CloudWatch Logs Insights

B.

Create an Amazon CloudWatch dashboard

C.

Configure AWS Security Hub integrations

D.

Query the findings by using Amazon Athena

Expert Solution
Questions # 102:

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account.

The company has not monitored account activity in the past.

The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.

Which solution will meet these requirements?

Options:
A.

In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by re-source.

B.

Use AWS Cost Anomaly Detection to create a cost monitor. Access the detec-tion history. Set the time frame to Last 30 days. In the search area, choose the service category.

C.

In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Parti-tion the table by event source.

D.

Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to as-sess by resource.

Expert Solution
Questions # 103:

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubemetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with the LEAST operational effort?

Options:
A.

Designate an Amazon GuardDuty administrator account in the organization's management account Enable GuardDuty for all accounts Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.

Designate a monitoring account Share Amazon CloudWatch logs from all accounts with the monitoring account Configure Aurora to publish all logs to CloudWatch Use Amazon Inspector in the monitoring account to evaluate the CloudWatch logs.

C.

Create a central Amazon S3 bucket in the organization's management account Configure AWS CloudTrail in all AWS accounts to deliver CloudTrail logs to the S3 bucket Configure Aurora to publish all logs to CloudTrail Use Amazon Athena to query the CloudTrail logs in the S3 bucket for secunty issues.

D.

Designate a monitoring account Share Amazon CloudWatch logs from all accounts with the monitoring account Subscnbe an Amazon Kinesis data stream to the CloudWatch logs Create AWS Lambda functions to process log records in the data stream to detect security issues.

Expert Solution
Questions # 104:

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.

What is the MOST secure way to meet these requirements?

Options:
A.

Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

B.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.

C.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

D.

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Expert Solution
Questions # 105:

A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest.

A security engineer creates a new S3 bucket to store the documents.

What should the security engineer do next to meet these requirements?

Options:
A.

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

B.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

C.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

D.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 eventnotification after 7 years.

Expert Solution
Questions # 106:

A company is building a data processing application that uses AWS Lambda functions The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

Options:
A.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

B.

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

C.

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

D.

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Expert Solution
Questions # 107:

A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).

The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin.

During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.

How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

Options:
A.

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

B.

Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.

C.

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

D.

Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Expert Solution
Questions # 108:

A security engineer for a large company is managing a data processing application used by 1.500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidianes and should not be available on the public internet. To meet the compliance requirements for restricted access, the engineer has received the public and private CIDR block ranges for each subsidiary.

What solution should the engineer use to implement the appropriate access restrictions for the application?

Options:
A.

Create a NACL to allow access on TCP port 443 (rom the 1.500 subsidiary CIDR block ranges Associate the NACL to both the NLB and EC2 instances.

B.

Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges Associate the security group to the NLB Create a second security group (or EC2 instances with access on TCP port 443 from the NLB security group.

C.

Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint Use AWS PrivateLink interface endpoints in the 1.500 subsidiary AWS accounts to connect to the data processing application.

D.

Create an AWS security group to allow access on TCP port 443 from the 1.500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Expert Solution
Questions # 109:

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet.

The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905.

Which solution will identify the affected EC2 instances with the LEAST operational effort?

Options:
A.

Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

B.

Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

C.

Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

D.

Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Expert Solution
Questions # 110:

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

Options:
A.

Replace the KSK with a zone-signing key (ZSK).

B.

Deactivate and then activate the KSK.

C.

Create a Delegation Signer (DS) record in the parent hosted zone.

D.

Create a Delegation Signer (DS) record in the subdomain.

Expert Solution
Viewing page 11 out of 13 pages
Viewing questions 101-110 out of questions