1. Home
  2. Amazon Web Services
  3. AWS Certified Specialty
  4. SCS-C02
  5. AWS Certified Security - Specialty Questions and Answers

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with CertsForce

 Amazon Web Services Exams      Go to Exam Detail      Get Premium Access
Viewing page 2 out of 13 pages
Viewing questions 11-20 out of questions
Questions # 11:

A company's cloud operations team is responsible for building effective security for IAM cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp).The two account policies are as follows:

Question # 11

Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

Options:
A.

Ask the developers to change their password and use a different web browser.

B.

Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

C.

Modify the production account ReadS3 role policy to allow the PutBucketPolicy action onthe productionapp S3 bucket.

D.

Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.

E.

Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Expert Solution
Questions # 12:

For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied

What would the MOST efficient way to achieve these goals?

Options:
A.

Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version

B.

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

C.

Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances

D.

Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

Expert Solution
Questions # 13:

A company runs a cuslom online gaming application. The company uses Amazon Cognito for user authentication and authorization.

A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that exist in Cognito. The company has already set up a user pool and an identity pool in Cognito.

Which solution will meet these requirements?

Options:
A.

Create a set of 1AM roles and 1AM policies Configure the Cognito identity pool to assign users to the 1AM roles.

B.

Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source Map Cognito access tokens to the Verified Permissions schema.

C.

Create customer managed permissions by using AWS Resource Access Manager (AWS RAM) Configure the Cognito identity pool to assign users to the customer managed permissions

D.

Create a set of 1AM users and 1AM policies. Configure the Cognito user pool to assign users to the 1AM users.

Expert Solution
Questions # 14:

A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store(Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance

The EC2 instance will not start and transitions from the pending state to the shutting-down state to the terminated state

Which combination of steps should a security engineer take to troubleshoot this issue? (Select TWO )

Options:
A.

Verify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume

B.

Verify that the KMS key that is associated with the EBS volume is set to the Symmetric key type

C.

Verify that the KMS key that is associated with the EBS volume is in the Enabled state

D.

Verify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume

E.

Verify that the key that is associated with the EBS volume has not expired and needs to be rotated

Expert Solution
Questions # 15:

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host

(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

Options:
A.

In the security group of the EC2 instance, allow inbound ICMP traffic.

B.

In the security group of the EC2 instance, allow outbound ICMP traffic.

C.

In the VPC's NACL, allow inbound ICMP traffic.

D.

In the VPC's NACL, allow outbound ICMP traffic.

Expert Solution
Questions # 16:

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

Options:
A.

The ACL in the bucket needs to be updated

B.

The IAM policy does not allow the user to access the bucket

C.

It takes a few minutes for a bucket policy to take effect

D.

The allow permission is being overridden by the deny

Expert Solution
Questions # 17:

A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.

The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:

• A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.

• A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.

• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

• Any investigative activity during the collection of volatile data must be cap-tured as part of the process.

Which combination of steps should the security engineer take to meet these re-quirements with the LEAST operational overhead? (Select THREE.)

Options:
A.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

B.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

C.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

D.

Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.

E.

Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.

F.

Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Expert Solution
Questions # 18:

A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.

How can the security administrator restrict usage of member root user accounts across the organization?

Options:
A.

Disable the use of the root user account at the organizational root. Enable multi-factor authentication (MFA) of the root user account for each organization member account.

B.

Configure 1AM user policies to restrict root account capabilities for each organization member account.

C.

Create an OU in Organizations, and attach an SCP that controls usage of the root user. Add all member accounts to the new OU.

D.

Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs Create a metric filter for RootAccountUsage.

Expert Solution
Questions # 19:

A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs.

Which Amazon Web Offerings (IAM) services should be employed to satisfy these requirements? (Select two.)

Options:
A.

Amazon Athena

B.

Amazon Kinesis

C.

Amazon SQS

D.

Amazon Elasticsearch

E.

Amazon EMR

Expert Solution
Questions # 20:

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.

Which combination of steps should the company take to meet this requirement? (Select THREE.)

Options:
A.

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

B.

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

C.

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

D.

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

E.

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

F.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Expert Solution
Viewing page 2 out of 13 pages
Viewing questions 11-20 out of questions