Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with CertsForce

Viewing page 4 out of 13 pages
Viewing questions 31-40 out of questions
Question 31:

A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons.

Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)

Options:

A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
D. Create local database users for each module.
E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.

Question 32:

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

Options:

A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Question 33:

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.

Which solution will meet these requirements MOST cost-effectively?

Options:

A. Store the client token as a secret in AWS Secrets Manager. Use the AWS SDK to retrieve the secret in the Lambda function.
B. Configure a token-based Lambda authorizer in API Gateway.
C. Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.
D. Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.

Question 34:

A company runs workloads on Amazon EC2 instances. The company needs to continually scan the EC2 instances for software vulnerabilities and unintended network exposure.

Which solution will meet these requirements?

Options:

A. Use Amazon Inspector. Set the scan mode to hybrid scanning.
B. Use Amazon GuardDuty. Enable the Malware Protection feature.
C. Use Amazon Inspector. Enable the Malware Protection feature.
D. Use Amazon GuardDuty. Enable the Runtime Monitoring feature.

Question 35:

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.

How can a security engineer provide the access to meet these requirements?

Options:

A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.

Question 36:

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

Options:

A. Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
B. Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
C. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1:* as the principal.
D. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.

Question 37:

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.

The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.

Which solution will meet this requirement?

Options:

A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
B. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
C. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
D. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.

Question 38:

A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.

A security engineer needs to deny access from the offending IP addresses.

Which solution will meet these requirements?

Options:

A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
B. Add a rule to all security groups to deny the incoming requests from the IP address range.
C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.

Question 39:

A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

Options:

A. Place the RDS instance in a public subnet and an AWS Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.
B. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
C. Place the RDS instance in a private subnet and an AWS Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
D. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.
E. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Question 40:

A company is testing incident response procedures for destination containment. The company needs to contain a critical Amazon EC2 instance as quickly as possible while keeping the EC2 instance running. The EC2 instance is the only resource in a public subnet and has active connections to other resources.

Which solution will contain the EC2 instance IMMEDIATELY?

Options:

A. Create a new security group that has no inbound rules or outbound rules. Attach the new security group to the EC2 instance.
B. Configure the existing security group for the EC2 instance. Remove all existing inbound rules and outbound rules from the security group.
C. Create a new network ACL that has a single Deny rule for inbound traffic and outbound traffic. Associate the new network ACL with the subnet that contains the EC2 instance.
D. Create a new VPC for isolation. Stop the EC2 instance. Create a new AMI from the EC2 instance. Use the new AMI to launch a new EC2 instance in the new VPC.