Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Viewing page 2 out of 7 pages
Viewing questions 11-20 out of questions
Questions # 11:

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

Options:

A.

Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.


B.

Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.


C.

Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.


D.

Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.


Expert Solution
Questions # 12:

A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.


B.

Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.


C.

Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.


D.

Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.


Expert Solution
Questions # 13:

A company runs an application outside of AWS. The external application authenticates to AWS as an IAM user. A security engineer needs to migrate the external application to use an IAM role. The company’s human users already use IAM roles with AWS IAM Identity Center.

Which solution will give the external application the ability to use an IAM role?

Options:

A.

Set up the external application as a managed application in IAM Identity Center. Create a new account assignment to generate an IAM role for the external application to use.


B.

Create an AWS Verified Access instance. Set up a trust provider for the external application. Create a Verified Access policy to allow the external application to assume an IAM role.


C.

Use IAM Roles Anywhere. Create a trust anchor and profile on AWS. Set up the credential helper tool in the external application. Configure an IAM role to trust IAM Roles Anywhere.


D.

Enable federation with IAM. Configure SAML 2.0 federation by adding a relying party trust between the external application and AWS. Set up an IAM role for the external application to assume.


Expert Solution
Questions # 14:

A company is undergoing a security audit. The company issues IAM user credentials for an auditor. Because of third-party integration requirements, the auditor is unable to assume an IAM role. The auditor attempts to log in to AWS for the first time to reset the account password and to configure multi-factor authentication (MFA). However, the auditor receives an “Access Denied” error during the attempt to reset the password.

The auditor’s account has the following IAM permissions:

securityhub:Get*

securityhub:List*

securityhub:BatchGet*

securityhub:Describe*

iam:ChangePassword on arn:aws:iam::*:user/${aws:username}

Which action will resolve this error?

Options:

A.

The auditor needs to configure MFA before resetting the password.


B.

The auditor must create a more complex password that requires additional characters or symbols.


C.

Add iam:GetAccountPasswordPolicy with Resource: " * " to the auditor’s user account policy.


D.

Add iam:ChangePassword with Resource: " * " to the auditor’s user account policy.


Expert Solution
Questions # 15:

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.

Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

Options:

A.

Configure access logging for the required API stage.


B.

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.


C.

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.


D.

Use Amazon CloudWatch Logs Insights to analyze API access information.


E.

Select the Enable Detailed CloudWatch Metrics option on the required API stage.


Expert Solution
Questions # 16:

A company uses AWS Organizations to manage its AWS accounts in a single organization. The company applies the FullAWSAccess SCP to every OU. However, now the company must explicitly deny specific services. The company needs a solution that restricts any users in the organization from using the explicitly denied services.

Additionally, the solution must enforce all Amazon S3 buckets across the organization to have a minimum TLS version of 1.2. The company requires a central solution that applies to all existing accounts and any new accounts that the company creates in the future.

Which solution will meet these requirements?

Options:

A.

Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.


B.

Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach the SCP to the root OU. Attach the RCP to each account within the organization.


C.

Create an SCP deny statement to disallow s3:* where the TLS version is less than 1.2. Create an RCP that denies a list of services that are restricted in the organization. Attach both policies to the root OU.


D.

Create an SCP that denies a list of services that are restricted in the organization. Create a declarative policy to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.


Expert Solution
Questions # 17:

A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.

What should the security engineer do to meet these requirements?

Options:

A.

Create security groups and attach them to all SQS queues.


B.

Modify network ACLs in all VPCs to restrict inbound traffic.


C.

Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.


D.

Use a third-party cloud access security broker (CASB).


Expert Solution
Questions # 18:

A company ' s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled and stores logs in Amazon S3 and Amazon CloudWatch Logs.

The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked.

Which set of actions will identify the suspect attacker ' s IP address for future occurrences?

Options:

A.

Configure VPC Flow Logs on the subnet where the ALB is located and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.


B.

Configure the CloudWatch agent on the ALB and send application logs to CloudWatch Logs.


C.

Configure the ALB to export access logs to an Amazon OpenSearch Service cluster and search for the new-user-creation.php occurrences.


D.

Configure the web ACL to send logs to Amazon Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.


Expert Solution
Questions # 19:

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests. The security engineer does not want to prevent legitimate users from accessing the application.

Which solution will meet these requirements?

Options:

A.

Use AWS WAF to implement a rate-based rule for all incoming requests.


B.

Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.


C.

Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.


D.

Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.


Expert Solution
Questions # 20:

A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company ' s security team has access to the delegated account.

The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days.

Which solution will quickly identify the access attempts?

Options:

A.

In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.


B.

In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.


C.

In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.


D.

In the organization ' s management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.


Expert Solution
Viewing page 2 out of 7 pages
Viewing questions 11-20 out of questions