Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Viewing page 5 out of 7 pages
Viewing questions 41-50 out of questions
Questions # 41:

A security engineer must investigate an Amazon GuardDuty finding. The finding indicates potential cryptocurrency mining activity on an Amazon EC2 instance. The security engineer must validate the finding and assess the impact.

Which data sources should the security engineer analyze to meet these requirements?

Options:

A.

Check the instance’s CPU utilization metrics in Amazon CloudWatch. Examine the finding’s MITRE ATT & CK tactic classification. Review any associated IAM role permissions.


B.

Count the number of GuardDuty findings associated with the instance. Verify the instance’s launch time. Check AWS Security Hub CSPM for any related alerts.


C.

Review the instance’s process details that relate to the finding. Examine DNS queries to known mining domains. Analyze the instance’s outbound network connections by using VPC Flow Logs.


D.

Examine the instance’s AWS Systems Manager session history. Verify Amazon Route 53 DNS records. Review GuardDuty severity levels.


Expert Solution
Questions # 42:

A company needs to scan all AWS Lambda functions for code vulnerabilities.

Options:

A.

Use Amazon Macie.


B.

Enable Amazon Inspector Lambda scanning.


C.

Use GuardDuty and Security Hub.


D.

Use GuardDuty Lambda Protection.


Expert Solution
Questions # 43:

A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Options:

A.

Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.


B.

Configure an S3 Lifecycle configuration rule on the bucket to expire objects after 72 hours.


C.

Use the S3 Intelligent-Tiering storage class and configure expiration after 72 hours.


D.

Generate presigned URLs that expire after 72 hours.


Expert Solution
Questions # 44:

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company ' s existing and future S3 buckets.

Which solution will meet these requirements?

Options:

A.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.


B.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.


C.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.


D.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.


Expert Solution
Questions # 45:

A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

Options:

A.

Configure VPC Flow Logs and search for PHP file activity.


B.

Install the CloudWatch agent on the ALB and export application logs.


C.

Export ALB access logs to Amazon OpenSearch Service and search them.


D.

Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.


Expert Solution
Questions # 46:

A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months.

A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.

Which solution will meet this requirement with the LEAST effort?

Options:

A.

Implement AWS IAM Access Analyzer policy generation on the role.


B.

Implement AWS IAM Access Analyzer policy validation on the role.


C.

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.


D.

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.


Expert Solution
Questions # 47:

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Options:

A.

Enable AWS Security Hub in the AWS account.


B.

Enable Amazon GuardDuty in the AWS account.


C.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team ' s email distribution list to the topic.


D.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team ' s email distribution list to the queue.


E.

Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.


F.

Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.


Expert Solution
Questions # 48:

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution toprevent CloudTrail from being disabled.

Which solution will meet this requirement?

Options:

A.

Enable CloudTrail log file integrity validation from the organization ' s management account.


B.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.


C.

Create a service control policy (SCP) that includes an explicitDenyrule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.


D.

Create IAM policies for all the company ' s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.


Expert Solution
Questions # 49:

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

Options:

A.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.


B.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.


C.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.


D.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.


Expert Solution
Questions # 50:

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

Options:

A.

Configure a cron job on the instances to forward the log files to Amazon S3 periodically.


B.

Configure AWS Glue and Amazon Athena to query the log files.


C.

Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.


D.

Configure Amazon CloudWatch Logs Insights to query the log files.


E.

Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.


Expert Solution
Viewing page 5 out of 7 pages
Viewing questions 41-50 out of questions