Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Viewing page 6 out of 7 pages
Viewing questions 51-60 out of questions
Questions # 51:

A security engineer needs to develop a process to investigate and respond to potential security events on a company’s Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.

The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:

• A compromised EC2 instance’s volatile memory and non-volatile memory must be preserved for forensic purposes.

• A compromised EC2 instance’s metadata must be updated with corresponding incident ticket information.

• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

• Any investigative activity during the collection of volatile data must be captured as part of the process.

Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)

Options:

A.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance’s security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.


B.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.


C.

Use Systems Manager Run Command to invoke scripts that collect volatile data.


D.

Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data.


E.

Create a snapshot of the compromised EC2 instance’s EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.


F.

Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.


Expert Solution
Questions # 52:

A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.

Which solution will meet these requirements?

Options:

A.

Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.


B.

Use Amazon Inspector to run investigations on the IAM roles and visualize the findings.


C.

Export GuardDuty findings to Amazon S3 and analyze them with Amazon Athena.


D.

Enable AWS Security Hub and use custom actions to investigate IAM roles.


Expert Solution
Questions # 53:

A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.

How can the security engineer meet these requirements?

Options:

A.

To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.


B.

To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.


C.

To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.


D.

To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.


Expert Solution
Questions # 54:

A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company’s security policy requires that connections to Amazon S3 are over a private network and are secure.

The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway. Other resources in the VPC use this private subnet to access the internet successfully. When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3.

What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3?

Options:

A.

Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses.


B.

Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses.


C.

Adjust the gateway VPC endpoint policy to allow access from the Lambda function’s network interface address.


D.

Configure the Lambda function’s security group to allow connections to the S3 network address space.


Expert Solution
Questions # 55:

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

Options:

A.

Disable the EC2 instance profile credentials by using AWS Lambda.


B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.


C.

Update the subnet network ACL to block traffic from the detected source IP addresses.


D.

Send GuardDuty findings to Amazon SNS for email notification.


Expert Solution
Questions # 56:

A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.

Which solution will meet this requirement with the LEAST effort?

Options:

A.

Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.


B.

Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.


C.

Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.


D.

Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.


Expert Solution
Questions # 57:

A security team manages a company ' s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team’s software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.


B.

Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.


C.

Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.


D.

Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.


Expert Solution
Questions # 58:

A company recently set up Amazon GuardDuty and is receiving a high number of findings from IP addresses within the company. A security engineer has verified that these IP addresses are trusted and allowed.

Which combination of steps should the security engineer take to configure GuardDuty so that it does not produce findings for these IP addresses? (Select TWO.)

Options:

A.

Create a plaintext configuration file that contains the trusted IP addresses.


B.

Create a JSON configuration file that contains the trusted IP addresses.


C.

Upload the configuration file directly to GuardDuty.


D.

Upload the configuration file to Amazon S3. Add a new trusted IP list to GuardDuty that points to the file.


E.

Manually copy and paste the configuration file data into the trusted IP list in GuardDuty.


Expert Solution
Questions # 59:

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

Options:

A.

Track SSM Agent versions with AWS Config.


B.

Configure Session Manager to deny external connections.


C.

Store the script in Amazon S3 and grant read access.


D.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.


Expert Solution
Questions # 60:

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company’s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.


B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.


C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.


D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.


Expert Solution
Viewing page 6 out of 7 pages
Viewing questions 51-60 out of questions