AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) questions were last updated today.

Topic 1 - Exam A

Question #1 Topic 1

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

  • A Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
  • B Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
  • C Configure automatic rotation of credentials in AWS Secrets Manager.
  • D Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
  • E Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Suggested Answer: CE
NOTE: Answer is: C and E
Explanation: C and E are the best ways to minimize downtime and protect the credentials. AWS Secrets Manager provides automatic rotation of credentials, which removes the need for manual rotation and minimizes downtime. The application can also catch a connection failure and retrieve the updated credentials from Secrets Manager when the password is rotated. This provides a strong layer of security by limiting direct access to the credentials.

Question #2 Topic 1

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager. Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

  • A Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
  • B Import the certificate with a 4,096-bit RSA public key.
  • C Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
  • D Import the certificate in the us-east-1 (N. Virginia) Region.
  • E Ensure that the certificate, private key, and certificate chain are PEM-encoded.
Suggested Answer: DE
NOTE: Answer is: B, D
Explanation: B: AWS Certificate Manager accepts certificates with RSA keys of 1024, 2048, or 4096 bits, so it is valid to import a certificate with a 4096-bit RSA public key. D: The certificate must be imported into AWS Certificate Manager in the us-east-1 (N. Virginia) Region for it to be available in the Amazon CloudFront console.

Question #3 Topic 1

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled. While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  • A The log files fail integrity validation and automatically are marked as unavailable.
  • B The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  • C The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  • D An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
Suggested Answer: B
NOTE: Answer is: B
Explanation: The log files cannot be read because the Security Engineer's IAM user or role does not have permission to decrypt with the KMS key. The digest files remain readable because they are not encrypted with that key. This demonstrates the importance of KMS key policy permissions in AWS.

Question #4 Topic 1

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs. The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role. When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account. What steps should the Engineer perform to prevent this outcome?

  • A Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
  • B Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
  • C Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
  • D Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.
Suggested Answer: B
NOTE: Answer is: B
Explanation: The Engineer should request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy. This adds an extra layer of security: even if another customer discovers Example Corp.'s role ARN, they still cannot assume the role without knowing the external ID. This technique is generally used when a third party needs to access your AWS resources, and it greatly reduces the chance of an unauthorized party assuming the role and accessing resources (the "confused deputy" problem).

Question #5 Topic 1

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?

  • A Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
  • B Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
  • C Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
  • D Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
Suggested Answer: C
NOTE: Answer is: D
Explanation: Using AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then using AWS Certificate Manager to generate the private certificates and deploy them to all the containers, is the most secure and easiest option to maintain. It provides centralized management and automation of creating, storing, and renewing the TLS certificates, which reduces the complexity of managing certificates across multiple containers and improves security.