AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) questions were last updated today.
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • Trademarks, certification & product names are used for reference only and belong to Amazon.

Topic 1 - Exam A

Question #46 Topic 1

A Developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The Developer is required to use an AWS KMS Customer Master Key (CMK) supplied by the Information Security department in order to adhere to company standards for securing Lambda environment variables. Which of the following are required for this configuration to work? (Choose two.)

  • A The Developer must configure Lambda access to the VPC using the --vpc-config parameter.
  • B The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.
  • C The KMS key policy must allow permissions for the Developer to use the KMS key.
  • D The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added.
  • E The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.
Suggested Answer: BC
NOTE: Answer is B, C
Explanation: B is correct because Lambda decrypts the environment variables at invocation time using the function's execution role, so that role needs kms:Decrypt on the customer managed key in its IAM policy (and, if the key policy does not delegate key use to IAM, in the key policy itself). C is correct because in KMS the key policy is the primary access control: the Developer can only use the Information Security department's key if its key policy permits it, either by naming the Developer or by delegating key use to IAM policies in the account. A is wrong because VPC configuration has nothing to do with KMS. D and E are wrong because the variables are encrypted once, when the function is created or updated, under the Developer's credentials (Lambda calls kms:Encrypt on the Developer's behalf); the execution role never encrypts, and a permission in the Developer's IAM policy alone cannot grant access to a key whose policy does not allow it.
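A worked example of the two-sided permission model described above, added here and not part of the exam page: a small, deliberately simplified policy evaluator (explicit Deny beats Allow; no conditions, grants or SCPs) that takes the key policy Information Security hands over, the Developer's IAM policy and the execution role's IAM policy, and reports which of the two requirements is unmet. The account ID, ARNs, key ID and the action lists are assumptions.

```python
"""Where KMS permission must come from when a Lambda function encrypts its
environment variables with a customer managed key owned by another team.
Added example (not from the exam page); IAM evaluation is simplified."""
import fnmatch

# Constructed identities and key (assumptions, not from the question).
ACCOUNT = "123456789012"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
DEVELOPER = f"arn:aws:iam::{ACCOUNT}:user/developer"
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/lambda-exec-role"

# Actions Lambda calls on each party's behalf. Assumption: the subset relevant
# to the question; the Lambda docs list the full set (e.g. kms:ListAliases).
DEVELOPER_ACTIONS = ("kms:Encrypt", "kms:CreateGrant")  # when saving the variables
ROLE_ACTIONS = ("kms:Decrypt",)                          # when the function is invoked

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_ok(stmt, principal_arn):
    # Key-policy statements name a Principal; identity policies have none
    # (they are implicitly scoped to the identity they are attached to).
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed

def evaluate(statements, principal_arn, action, resource):
    """True if the statements allow principal_arn to perform action on resource."""
    allowed = False
    for stmt in statements:
        if not (_match_any(stmt["Action"], action)
                and _match_any(stmt.get("Resource", "*"), resource)
                and _principal_ok(stmt, principal_arn)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def kms_allows(key_policy, identity_policy, principal_arn, action, key_arn):
    """KMS rule: the key policy is authoritative. The principal is allowed if the
    key policy names it, or if the key policy delegates the action to IAM (an
    Allow for the account root) AND the principal's own IAM policy allows it."""
    if evaluate(key_policy, principal_arn, action, key_arn):
        return True
    delegated_to_iam = evaluate(key_policy, ROOT, action, key_arn)
    return delegated_to_iam and evaluate(identity_policy, principal_arn, action, key_arn)

def check_lambda_env_key(key_policy, developer_policy, role_policy, key_arn=KEY_ARN):
    """Return the unmet requirements from the question (empty list = it works)."""
    problems = []
    for action in DEVELOPER_ACTIONS:
        if not kms_allows(key_policy, developer_policy, DEVELOPER, action, key_arn):
            problems.append(f"developer cannot {action}: key policy must permit it (option C)")
    for action in ROLE_ACTIONS:
        if not kms_allows(key_policy, role_policy, EXEC_ROLE, action, key_arn):
            problems.append(f"execution role cannot {action}: add it to the role's IAM policy (option B)")
    return problems

# Key policy as InfoSec might hand it over: the default root statement delegates
# key use to IAM policies in the account, and the developer is named explicitly.
INFOSEC_KEY_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": DEVELOPER},
     "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:DescribeKey"],
     "Resource": "*"},
]
# Variant with the root statement restricted to key administration: nothing is
# delegated to IAM, so identity policies alone can never grant key use.
ADMIN_ONLY_KEY_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": ROOT},
     "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
]
DEVELOPER_IAM_POLICY = [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]
ROLE_POLICY_MISSING_DECRYPT = [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]
ROLE_POLICY_WITH_DECRYPT = ROLE_POLICY_MISSING_DECRYPT + [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]

if __name__ == "__main__":
    print(check_lambda_env_key(INFOSEC_KEY_POLICY, DEVELOPER_IAM_POLICY, ROLE_POLICY_MISSING_DECRYPT))
    print(check_lambda_env_key(INFOSEC_KEY_POLICY, DEVELOPER_IAM_POLICY, ROLE_POLICY_WITH_DECRYPT))
```

Run as a script it reports one problem for the role policy without kms:Decrypt and none once the statement is added. The ADMIN_ONLY_KEY_POLICY variant shows why option D alone can never work: when the key policy delegates nothing to IAM, a developer identity policy granting kms:* still leaves every requirement unmet.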
Question #47 Topic 1

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times. What could have been done to detect and automatically remediate the incident?

  • A Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
  • B Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
  • C Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
  • D Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
Suggested Answer: B
NOTE: Answer is B
Explanation: AWS Config is designed for this sort of governance, auditing, and risk and compliance use case. The managed rules cloudtrail-enabled and iam-root-access-key-check evaluate exactly the two conditions in the question (a trail that is not logging, and access keys existing for the root user), and a non-compliant result can be routed to an AWS Lambda function for remediation, for example one that calls StartLogging on the trail. Inspector (A) assesses hosts, not API activity, and CloudTrail (D) records events but has no remediation mechanism of its own. One practical caveat: root user access keys can only be managed with root credentials, so a Lambda function running under an IAM role cannot deactivate them and should instead alert an operator who can.
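The detection and remediation logic behind option B, as an added example that is not from the exam page: the detector runs over CloudTrail records and flags StopLogging and root-user CreateAccessKey events; the handler is shaped like a Lambda function with its boto3 clients injected so it runs offline against constructed records. The trail ARN, SNS topic, account ID and access key IDs are made up, and the SNS topic is assumed to exist.

```python
"""Detect and auto-remediate the incident in the question: CloudTrail switched
off and the root user minting access keys. Added example, not from the exam
page; boto3 is only imported when no clients are injected."""

# Constructed CloudTrail records (assumption: field names follow the CloudTrail
# record format; account, trail ARN, topic and key IDs are made up).
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
ALERT_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # assumed to exist
ROOT_ARN = "arn:aws:iam::123456789012:root"

SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "requestParameters": {"name": TRAIL_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000001",
                                        "status": "Active"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot"},
     "requestParameters": {"userName": "ci-bot"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002",
                                        "status": "Active"}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

def detect(records):
    """Return (action, target) pairs for the two conditions in the question."""
    actions = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        identity = rec.get("userIdentity", {})
        if source == "cloudtrail.amazonaws.com" and name == "StopLogging":
            actions.append(("restart_trail", rec["requestParameters"]["name"]))
        elif (source == "iam.amazonaws.com" and name == "CreateAccessKey"
              and identity.get("type") == "Root"):
            key_id = rec["responseElements"]["accessKey"]["accessKeyId"]
            actions.append(("alert_root_key", key_id))
    return actions

def remediate(actions, cloudtrail, sns):
    """Apply the actions through boto3-compatible clients; return what was done."""
    done = []
    for kind, target in actions:
        if kind == "restart_trail":
            cloudtrail.start_logging(Name=target)
        elif kind == "alert_root_key":
            # Root access keys can only be deactivated with root credentials, so a
            # function running under an IAM role raises an alert instead.
            sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject="Root access key created",
                        Message=f"Deactivate root access key {target} immediately")
        done.append((kind, target))
    return done

def handler(event, context=None, cloudtrail=None, sns=None):
    """Lambda entry point; event["Records"] holds parsed CloudTrail records."""
    actions = detect(event.get("Records", []))
    if cloudtrail is None or sns is None:
        import boto3  # only needed when running inside AWS
        cloudtrail = cloudtrail or boto3.client("cloudtrail")
        sns = sns or boto3.client("sns")
    return remediate(actions, cloudtrail, sns)

class RecordingClient:
    """Stand-in for a boto3 client that records every call (for offline runs)."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        return lambda **kwargs: self.calls.append((method, kwargs))

if __name__ == "__main__":
    ct, topic = RecordingClient(), RecordingClient()
    print(handler({"Records": SAMPLE_RECORDS}, cloudtrail=ct, sns=topic))
    print(ct.calls, topic.calls)
```

In production the handler would be wired to an EventBridge rule on those event names, or to the cloudtrail-enabled and iam-root-access-key-check Config rules; DeleteTrail and UpdateTrail need their own handling, since StartLogging cannot undo them.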
Question #48 Topic 1

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?

  • A Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  • B Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
  • C Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
  • D Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
Suggested Answer: A
NOTE: Answer is A
Explanation: Option A is the most direct method. The key-name filter on describe-instances returns every instance that was launched with that key pair, across all reservations; run it in each region, since key pairs and instances are regional (the key pair name also appears as KeyName in the describe-instances output). B is wrong because Amazon Inspector does not record key pair fingerprints. C only shows the key assigned to the one instance the command is run on, and requires logging in to each instance. D is wrong because CloudWatch Logs contain key fingerprints only if the instances ship their SSH logs there. One caveat: the key-name filter reflects the key pair given at launch. A public key added to ~/.ssh/authorized_keys afterwards is invisible to EC2, so after identifying the instances, remove the compromised public key from authorized_keys on each of them (the key pair name of a running instance cannot be changed).
Question #49 Topic 1

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions. What is the SIMPLEST way to meet these requirements?

  • A Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
  • B Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
  • C Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
  • D Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.
Suggested Answer: C
NOTE: Answer is C
Explanation: CloudTrail records AWS API activity and can deliver it centrally for auditing. A single trail created with the "apply to all regions" option (IsMultiRegionTrail) records events from every current region and from any region AWS adds later, and, with global service events enabled, IAM and STS calls as well, so nothing has to be reconfigured when a new region appears. Specifying one Amazon S3 bucket as the storage location gives the centralized, retained copy the team needs; enable log file validation on the trail so tampering with the stored logs can be detected. B would cover existing regions only and would need a new trail for each future region; Trusted Advisor (A) does not record API calls, and CloudWatch (D) does not log API activity for all services.
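Creating and checking the single all-region trail from option C, as an added example that is not from the exam page. central_trail_request holds the CreateTrail parameters that make the trail cover current and future regions; audit_trails evaluates describe_trails and get_trail_status output against the requirement. The trail names, bucket name and status data are constructed, and no AWS call is made.

```python
"""Create and audit the single all-region CloudTrail trail from the question.
Added example, not from the exam page. Input shapes follow the describe_trails
and get_trail_status responses; the sample data below is constructed."""

def central_trail_request(name, bucket):
    """CreateTrail parameters for one trail covering current and future regions."""
    return {
        "Name": name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,          # current and future regions
        "IncludeGlobalServiceEvents": True,  # IAM, STS and other global services
        "EnableLogFileValidation": True,     # digest files to detect tampering
    }

def create_central_trail(cloudtrail, name, bucket):
    """Create the trail and start it: CreateTrail alone leaves the trail not logging."""
    cloudtrail.create_trail(**central_trail_request(name, bucket))
    cloudtrail.start_logging(Name=name)
    return name

def audit_trails(trails, status_by_name, expected_bucket):
    """Findings per trail; an empty list means the trail meets the requirement."""
    findings = {}
    for trail in trails:
        issues = []
        if not trail.get("IsMultiRegionTrail"):
            issues.append("single-region: new regions will not be logged")
        if not trail.get("IncludeGlobalServiceEvents"):
            issues.append("global service events (IAM/STS) not recorded")
        if trail.get("S3BucketName") != expected_bucket:
            issues.append(f"delivers to {trail.get('S3BucketName')} instead of {expected_bucket}")
        if not trail.get("LogFileValidationEnabled"):
            issues.append("log file validation disabled")
        if not status_by_name.get(trail["Name"], {}).get("IsLogging"):
            issues.append("trail is not logging")
        findings[trail["Name"]] = issues
    return findings

def meets_requirement(trails, status_by_name, expected_bucket):
    """True if at least one trail has no findings."""
    return any(not issues
               for issues in audit_trails(trails, status_by_name, expected_bucket).values())

# Constructed sample: one correctly configured trail and one legacy per-region trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "S3BucketName": "central-cloudtrail-logs",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True},
    {"Name": "eu-legacy", "HomeRegion": "eu-west-1", "S3BucketName": "eu-logs",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "eu-legacy": {"IsLogging": False}}

if __name__ == "__main__":
    for name, issues in audit_trails(SAMPLE_TRAILS, SAMPLE_STATUS, "central-cloudtrail-logs").items():
        print(name, "OK" if not issues else issues)
```

With real clients, pass boto3.client("cloudtrail") to create_central_trail and feed audit_trails the "trailList" from describe_trails plus a dict of get_trail_status results keyed by trail name; the S3 bucket policy must also allow cloudtrail.amazonaws.com to write to it, which this audit does not check.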
Question #50 Topic 1

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances. Which combination of activities must the company implement to meet its encryption requirements? (Choose two.)

  • A Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
  • B Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
  • C In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
  • D In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
  • E Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Suggested Answer: AD
NOTE: Answer is A, D
Explanation: Option A is correct because an ALB encrypts traffic to its targets only when the target group protocol is HTTPS, which requires a TLS listener with a certificate on each EC2 instance (a self-signed certificate is acceptable, as the ALB does not validate the target's certificate). Option D is correct because traffic between the EC2 instances never passes through the ALB, so it must be protected by the application itself, for example TLS between the instances or payload encryption with a cryptography library. Option B is wrong because a VPC does not offer a default encryption setting for traffic between instances. Option C is wrong because an ALB has no "default encryption" option; ALB-to-target encryption comes only from an HTTPS target group. Option E is wrong because AWS Direct Connect links an on-premises network to AWS and does not by itself encrypt traffic, let alone between two EC2 instances.