AWS Certified Security Specialty (SCS)

Topic 1 - Exam A

Question #6 Topic 1

A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?

  • A The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
  • B The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator
  • C The S3 bucket policy fails to explicitly grant access to the Application Developer
  • D The S3 bucket policy explicitly denies access to the Application Developer
Suggested Answer: C
NOTE: Answer is :B
Explanation :Reading an object encrypted with SSE-KMS needs two separate authorizations: S3 must allow s3:GetObject (which the developer's IAM policy already does) and AWS KMS must allow kms:Decrypt on the key that protects the object. If the key policy does not authorize the developer, either directly or by delegating to IAM policies in the account, GetObject fails with AccessDenied even though the S3 permissions are in place. Option B is the only option that involves the key, so it is the intended answer. Its wording is loose, though: what the developer needs is key user permission (kms:Decrypt), not key administrator rights; the administrator statement in the default KMS key policy manages the key but does not grant Decrypt. Options A and C describe a missing explicit grant, which is not a denial when the developer's IAM policy already allows access within the same account. Option D, an explicit deny in the bucket policy, would also block access, but the question's emphasis on the bucket being encrypted points at the key policy.
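How the two authorizations interact, as an added example that is not part of the original page or AWS's own code: a small evaluator for a KMS key policy shaped like the default policy the KMS console generates (an administrator statement and a key-user statement). The account ID, role names and the policy itself are constructed; the evaluator handles AWS principals and action wildcards only, and ignores conditions, grants and the account-root statement that delegates to IAM policies.

```python
"""Why an S3 allow is not enough to read an SSE-KMS object (added example)."""
import fnmatch
import json

# Constructed key policy in the shape of the KMS console default: the
# administrator statement manages the key, the key-user statement uses it.
KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
      "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource",
                 "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:role/DataPipeline"]},
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def evaluate(policy, principal_arn, action):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one principal and action.

    Mirrors the basic IAM evaluation order: an explicit Deny wins over any
    Allow, and with no matching statement the result is an implicit deny.
    """
    verdict = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _principal_matches(statement, principal_arn):
            continue
        patterns = _as_list(statement["Action"])
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def can_read_sse_kms_object(policy, principal_arn, s3_get_object_allowed):
    """GetObject on an SSE-KMS object succeeds only if S3 allows GetObject
    AND the key policy allows kms:Decrypt for the same principal."""
    kms_allowed = evaluate(policy, principal_arn, "kms:Decrypt") == "Allow"
    return s3_get_object_allowed and kms_allowed


if __name__ == "__main__":
    for role in ("AppDeveloper", "KeyAdmin", "DataPipeline"):
        arn = "arn:aws:iam::111122223333:role/" + role
        print(role, "decrypt:", evaluate(KEY_POLICY, arn, "kms:Decrypt"),
              "can read object:", can_read_sse_kms_object(KEY_POLICY, arn, True))
```

Running it shows the point of the question: the key administrator can schedule the key for deletion but cannot decrypt with it, the pipeline role can decrypt, and a developer who appears nowhere in the key policy cannot read the object no matter what the S3 side allows.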
Question #7 Topic 1

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs. Which architecture should the Security Engineer use to meet these requirements?

  • A Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • B Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
  • C Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • D Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
Suggested Answer: C
NOTE: Answer is :D
Explanation :AWS WAF inspects HTTP(S) requests in front of the application (on an ALB, CloudFront distribution or API Gateway) and blocks common web exploits such as SQL injection and cross-site scripting; AWS Shield is DDoS protection and does not inspect request content, so options A and B are out. VPC Flow Logs cannot enforce anything: they are a passive record of IP-level metadata (addresses, ports, protocol, accept or reject) written after the fact, and they carry no hostname or URL, so a Lambda function reading them has neither the information nor the position in the data path to restrict egress to whitelisted URLs. Enforcing a URL or domain allowlist on outbound traffic needs an inline filtering forward proxy or firewall that sees the destination host, which in this question's options means a third-party AWS Marketplace solution (option D). AWS Network Firewall can also apply domain allowlists to egress traffic, but it is not among the options.
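What a URL-filtering egress control actually needs to see, as an added example that is not part of the original page or of any AWS or Marketplace product: the allow/deny decision a forward proxy makes from the destination hostname in an HTTP CONNECT line or an absolute URL, which is information a flow log record never contains. The allowlist entries and request lines are constructed.

```python
"""Hostname allowlisting as an egress forward proxy does it (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: exact names, or '*.' entries for any subdomain.
ALLOWED_HOSTS = ("api.example.com", "*.updates.example.net")


def target_host(request_line):
    """Destination host from 'CONNECT host:port HTTP/1.1' (HTTPS tunnels) or
    'GET http://host/path HTTP/1.1' (plain HTTP through a proxy).
    Returns None when no host can be determined, which must mean deny."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return None
        return host.strip("[]").lower()  # IPv6 literals arrive in brackets
    parsed = urlsplit(target)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host, allowlist=ALLOWED_HOSTS):
    """Exact match, or at least one extra label under a '*.' entry.
    IP literals are refused so a client cannot resolve an allowed name and
    connect to the address directly; suffix matching is label-aware so
    'api.example.com.evil.net' is not mistaken for 'api.example.com'."""
    if host is None or _is_ip_literal(host):
        return False
    host = host.rstrip(".")  # 'host.' is the same name in absolute form
    for entry in allowlist:
        if entry.startswith("*."):
            suffix = entry[1:]  # '.updates.example.net'
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def decide(request_line, allowlist=ALLOWED_HOSTS):
    """Proxy decision for one request line: ('ALLOW'|'DENY', host)."""
    host = target_host(request_line)
    verdict = "ALLOW" if host_allowed(host, allowlist) else "DENY"
    return verdict, host


if __name__ == "__main__":
    # Constructed request lines as an instance behind the proxy would send them.
    for line in ("CONNECT api.example.com:443 HTTP/1.1",
                 "CONNECT mirror1.updates.example.net:443 HTTP/1.1",
                 "CONNECT api.example.com.evil.net:443 HTTP/1.1",
                 "CONNECT 203.0.113.10:443 HTTP/1.1",
                 "GET http://updates.example.net/ HTTP/1.1"):
        print(decide(line), line)
```

Two design points carry over to any real deployment: for HTTPS the proxy only sees the host from the CONNECT line (or the TLS SNI), never the path, so a "whitelisted URL" requirement is in practice a hostname allowlist unless TLS is terminated at the proxy; and the wildcard entry deliberately does not cover the apex name, so `updates.example.net` itself must be listed explicitly if it is wanted.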
Question #8 Topic 1

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets. How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

  • A Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.
  • B Move the web servers to private subnets without public IP addresses.
  • C Configure AWS WAF to provide DDoS attack protection for the ALB.
  • D Require all inbound network traffic to route through a bastion host in the private subnet.
  • E Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.
Suggested Answer: CD
NOTE: Answer is :B, C
Explanation :Moving the web servers into private subnets without public IP addresses (option B) removes their direct exposure to the internet; the ALB stays in the public subnets and becomes the only internet-facing component. Adding AWS WAF to the ALB (option C) filters malicious requests, including rate-based rules against HTTP floods, before they reach the instances, and AWS Shield Standard already covers network-layer DDoS on the ALB at no extra cost. The other options do not protect the edge: NAT gateways only serve outbound connections from private subnets, not inbound traffic (A); a bastion host in a private subnet is not reachable from the internet and exists for administrative SSH/RDP access, not application traffic (D); and AWS Direct Connect is a private link to an on-premises network, not a control for internet-facing traffic (E).
Question #9 Topic 1

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

  2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
  2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

  • A In the security group of the EC2 instance, allow inbound ICMP traffic.
  • B In the security group of the EC2 instance, allow outbound ICMP traffic.
  • C In the VPC's NACL, allow inbound ICMP traffic.
  • D In the VPC's NACL, allow outbound ICMP traffic.
Suggested Answer: A
NOTE: Answer is :D
Explanation :The first record is the inbound echo request (203.0.113.12 to 172.31.16.139) and it was accepted, so the instance's security group already allows inbound ICMP. The second record is the instance's echo reply, and it was rejected. Security groups are stateful: once a request has been accepted, the reply is permitted automatically without evaluating outbound rules, so neither option A nor option B explains the REJECT. Network ACLs are stateless and evaluate each direction on its own: the inbound echo request passed the NACL, but there is no rule allowing outbound ICMP, so the reply is dropped. Adding an outbound ICMP allow rule to the subnet's network ACL (option D) makes the ping work. As a general troubleshooting rule, an ACCEPT followed by a REJECT for the reverse direction of the same flow in VPC Flow Logs points at a network ACL, because a security group cannot produce that pattern.
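The ACCEPT-then-REJECT pattern above turned into a check, as an added example that is not the page's or AWS's code: it parses default-format (version 2) VPC Flow Log records, pairs each REJECT with an earlier ACCEPT of the reverse flow on the same ENI, and reports which network ACL rule is missing. The two ICMP records are the ones quoted in the question; the two TCP records are constructed to show a healthy stateful flow that is not flagged.

```python
"""Find stateless (network ACL) drops in VPC Flow Logs (added example)."""
from collections import namedtuple

# Default flow log record format, version 2: 14 space-separated fields.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
FlowRecord = namedtuple("FlowRecord", FIELDS)

PROTOCOL_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # IANA numbers

# First two records: the ones from the question. Last two: a constructed SSH
# flow whose reply is accepted, i.e. what a healthy stateful path looks like.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 49152 22 6 10 1200 1432917100 1432917160 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 22 49152 6 8 900 1432917101 1432917160 ACCEPT OK
"""


def parse_records(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError("not a default-format record: %r" % line)
        records.append(FlowRecord(*parts))
    return records


def find_stateless_rejects(records):
    """Pair each REJECT with an accepted flow in the opposite direction.

    A security group is stateful: once it accepts a request it lets the
    reply through without consulting its outbound rules, so it can never
    produce ACCEPT-then-REJECT for one flow. The only stateless control in
    the path is the subnet network ACL, which is therefore the suspect.
    """
    accepted = {}
    for r in records:
        if r.action == "ACCEPT" and r.log_status == "OK":
            key = (r.interface_id, r.srcaddr, r.dstaddr,
                   r.srcport, r.dstport, r.protocol)
            accepted[key] = r
    findings = []
    for r in records:
        if r.action != "REJECT":
            continue
        reverse_key = (r.interface_id, r.dstaddr, r.srcaddr,
                       r.dstport, r.srcport, r.protocol)
        forward = accepted.get(reverse_key)
        if forward is not None and int(r.start) >= int(forward.start):
            findings.append((forward, r))
    return findings


def missing_nacl_rule(forward, rejected, instance_ip):
    """Describe the network ACL rule that would let the rejected leg through,
    with direction expressed relative to the instance that owns the ENI."""
    direction = "outbound" if rejected.srcaddr == instance_ip else "inbound"
    protocol = PROTOCOL_NAMES.get(rejected.protocol, "protocol " + rejected.protocol)
    return {"control": "network ACL", "direction": direction,
            "protocol": protocol, "from": rejected.srcaddr, "to": rejected.dstaddr,
            "request_accepted_at": forward.start}


def diagnose(text, instance_ip):
    records = parse_records(text)
    return [missing_nacl_rule(f, r, instance_ip)
            for f, r in find_stateless_rejects(records)]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "172.31.16.139"):
        print(finding)
```

On the sample log the only finding is the ICMP reply, reported as a missing outbound ICMP allow on the network ACL; the SSH flow is ignored because both legs were accepted. The same logic runs unchanged over records exported from CloudWatch Logs or S3, as long as the flow log uses the default format.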
Question #10 Topic 1

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year. How should the bucket be configured?

  • A Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
  • B Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
  • C Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
  • D Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
Suggested Answer: B
NOTE: Answer is :B
Explanation :Automatic rotation is a property of the KMS key, not of the bucket, and it can only be turned on for a customer managed key whose key material was generated by KMS. With rotation enabled, KMS generates new backing key material every year (one year is the default rotation period) and keeps the older material so existing ciphertext still decrypts. The bucket therefore has to use server-side encryption with KMS keys (SSE-KMS; option B's "S3-KMS" is the same thing) pointing at a customer managed key with rotation enabled. Options A and C pair SSE-S3, where S3 manages the keys itself, with a KMS key, which is not a valid combination, and imported key material cannot be rotated automatically at all. Option D uses an AWS managed key (aws/s3), whose rotation runs on AWS's schedule and cannot be configured by the customer.
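Configuring the bucket and key the way option B describes, as an added example that is not from the page or from AWS's own documentation: it uses the real boto3 operations (describe_key, enable_key_rotation, get_key_rotation_status, put_bucket_encryption, get_bucket_encryption) but runs offline against constructed in-memory stand-ins for the two clients; the bucket name, account ID and key IDs are made up. The precondition check is the part worth copying: rotation can only be enabled on a customer managed key with KMS-generated material.

```python
"""SSE-KMS default encryption with an auto-rotating customer managed key
(added example; client calls are real boto3 operations, clients are fakes)."""


def assert_rotatable(kms, key_id):
    """Rotation can only be enabled on a customer managed key whose material
    KMS generated. AWS managed keys (aws/s3) rotate on AWS's schedule and
    cannot be configured; imported (EXTERNAL) material must be rotated by hand."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["KeyManager"] != "CUSTOMER":
        raise ValueError("%s is not a customer managed key" % key_id)
    if meta["Origin"] != "AWS_KMS":
        raise ValueError("origin %s cannot be rotated automatically" % meta["Origin"])
    if meta["KeyState"] != "Enabled":
        raise ValueError("key state is %s" % meta["KeyState"])
    return meta["Arn"]


def configure_bucket(s3, kms, bucket, key_id):
    """Enable yearly rotation on the key and make SSE-KMS with that key the
    bucket default, then read both settings back."""
    key_arn = assert_rotatable(kms, key_id)
    kms.enable_key_rotation(KeyId=key_id)  # default rotation period: one year
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": key_arn,  # full ARN, never an alias to aws/s3
            },
            "BucketKeyEnabled": True,  # fewer KMS calls, same key, same rotation
        }]},
    )
    return verify_bucket(s3, kms, bucket, key_id)


def verify_bucket(s3, kms, bucket, key_id):
    cfg = s3.get_bucket_encryption(Bucket=bucket)
    default = cfg["ServerSideEncryptionConfiguration"]["Rules"][0][
        "ApplyServerSideEncryptionByDefault"]
    status = kms.get_key_rotation_status(KeyId=key_id)
    return {"sse": default["SSEAlgorithm"],
            "key": default.get("KMSMasterKeyID"),
            "rotation_enabled": status["KeyRotationEnabled"]}


class FakeKMS:
    """Constructed in-memory stand-in for boto3.client('kms'); offline only."""

    def __init__(self, key_id, manager="CUSTOMER", origin="AWS_KMS"):
        self.key_id = key_id
        self.metadata = {"KeyId": key_id,
                         "Arn": "arn:aws:kms:us-east-1:111122223333:key/" + key_id,
                         "KeyManager": manager, "Origin": origin,
                         "KeyState": "Enabled"}
        self.rotation_enabled = False

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.metadata}

    def enable_key_rotation(self, KeyId):
        self.rotation_enabled = True
        return {}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.rotation_enabled}


class FakeS3:
    """Constructed in-memory stand-in for boto3.client('s3'); offline only."""

    def __init__(self):
        self.encryption = {}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encryption[Bucket] = ServerSideEncryptionConfiguration
        return {}

    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": self.encryption[Bucket]}


if __name__ == "__main__":
    kms = FakeKMS("1234abcd-12ab-34cd-56ef-1234567890ab")
    print(configure_bucket(FakeS3(), kms, "sensitive-data-bucket", kms.key_id))
    # Against a real account: import boto3 and pass boto3.client("s3") and
    # boto3.client("kms") instead of the fakes.
```

The same function refuses an AWS managed key (KeyManager is AWS) and a key with imported material (Origin is EXTERNAL) before touching the bucket, which is exactly the distinction between option B and options C and D. Because rotation is enabled on the key, every object S3 encrypts under it afterwards picks up the new material automatically; nothing on the bucket needs to change at rotation time.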