AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) exam questions were last updated today.
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • Trademarks, certification & product names are used for reference only and belong to Amazon.

Topic 1 - Exam A

Question #11 Topic 1

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)

  • A Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
  • B Enable Amazon GuardDuty in the security account, and join the production accounts as members.
  • C Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
  • D Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
  • E Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
  • F Configure event notifications on S3 buckets for PUT, POST, and DELETE events.
Suggested Answer: ACE
NOTE: Answer is: A, C, E
Explanation: A forwards the production accounts' events to the security account's event bus, so a single rule set in the security account covers every account. C adds the rule in the security account that matches bucket creation and bucket policy or configuration changes; these are S3 management API calls such as PutBucketPolicy, which reach CloudWatch Events through CloudTrail, so CloudTrail must be enabled in the production accounts. E runs a Lambda function on each match that reads the bucket's classification tag, evaluates the new policy against it, and notifies the Security team (for example through an Amazon SNS topic) when the policy is out of compliance. B, D and F do not fit: GuardDuty detects threats rather than policy drift, Trusted Advisor checks are neither classification-aware nor event-driven, and S3 event notifications cover object-level PUT, POST and DELETE operations, not bucket policy changes. CloudWatch Events is now Amazon EventBridge; the same rules and cross-account event bus apply.
Question #12 Topic 1

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials. An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

  • A Use AWS Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an AWS KMS key.
  • B Use AWS Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.
  • C Use AWS Secrets Manager to store the credentials.
  • D Store the credentials in a JSON file on Amazon S3 with server-side encryption.
Suggested Answer: C
NOTE: Answer is: C
Explanation: AWS Secrets Manager is a managed store purpose-built for credentials: each secret is encrypted with a KMS key, every GetSecretValue call is recorded in AWS CloudTrail (so access to a specific device's credential is independently auditable), and rotation is supported without custom code, which removes the operational overhead of B and D. B would require the company to run its own encryption logic plus an RDS instance, and D offers no per-credential access trail. Caveat on cost: Secrets Manager bills per secret per month and per 10,000 API calls, whereas standard Parameter Store SecureString parameters (option A) carry no storage charge and are also KMS-encrypted and CloudTrail-audited, so on storage cost alone A is cheaper for 2,000 credentials; C is the stronger choice where rotation and secret-specific resource policies matter.
Question #13 Topic 1

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture: * Data must be encrypted in transit. * Data must be encrypted at rest. * The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Choose two.)

  • A Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
  • B Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
  • C Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
  • D Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only.
  • E Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".
  • F Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.
Suggested Answer: BC
NOTE: Answer is: B, C
Explanation: B provides encryption at rest with a KMS key, and it is also what keeps the data confidential if the bucket is accidentally made public: reading an SSE-KMS object requires kms:Decrypt on the key as well as s3:GetObject, and an anonymous principal never holds the KMS permission, whereas SSE-S3 (A) decrypts transparently for anyone the bucket policy lets in. C enforces encryption in transit by denying requests made without TLS (aws:SecureTransport is false); in practice the Deny should cover s3:* on both the bucket and its objects, not only PutObject, so that downloads are protected too. E is a useful companion control that refuses uploads requesting a different encryption, but it does nothing for data in transit and cannot replace C. D is a network restriction, not encryption, and F (Macie) discovers sensitive data rather than protecting it.
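The checks that the Lambda function from Question #11 would run against a changed bucket policy, together with the two Deny statements Question #13 asks for, as an added example that is not part of the original page or of any AWS code. The tag key, the classification values, the bucket and topic names and the CloudTrail event shape used in the handler are assumptions; the boto3 clients are injected so the evaluation logic runs offline.

```python
"""Added example (not from the exam or AWS): classification-aware checks on an
S3 bucket policy, as the Lambda function in Question #11 would run, with the
two Deny statements from Question #13 as the required baseline.
Tag key, classification values and bucket/topic names are assumptions."""
import json

CLASSIFICATION_TAG = "DataClassification"  # assumed tag key on every bucket

# Which controls each classification demands; unknown values fail closed.
RULES = {
    "public": set(),
    "internal": {"no_public_allow"},
    "confidential": {"no_public_allow", "tls_only"},
    "restricted": {"no_public_allow", "tls_only", "sse_kms_put"},
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_allow(stmt):
    """True for an Allow whose Principal is the wildcard (anonymous access)."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_insecure_transport(stmt):
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and "s3:*" in _as_list(stmt.get("Action"))
            and str(cond.get("aws:SecureTransport")).lower() == "false")


def _denies_unencrypted_put(stmt):
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    return (stmt.get("Effect") == "Deny"
            and "s3:PutObject" in _as_list(stmt.get("Action"))
            and cond.get("s3:x-amz-server-side-encryption") == "aws:kms")


def evaluate_policy(policy, classification):
    """Return the list of findings for a bucket policy document; [] means compliant."""
    required = RULES.get(classification.lower(), RULES["restricted"])
    stmts = _as_list(policy.get("Statement"))
    findings = []
    if "no_public_allow" in required and any(_is_public_allow(s) for s in stmts):
        findings.append("Allow statement grants access to Principal '*'")
    if "tls_only" in required and not any(_denies_insecure_transport(s) for s in stmts):
        findings.append("no Deny on s3:* when aws:SecureTransport is false")
    if "sse_kms_put" in required and not any(_denies_unencrypted_put(s) for s in stmts):
        findings.append("no Deny on s3:PutObject without s3:x-amz-server-side-encryption=aws:kms")
    return findings


def required_policy(bucket):
    """Baseline policy for a sensitive bucket: the two Deny statements from Question #13."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def handle_policy_change(event, s3_client, sns_client, topic_arn):
    """Lambda body for a PutBucketPolicy management event (CloudTrail -> event bus).
    Clients are injected: in the security account they would come from a role
    assumed in the production account that owns the bucket."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "PutBucketPolicy":
        return []
    bucket = detail["requestParameters"]["bucketName"]
    # get_bucket_tagging raises NoSuchTagSet on an untagged bucket; an untagged
    # bucket is treated as unknown and therefore as restricted (fail closed).
    try:
        tags = s3_client.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except Exception:
        tags = []
    classification = next((t["Value"] for t in tags if t["Key"] == CLASSIFICATION_TAG), "unknown")
    policy = json.loads(s3_client.get_bucket_policy(Bucket=bucket)["Policy"])
    findings = evaluate_policy(policy, classification)
    if findings:
        sns_client.publish(
            TopicArn=topic_arn,
            Subject=f"S3 bucket policy non-compliant: {bucket}",
            Message=json.dumps({"bucket": bucket, "classification": classification,
                                "findings": findings}, indent=2))
    return findings
```

The evaluator fails closed on an unknown or missing classification tag, which is the behaviour you want in a monitoring account: a bucket that nobody has classified is treated as the most sensitive class until someone tags it.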
Question #14 Topic 1

A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?

  • A Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  • B Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
  • C Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  • D Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instances.
Suggested Answer: A
NOTE: Answer is: A
Explanation: Session Manager is what makes the activity traceable: each session is opened through the ssm:StartSession API, so AWS CloudTrail records which IAM identity started it, and with session logging enabled the full shell transcript is written to Amazon CloudWatch Logs (or S3) under that session ID. The user tag refers to the SSMSessionRunAs tag, which makes the shell run as a named OS user instead of the shared ssm-user account. B and D rely on shared or self-managed PEM key files and OS audit logs, which cannot tie a command to an IAM identity. Caveat: Session Manager needs no inbound port because the SSM Agent makes an outbound connection, so the only difference between A and C is whether port 22 stays open. Leaving it open lets anyone holding a key log in directly, outside Session Manager logging, which defeats the traceability requirement; C's closed port 22 is the stricter configuration and the one a practitioner would deploy.
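How the two log sources are joined to attribute a command to a person, as an added example that is not part of the original page or of any AWS tooling. The CloudTrail records and session transcripts below are constructed; the watchlist patterns and the prompt format are assumptions about the fleet.

```python
"""Added example (not from the exam or AWS): attributing Session Manager shell
commands to the IAM identity that opened the session. CloudTrail's StartSession
record carries the caller ARN in userIdentity and the session ID in
responseElements; Session Manager writes each session's transcript to a
CloudWatch log stream named after that session ID. The records and transcripts
below are constructed; the watchlist patterns are assumptions."""
import re

# Constructed CloudTrail records, trimmed to the fields used here.
CLOUDTRAIL_EVENTS = [
    {"eventName": "StartSession", "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"target": "i-0abc123def4567890"},
     "responseElements": {"sessionId": "alice-0123456789abcdef0"}},
    {"eventName": "StartSession", "eventTime": "2024-05-01T10:05:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob"},
     "requestParameters": {"target": "i-0abc123def4567890"},
     "responseElements": {"sessionId": "bob-0fedcba9876543210"}},
    {"eventName": "TerminateSession", "eventTime": "2024-05-01T10:06:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"sessionId": "alice-0123456789abcdef0"}},
]

# Constructed session transcripts keyed by log stream name (= session ID).
SESSION_LOGS = {
    "alice-0123456789abcdef0": "sh-4.2$ sudo cat /etc/shadow\nsh-4.2$ exit\n",
    "bob-0fedcba9876543210": "sh-4.2$ systemctl restart nginx\n",
}

# Shell prompt followed by the command typed; adjust to the fleet's PS1.
PROMPT = re.compile(r"^\S*\$ (.+)$", re.M)

# Assumed watchlist of commands the security team wants flagged.
WATCHLIST = [re.compile(p) for p in (r"/etc/shadow", r"\bchmod\s+777\b", r"\bcurl\b.*\|\s*sh\b")]


def index_sessions(events):
    """Map session ID -> (caller ARN, target instance) from StartSession records."""
    sessions = {}
    for ev in events:
        if ev.get("eventName") != "StartSession":
            continue
        sid = ev["responseElements"]["sessionId"]
        sessions[sid] = (ev["userIdentity"]["arn"], ev["requestParameters"]["target"])
    return sessions


def commands_from_transcript(text):
    """Extract the commands typed in a session transcript."""
    return [m.strip() for m in PROMPT.findall(text)]


def attribute_commands(events, logs):
    """Return (session_id, caller_arn, instance_id, command) for every command.
    A log stream with no matching StartSession record is reported with caller
    None so that gaps in CloudTrail coverage are visible rather than dropped."""
    sessions = index_sessions(events)
    rows = []
    for sid, text in logs.items():
        arn, instance = sessions.get(sid, (None, None))
        for cmd in commands_from_transcript(text):
            rows.append((sid, arn, instance, cmd))
    return rows


def flag_watchlist(rows):
    """Subset of attributed commands that match the watchlist."""
    return [r for r in rows if any(p.search(r[3]) for p in WATCHLIST)]
```

The join only works for sessions that went through Session Manager; a login over an open port 22 produces neither a StartSession record nor a transcript stream, which is the practical reason to close port 22 once Session Manager is in place.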
Question #15 Topic 1

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

  • A Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.
  • B Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
  • C Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
  • D Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Suggested Answer: B
NOTE: Answer is: B
Explanation: User data is not a secret store: anyone with ec2:DescribeInstanceAttribute can read it, and any process on the instance can fetch it from the instance metadata service, so sensitive values must never be embedded in it. B removes them: the secret is stored as a SecureString parameter in AWS Systems Manager Parameter Store, encrypted with a KMS key, and the bootstrap script retrieves it at boot using the instance role. The role needs ssm:GetParameter (or ssm:GetParameters) on that parameter and kms:Decrypt on the key, and every retrieval is logged in CloudTrail. A still ships the encrypted secret inside every AMI, C leaves the secret in S3 and relies on clean-up after the fact, and D cannot stop DescribeInstanceAttribute from returning the user data to callers outside the instance.
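The insecure bootstrap beside the Parameter Store version, as an added example that is not part of the original page or of any AWS code. The parameter name, KMS key ID, account ID, region and the inline-secret pattern are assumptions; the SSM client is a constructed stand-in so the retrieval path runs offline, whereas on an instance the same get_parameter call goes through boto3 with the instance-role credentials.

```python
"""Added example (not from the exam or AWS): moving a bootstrap secret out of EC2
user data into a Parameter Store SecureString. The parameter name, KMS key ID,
account ID, region and the inline-secret pattern are assumptions; FakeSSM is a
constructed stand-in for boto3's SSM client so the retrieval path runs offline."""
import re

PARAM = "/prod/app/db_password"  # assumed parameter name
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter" + PARAM
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed example of the problem: the secret sits in plaintext in user data,
# which is readable by anyone with ec2:DescribeInstanceAttribute and by any
# process on the instance via the metadata service.
INSECURE_USER_DATA = """#!/bin/bash
export DB_HOST=db.internal
export DB_PASSWORD="Sup3rS3cret!"
/opt/app/configure --host "$DB_HOST" --password "$DB_PASSWORD"
"""

# Secret-looking variable names assigned a literal rather than a command
# substitution or another variable (assumed heuristic, not exhaustive).
_INLINE_SECRET = re.compile(
    r"^\s*(?:export\s+)?([A-Za-z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Za-z0-9_]*)=(?!['\"]?\$)",
    re.M)


def find_inline_secrets(user_data):
    """Names of secret-looking variables assigned a literal value in user data."""
    return _INLINE_SECRET.findall(user_data)


def hardened_user_data(param_name, region):
    """Bootstrap script that fetches the secret at boot with the instance role.
    --with-decryption makes SSM decrypt the SecureString with its KMS key, which
    is why the role also needs kms:Decrypt on that key."""
    return f"""#!/bin/bash
set -euo pipefail
export DB_HOST=db.internal
DB_PASSWORD="$(aws ssm get-parameter --region {region} --name {param_name} \\
    --with-decryption --query Parameter.Value --output text)"
/opt/app/configure --host "$DB_HOST" --password "$DB_PASSWORD"
unset DB_PASSWORD
"""


def instance_role_policy(param_arn, key_arn):
    """Least-privilege policy for the instance role: read one parameter, decrypt
    with one key. GetParameter (used by the CLI) and GetParameters are both
    listed because they are separate IAM actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": param_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
    ]}


class FakeSSM:
    """Constructed stand-in for boto3's SSM client, get_parameter only.
    Like the real service, a SecureString read without WithDecryption returns
    the stored ciphertext rather than the plaintext."""
    def __init__(self, store):
        self._store = store

    def get_parameter(self, Name, WithDecryption=False):
        value = self._store[Name] if WithDecryption else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": value}}


def fetch_secret(ssm_client, name):
    """What the instance does at boot: read and decrypt one SecureString."""
    return ssm_client.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
```

The secret now exists only in the instance's memory for the duration of the configure call; the policy scopes the role to that single parameter ARN and key, so a compromised instance cannot enumerate other secrets under the same path.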