AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) question set was last updated today.
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon and Azure.
  • Trademarks, certification and product names are used for reference only and belong to Amazon and Azure.

Topic 1 - Exam A

Question #16 Topic 1

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

  • A Amazon S3 static web hosting
  • B Amazon CloudFront distribution
  • C Application Load Balancer
  • D Amazon Route 53
  • E VPC Flow Logs
Suggested Answer: BC
NOTE: Answer is: B, C
Explanation: Amazon CloudFront distributions and Application Load Balancers are valid event sources that can be associated with web access control lists (web ACLs) and trigger AWS WAF rules. Although Amazon S3 static web hosting, Amazon Route 53, and VPC Flow Logs are AWS services, they cannot be associated with a web ACL and do not trigger WAF rules.
Question #17 Topic 1

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied. What would be the MOST efficient way to achieve these goals?

  • A Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
  • B Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the defined maintenance windows.
  • C Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
  • D Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance window.
Suggested Answer: B
NOTE: Answer is: B
Explanation: Amazon EC2 Systems Manager not only reports on instance patch compliance but also enforces updates during the defined maintenance windows. It is therefore the most efficient way to produce the weekly compliance report and to guarantee that the latest approved patches are applied within the 30-day limit. The other options are either labor-intensive or do not ensure updates within 30 days.
Question #18 Topic 1

A company's Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company's AWS accounts in a centralized location to perform the analysis. How should the Security Engineer do this?

  • A Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
  • B Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
  • C Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
  • D Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.
Suggested Answer: D
NOTE: Answer is: D
Explanation: Option D is the most practical and efficient solution. Amazon CloudWatch Logs supports cross-account subscription filters for real-time processing of log data, and Kinesis Data Firehose is designed to load streaming data into data stores in near-real time. This lets the Security Engineer analyze data almost as soon as it is generated, which makes the solution well suited to detecting anomalies.
Question #19 Topic 1

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary. What solution should the Engineer use to implement the appropriate access restrictions for the application?

  • A Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
  • B Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
  • C Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
  • D Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
Suggested Answer: B
NOTE: Answer is: C
Explanation: Using AWS PrivateLink allows the data processing application to be accessed over the AWS network, which is safer and more reliable than exposing it to the internet. It is also the only option that does not involve managing CIDR block ranges from 1,500 different subsidiary companies, which is simpler and more compliant.
Question #20 Topic 1

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour. The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior. How can the Security Engineer address the issue?

  • A Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
  • B Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
  • C Use GuardDuty filters with auto archiving enabled to close the findings
  • D Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
Suggested Answer: C
NOTE: Answer is: C
Explanation: A GuardDuty filter with auto-archiving enabled closes matching findings automatically: the known-false-positive FTP brute force findings are archived as soon as they are generated, so they no longer clutter the active findings list, while GuardDuty continues to record them and still reports any other anomalous behavior. This improves the signal-to-noise ratio without reducing visibility.