AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) questions were last updated today.
  • Viewing page 5 out of 121 pages.
  • Viewing questions 21-25 out of 605 questions
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • Trademarks, certification & product names are used for reference only and belong to Amazon.

Topic 1 - Exam A

Question #21 Topic 1

The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website. What is causing this situation?

  • A Application Load Balancers do not support older web browsers.
  • B The Perfect Forward Secrecy settings are not configured correctly.
  • C The intermediate certificate is installed within the Application Load Balancer.
  • D The cipher suites on the Application Load Balancers are blocking connections.
Suggested Answer: A
NOTE: Answer is: A
Explanation: Older devices are likely not supported because their outdated browsers are incompatible with Application Load Balancers.
Question #22 Topic 1

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process. What should the Security Engineer use to accomplish this?

  • A Server-side encryption with Amazon S3-managed keys (SSE-S3)
  • B Server-side encryption with AWS KMS-managed keys (SSE-KMS)
  • C Server-side encryption with customer-provided keys (SSE-C)
  • D Client-side encryption with an AWS KMS-managed CMK
Suggested Answer: B
NOTE: Answer is: B
Explanation: AWS KMS lets you create and manage cryptographic keys and control their use across a wide range of AWS services. This service therefore fully meets the company's requirement: data stored in the S3 bucket is encrypted at rest with keys the company generates itself, while AWS handles key storage and the encryption process without manual intervention.
Question #23 Topic 1

A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only. What should the Security Engineer do to achieve this?

  • A Use envelope encryption with the AWS-managed CMK aws/s3.
  • B Create a customer-managed CMK with a key policy granting kms:Decrypt based on the ${aws:username} variable.
  • C Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
  • D Change the applicable IAM policy to grant S3 access to Resource: arn:aws:s3:::examplebucket/${aws:username}/*
Suggested Answer: D
NOTE: The Security Engineer should change the applicable IAM policy to grant S3 access to Resource: arn:aws:s3:::examplebucket/${aws:username}/*, which limits access to each IAM user to their assigned folder only. This can be achieved by using the ${aws:username} variable to specify the user-specific folder in the S3 bucket.
Question #24 Topic 1

A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals. While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?

  • A Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353
  • B Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
  • C Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
  • D Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
Suggested Answer: C
NOTE: Answer is: C
Explanation: Creating an Amazon CloudWatch custom metric on the VPC Flow Logs that identifies egress traffic on port 5353, and then updating the NACLs to block port 5353 outbound, is an immediate and direct method to stop the egress of data. It also helps identify all compromised hosts, since those are the ones still attempting to send data on port 5353 after the block is in place.
Question #25 Topic 1

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?

  • A Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
  • B Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
  • C Use the S3 encryption client to encrypt each file individually using S3-generated data keys.
  • D Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.
Suggested Answer: A
NOTE: Answer is: B
Explanation: This action requires the least amount of configuration because it uses a serverless architecture in which S3 Events trigger Lambda functions to perform file encryption. This eliminates the need to manually manage the encryption process and also provides granular control, thereby meeting the requirement of employing a different key for each file.