AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) questions were last updated today.
  • Viewing page 6 out of 121 pages.
  • Viewing questions 26-30 out of 605 questions
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon and Azure
  • Trademarks, certification & product names are used for reference only and belong to Amazon and Azure

Topic 1 - Exam A

Question #26 Topic 1

A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message: `There is a problem with the bucket policy.` What will enable the Security Engineer to save the change?

  • A Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  • B Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
  • C Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  • D Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
Suggested Answer: C
NOTE: Answer is: C
Explanation: The error message indicates that there is a problem with the bucket policy, which must be corrected first. In this context, updating the existing bucket policy with the new log file prefix in the S3 console should resolve the problem; afterwards, the log file prefix can be updated in the CloudTrail console.

Question #27 Topic 1

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

  • A Create a custom authorization service using AWS Lambda.
  • B Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
  • C Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
  • D Configure an Amazon Cognito identity pool to integrate with social login providers.
  • E Update DynamoDB to store the user email addresses and passwords.
  • F Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Suggested Answer: BCF
NOTE: Answer is: B, C, F
Explanation: B and C are required to integrate the existing directory users into the Amazon Cognito user pool through the SAML identity provider, while F is required for API Gateway to use the user pool for authorization.

Question #28 Topic 1

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?

  • A Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
  • B Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
  • C Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
  • D Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
Suggested Answer: C
NOTE: Answer is: D
Explanation: Solution D is the most secure because it uses AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority and then uses AWS Certificate Manager to generate the private certificates and deploy them to all the containers. This maintains a high security level by generating private certificates and deploying them securely. In addition, it is easy to maintain because it benefits from the simplicity and integration of AWS services.

Question #29 Topic 1

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What should the Security Engineer do to provide the highest level of security for the account?

  • A Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
  • B Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
  • C Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
  • D Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
Suggested Answer: D
NOTE: Answer is: D
Explanation: Enabling multi-factor authentication for the root user adds an additional layer of security, as it requires additional evidence to authenticate. Creating a new IAM user that has administrator permissions in the AWS account allows the engineer to grant permissions without endangering the root account.

Question #30 Topic 1

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
  • The instance is allowed the kms:Decrypt action in its IAM role for all resources.
  • The AWS KMS CMK status is set to enabled.
  • The instance can communicate with the KMS API using a configured VPC endpoint.
What is causing the issue?

  • A The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
  • B The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
  • C The kms:Encrypt permission is missing from the EC2 IAM role
  • D The KMS CMK key policy that enables IAM user permissions is missing
Suggested Answer: D
NOTE: Answer is: A
Explanation: The issue is caused by the lack of the kms:GenerateDataKey permission in the EC2 instance's IAM role. Although the instance has the kms:Decrypt action, it also requires the kms:GenerateDataKey permission to decrypt anything using KMS CMKs.