AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) questions were last updated today.
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • Trademarks, certification & product names are used for reference only and belong to Amazon.

Topic 1 - Exam A

Question #31 Topic 1

Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?

  • A Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
  • B Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
  • C Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
  • D Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.
Suggested Answer: A
NOTE: Answer is: A
Explanation: CloudTrail can deliver its events to a CloudWatch Logs log group. A metric filter on that log group that matches authorization-failure error codes (errorCode values such as AccessDenied* and *UnauthorizedOperation) emits a custom metric, and a CloudWatch alarm on the Sum of that metric over a period fires, typically into an SNS topic, once the count crosses a threshold. That is a fully managed, automated alert. Streaming CloudTrail data to Kinesis and counting in a Lambda function (B) can be built, but it reimplements with custom code what the metric filter does natively. An Athena query feeding a QuickSight dashboard (C) is reporting, not an alert. The Personal Health Dashboard (D) reports AWS service events that affect the account, not authorization failures on the account's own API calls.
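The detection logic behind answer A, as an added example (not code from ExamTopics or AWS): the CloudWatch Logs filter pattern is shown as a string constant, and the same matching, per-period summing and threshold comparison are reproduced locally so they can be run against a handful of constructed CloudTrail records. The period (5 minutes), the threshold (3) and the sample records are assumptions for the illustration.

```python
"""Local model of a CloudWatch Logs metric filter + alarm for unauthorized API calls.
The log lines below are constructed for the example, not real CloudTrail output."""
import json
from collections import Counter
from datetime import datetime, timezone

# Filter pattern placed on the CloudTrail log group in CloudWatch Logs. The two globs
# cover "AccessDenied" / "AccessDeniedException" and "Client.UnauthorizedOperation".
FILTER_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

PERIOD_SECONDS = 300  # alarm period of 5 minutes (assumed)
THRESHOLD = 3         # alarm when Sum over one period reaches this value (assumed)

# One JSON document per log event, as CloudWatch Logs receives them from CloudTrail.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-05-01T10:00:05Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventTime":"2024-05-01T10:01:10Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventTime":"2024-05-01T10:02:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventTime":"2024-05-01T10:03:30Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventTime":"2024-05-01T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","errorCode":"InvalidParameterValue","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventTime":"2024-05-01T10:12:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
]


def matches_filter(record: dict) -> bool:
    """Same predicate as FILTER_PATTERN: glob match on the errorCode field.
    A successful call has no errorCode at all and therefore never matches."""
    code = record.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def metric_values(log_lines):
    """Metric filter behaviour: emit the value 1 for every matching record, then
    aggregate as the alarm would with statistic Sum over PERIOD_SECONDS.
    Returns {period_start_epoch: count}."""
    sums = Counter()
    for line in log_lines:
        record = json.loads(line)
        if not matches_filter(record):
            continue
        ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        period_start = int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
        sums[period_start] += 1
    return dict(sums)


def alarming_periods(log_lines, threshold=THRESHOLD):
    """ISO start time of every period whose Sum >= threshold, i.e. the periods in which
    the CloudWatch alarm would transition to ALARM."""
    return [
        datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        for start, count in sorted(metric_values(log_lines).items())
        if count >= threshold
    ]


def offending_principals(log_lines):
    """Who generated the failures: what the responder looks at once the alarm fires."""
    who = Counter()
    for line in log_lines:
        record = json.loads(line)
        if matches_filter(record):
            who[record["userIdentity"]["arn"]] += 1
    return dict(who)


if __name__ == "__main__":
    print("filter pattern:", FILTER_PATTERN)
    print("per-period sums:", metric_values(SAMPLE_LOG_LINES))
    print("alarm periods:", alarming_periods(SAMPLE_LOG_LINES))
    print("principals:", offending_principals(SAMPLE_LOG_LINES))
```

With the sample data the 10:00 to 10:05 period accumulates three matches and alarms, while the single AccessDenied at 10:12 stays below the threshold; the success and the InvalidParameterValue record are ignored because only authorization failures are counted.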
Question #32 Topic 1

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

  • A Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
  • B Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
  • C Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
  • D Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
Suggested Answer: B
NOTE: Answer is :B
Explanation: The kms:ViaService condition key restricts use of a KMS key to requests that an AWS service makes on the principal's behalf. A key policy statement that allows the cryptographic actions only when kms:ViaService equals the S3 service name (s3.<region>.amazonaws.com; the value is Region-specific, so a key used from several Regions needs one value per Region) lets S3 use the key for SSE-KMS, while a direct call to KMS by the same principal carries no kms:ViaService key at all, and a call made through another service such as DynamoDB carries a different value, so neither is allowed by that statement. The condition belongs on the key-usage statements only; key administrators need to manage the key directly, so their statement must not carry it. Options A, C and D do not constrain which service may use the key: an allow on kms:Encrypt for the S3 principal (A) does not cover the Decrypt and GenerateDataKey calls S3 makes and does not exclude other services, and IAM user policies (C, D) cannot express "only via S3".
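An added example of the key policy answer B describes, with a small evaluator for the kms:ViaService condition so the allow/deny outcomes can be checked offline. This is illustration code, not AWS's policy evaluator: it models only the key policy (IAM identity-based policies, resource ARNs and the other condition operators are left out), and the account ID, Region and role names are assumptions.

```python
"""KMS key policy constrained to Amazon S3 via kms:ViaService, plus a minimal evaluator.
Only the key policy is modelled; identity-based IAM policies are not part of this check."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # assumed
REGION = "us-east-1"         # assumed; kms:ViaService values are Region-specific

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Administration only: no Encrypt/Decrypt, and no ViaService condition, or the
            # administrators could no longer manage the key with direct KMS calls.
            "Sid": "AllowKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmin"},
            "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion", "kms:TagResource", "kms:UntagResource"],
            "Resource": "*",
        },
        {
            # Cryptographic use only when the request arrives through S3 in this Region.
            "Sid": "AllowUseOnlyViaS3",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}},
        },
    ],
}


def policy_json() -> str:
    """The document you would pass to kms put-key-policy."""
    return json.dumps(KEY_POLICY, indent=2)


def _matches(patterns, value) -> bool:
    """IAM-style glob match; a policy element may be a string or a list of strings."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringEquals is modelled. A key that is absent from the request context never
    matches, which is exactly why a direct kms:Decrypt call fails the ViaService check."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context or not _matches(expected, context[key]):
            return False
    return True


def key_policy_allows(policy: dict, principal_arn: str, action: str, via_service: str = None) -> bool:
    """True if an Allow statement matches principal, action and condition and no matching
    Deny statement exists. via_service is the value KMS would place in kms:ViaService when
    a service calls on the principal's behalf; None models a direct API call."""
    context = {"kms:ViaService": via_service} if via_service else {}
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Principal"]["AWS"], principal_arn):
            continue
        if not _matches(st["Action"], action):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    app = f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"
    for via in (f"s3.{REGION}.amazonaws.com", f"dynamodb.{REGION}.amazonaws.com", None):
        print(f"kms:Decrypt via {via}: {key_policy_allows(KEY_POLICY, app, 'kms:Decrypt', via)}")
```

The evaluator makes the two practical caveats visible: the same principal is allowed through S3 in us-east-1 but not through S3 in another Region (the service name carries the Region), and the KeyAdmin role can describe and manage the key but cannot decrypt with it, which is the separation of duties a key policy should enforce.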
Question #33 Topic 1

A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees. What should the company do to meet these requirements?

  • A Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
  • B Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
  • C Establish a VPN connection with the AWS virtual private cloud over the Internet.
  • D Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.
Suggested Answer: D
NOTE: Answer is: D
Explanation: AWS Direct Connect delivers the consistent network experience, because traffic uses a dedicated connection instead of the public Internet, but Direct Connect does not encrypt traffic, so the encryption has to come from an IPsec Site-to-Site VPN carried over the Direct Connect link. That VPN terminates on the virtual private gateway's public endpoint addresses, so it must run over a public virtual interface, with the customer gateway's public IP addresses advertised as prefixes; that is option D. A private virtual interface behind a Direct Connect gateway (B) reaches VPC private address space, not the public VPN endpoints, so the VPN in option B cannot be established. A Direct Connect gateway has no IPsec setting and AWS does not natively encrypt Direct Connect traffic (A). A VPN over the Internet (C) is encrypted but offers none of the consistency the company asked for.
Question #34 Topic 1

A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the Security Engineer do to meet these requirements?

  • A Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
  • B Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
  • C Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
  • D Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
Suggested Answer: B
NOTE: Answer is :B
Explanation: A permissions boundary sets the maximum permissions an IAM user or role can have. A request is allowed only if both the identity-based policies and the permissions boundary allow it, and an explicit deny in either wins. A boundary that allows only Amazon EC2 actions therefore caps the contractor's user at EC2: if a group membership later attaches a policy for other services, those permissions fall outside the boundary and are implicitly denied. Boundaries are attached to the user or role itself, not to a group. An inline user policy (A) or a group policy (C) grants permissions but does not cap permissions granted later, and a role (D) only limits the contractor while the role is assumed; it does nothing about what the IAM user can do directly.
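An added example (not ExamTopics or AWS code) of the evaluation rule the explanation describes: the effective permission is the intersection of the identity-based policies and the boundary, with explicit denies winning. The model below covers the Action element only; Resource and Condition elements, resource-based policies and SCPs are deliberately left out, and the policy contents, user name and policy ARN in the comment are assumptions.

```python
"""Permissions boundary as an upper bound on a user's effective permissions.
Models the Action element only; Resource/Condition, resource-based policies and SCPs
are not part of this illustration."""
import fnmatch

# The boundary: EC2 and nothing else. Attached to the user with, for example,
#   aws iam put-user-permissions-boundary --user-name contractor \
#       --permissions-boundary arn:aws:iam::111122223333:policy/EC2OnlyBoundary
# (user name and policy ARN assumed).
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Identity-based policy the contractor starts with.
USER_POLICIES = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
]

# Policy that arrives later through a group membership the Security Engineer does not
# control; it grants S3 and iam:PassRole and denies instance termination.
GROUP_POLICY_ADDED_LATER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _action_matches(patterns, action: str) -> bool:
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in pats)


def _decision(policies, action: str):
    """'Deny', 'Allow' or None (implicit deny) for a list of policy documents.
    Any matching Deny statement short-circuits the result."""
    result = None
    for doc in policies:
        for st in doc["Statement"]:
            if _action_matches(st["Action"], action):
                if st["Effect"] == "Deny":
                    return "Deny"
                result = "Allow"
    return result


def effective_allow(action: str, identity_policies, boundary=None) -> bool:
    """IAM rule for a same-account request with no resource-based policy: an explicit Deny
    anywhere wins; otherwise the identity policies AND the boundary must both Allow."""
    if _decision(identity_policies, action) != "Allow":
        return False
    if boundary is None:
        return True
    return _decision([boundary], action) == "Allow"


def contractor_can(action: str, extra_group_policies=(), boundary=BOUNDARY) -> bool:
    """Convenience wrapper: the contractor's user policies plus any later group policies."""
    return effective_allow(action, USER_POLICIES + list(extra_group_policies), boundary)


if __name__ == "__main__":
    later = [GROUP_POLICY_ADDED_LATER]
    for act in ("ec2:DescribeInstances", "s3:ListAllMyBuckets", "iam:PassRole", "ec2:TerminateInstances"):
        print(f"{act:25} no boundary: {contractor_can(act, later, None)!s:5}  with boundary: {contractor_can(act, later)}")
```

Running it shows the point of answer B: without the boundary the later group policy hands the contractor S3 and iam:PassRole; with the boundary those stay denied while EC2 keeps working, and the group's explicit deny on ec2:TerminateInstances is honoured in both cases.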
Question #35 Topic 1

A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days. After a short period of time, a number of existing applications have failed with authentication errors. What is the MOST likely cause of the authentication errors?

  • A Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
  • B Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
  • C The Secrets Manager IAM policy does not allow access to the RDS database.
  • D The Secrets Manager IAM policy does not allow access for the applications.
Suggested Answer: B
NOTE: Answer is :B
Explanation: When rotation is turned on in the Secrets Manager console, the option to rotate the secret immediately is selected by default, so the first rotation runs as soon as rotation is enabled rather than 30 days later. Rotation changes the password in the RDS database and stores the new value as the AWSCURRENT version of the secret. Applications that copied the password at migration time, or that cached it for longer than the rotation interval, keep presenting the retired credential and fail with authentication errors. They need to retrieve the secret from Secrets Manager when they connect and refresh it when authentication fails. The IAM explanations (C, D) would have failed from the start, not after a short period, and storing the credential in Secrets Manager (A) does not force database connections through Secrets Manager.
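The failure mode and the fix, as an added example that is not ExamTopics or AWS code: Secrets Manager and the database are simulated in-process (the real rotation Lambda runs four steps, createSecret, setSecret, testSecret and finishSecret, which the simulation collapses into one), and the user name and initial password are assumptions. The caching client does what the AWS-provided Secrets Manager caching libraries do: reuse the fetched secret, and refetch AWSCURRENT when the database rejects the credential.

```python
"""Why enabling rotation breaks applications that copied the credential, and the client
pattern that survives it. Secrets Manager and the database are simulated; nothing here
talks to AWS. User name and initial password are assumed values."""
import secrets as _secrets


class AuthError(Exception):
    """Raised by the simulated database on a wrong password."""


class FakeDatabase:
    def __init__(self, user: str, password: str):
        self.creds = {user: password}

    def connect(self, user: str, password: str) -> str:
        if self.creds.get(user) != password:
            raise AuthError("authentication failed")
        return f"session:{user}"

    def set_password(self, user: str, password: str) -> None:
        self.creds[user] = password


class FakeSecretsManager:
    """Keeps versions under staging labels like the real service (AWSCURRENT/AWSPREVIOUS)."""

    def __init__(self, db: FakeDatabase, user: str, password: str):
        self.db = db
        self.versions = {"AWSCURRENT": {"username": user, "password": password}}
        self.rotation_days = None

    def get_secret_value(self, stage: str = "AWSCURRENT") -> dict:
        return dict(self.versions[stage])

    def rotate(self) -> None:
        """Single-user rotation: new password into the database, then promote it."""
        current = self.versions["AWSCURRENT"]
        pending = {"username": current["username"], "password": _secrets.token_urlsafe(24)}
        self.db.set_password(pending["username"], pending["password"])
        self.versions["AWSPREVIOUS"] = current
        self.versions["AWSCURRENT"] = pending

    def enable_rotation(self, days: int = 30, rotate_immediately: bool = True) -> None:
        """The console's "rotate immediately" option is on by default, so enabling a
        30-day schedule performs the first rotation right now, not in 30 days."""
        self.rotation_days = days
        if rotate_immediately:
            self.rotate()


def connect_with_copied_credential(db: FakeDatabase, copied: dict) -> str:
    """The failing pattern: the password was read once during migration and reused."""
    return db.connect(copied["username"], copied["password"])


class CachingClient:
    """The surviving pattern: cache the secret, but refresh it on an auth failure."""

    def __init__(self, sm: FakeSecretsManager):
        self.sm = sm
        self._cached = None

    def credential(self, refresh: bool = False) -> dict:
        if refresh or self._cached is None:
            self._cached = self.sm.get_secret_value("AWSCURRENT")
        return self._cached

    def connect(self, db: FakeDatabase) -> str:
        cred = self.credential()
        try:
            return db.connect(cred["username"], cred["password"])
        except AuthError:
            cred = self.credential(refresh=True)  # cache was stale: rotation happened
            return db.connect(cred["username"], cred["password"])


def scenario() -> dict:
    """Replays the question: migrate, enable rotation, then see which clients still work."""
    db = FakeDatabase("appuser", "initial-password")
    sm = FakeSecretsManager(db, "appuser", "initial-password")
    copied = sm.get_secret_value()        # what the legacy apps captured at migration
    client = CachingClient(sm)
    client.connect(db)                    # warms the cache with the pre-rotation secret
    sm.enable_rotation(days=30)           # first rotation happens immediately
    try:
        connect_with_copied_credential(db, copied)
        copied_ok = True
    except AuthError:
        copied_ok = False
    return {
        "copied_credential_works": copied_ok,
        "caching_client_works": client.connect(db) == "session:appuser",
        "previous_version_password": sm.get_secret_value("AWSPREVIOUS")["password"],
        "current_differs_from_initial": sm.get_secret_value()["password"] != "initial-password",
    }


if __name__ == "__main__":
    print(scenario())
```

The copied credential fails the moment rotation is enabled, which is the "short period of time" in the question; the caching client hits the same AuthError once, refetches AWSCURRENT and reconnects, which is why fetch-at-connect with refresh-on-failure is the pattern to migrate applications to before turning rotation on.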