AWS Certified Security Specialty (SCS)


Topic 1 - Exam A

Question #36 Topic 1

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

  • A Use the AWS account root user access keys instead of the AWS Management Console
  • B Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
  • C Enable multi-factor authentication for the AWS account root user
  • D Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
  • E Do not create access keys for the AWS account root user; instead, create AWS IAM users
Suggested Answer: BC
NOTE: Answer is: C, E
Explanation: Enabling multi-factor authentication for the AWS account root user adds an additional layer of protection to your account. Also, it's a security best practice to not create access keys for the AWS account root user. Instead, create individual IAM users so that you can enforce fine-grained control over who has access to your AWS resources.
Question #37 Topic 1

A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS. Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)

  • A Create IAM roles with permissions corresponding to each Active Directory group.
  • B Create IAM groups with permissions corresponding to each Active Directory group.
  • C Configure Amazon Cloud Directory to support a SAML provider.
  • D Configure Active Directory to add relying party trust between Active Directory and AWS.
  • E Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
Suggested Answer: BD
NOTE: Answer is: A, D
Explanation: To federate on-premises Active Directory with AWS, the Security Engineer should create IAM roles with permissions corresponding to each Active Directory group; this gives a direct mapping between directory groups and their counterpart AWS IAM roles, granting the appropriate permissions to those users. The engineer should also configure Active Directory to add a relying party trust between Active Directory and AWS. This trust relationship allows AWS to authenticate users from the on-premises Active Directory.
Question #38 Topic 1

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product. Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

  • A Ensure that the log file integrity validation mechanism is enabled.
  • B Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
  • C Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
  • D Ensure that only Systems Administrators and Developers with job-related need-to-know requirements are capable of viewing, but not modifying, the log files.
  • E Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
Suggested Answer: AD
NOTE: Answer is: A, D
Explanation: A and D are the appropriate answers because these choices ensure both the protection of log file integrity and restrict log access to only those with the necessary job-related requirement, such as Systems Administrators and Developers. B only introduces redundancy without addressing unauthorized access or tampering, and C allows for potential unwanted modifications to the files. E is irrelevant to the issue of unauthorized access or tampering with AWS CloudTrail log files.
Question #39 Topic 1

Which of the following minimizes the potential attack surface for applications?

  • A Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
  • B Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
  • C Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
  • D Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
Suggested Answer: A
NOTE: Answer is: A
Explanation: Security groups serve as a virtual firewall for your instance to control inbound and outbound traffic. Security groups provide stateful firewalls at the hypervisor level, which can greatly reduce the potential attack surface for applications.
Question #40 Topic 1

An application outputs logs to a text file. The logs must be continuously monitored for security incidents. Which design will meet the requirements with MINIMUM effort?

  • A Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
  • B Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
  • C Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
  • D Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
Suggested Answer: B
NOTE: Answer is: B
Explanation: To achieve continuous monitoring of logs with minimum effort, the best way is to use the native capabilities of AWS. The Amazon CloudWatch Logs agent can be installed and configured directly on the application's EC2 instance. With the logs agent shipping the log file, you can create a CloudWatch metric filter to monitor the application logs and set up CloudWatch alerts based on the metrics. This is more efficient than creating scheduled processes or file watchers, as it involves fewer steps and uses the built-in features of AWS.