AWS Certified Security Specialty (SCS)

The AWS Certified Security Specialty (SCS) questions were last updated today.
  • Viewing questions 41-45 out of 605 questions.
Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • Trademarks, certification and product names are used for reference only and belong to Amazon.

Topic 1 - Exam A

Question #41 Topic 1

A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket. Which steps should be taken to troubleshoot the issue? (Choose three.)

  • A Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
  • B Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
  • C Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.
  • D Confirm in the CloudTrail Console that each trail is active and healthy.
  • E Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
  • F Confirm in the CloudTrail Console that the S3 bucket name is set correctly.
Suggested Answer: BDF
NOTE: Answer is :B,D,F
Explanation :Each production account delivers through its own trail, so a trail that is "on" but delivers nothing almost always has either a permission problem on the central bucket or a destination mismatch on the trail itself. Start with the bucket policy (B): the central bucket must allow cloudtrail.amazonaws.com to call s3:GetBucketAcl on the bucket and s3:PutObject on arn:aws:s3:::<bucket>/<prefix>AWSLogs/<account-id>/* for every production account ID; a trail in an account that is missing from that policy fails silently. Then confirm in the CloudTrail console (D) that each trail is active and healthy (the get-trail-status API surfaces delivery failures in LatestDeliveryError), and (F) that the S3 bucket name, and any prefix, configured on the two failing trails matches the central bucket. A is wrong because the log file prefix is a path inside the bucket, not the bucket name. C abandons the central-logging design. E describes a setting that does not exist: trails created in the member accounts carry their own destination, and there is no global CloudTrail configuration in a master account that sets it for them.
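The bucket-policy check in B is the one most often at fault, and it can be exercised without touching AWS. The script below is an added example, not part of the original page or of any AWS tool: it takes a bucket policy (a constructed one, with made-up bucket name, account IDs and trail ARNs) and reports which production accounts have no usable s3:PutObject grant for their AWSLogs/<account-id>/ path, then shows the corrected per-account statements. The '*'-only ARN matcher and the aws:SourceArn handling are simplifications assumed for the example.

```python
"""Offline check of a central CloudTrail S3 bucket policy.

Added example, not code from the original page. It assumes the policy follows
the layout AWS documents for CloudTrail delivery: an Allow for
cloudtrail.amazonaws.com on s3:PutObject for
arn:aws:s3:::<bucket>/<prefix>AWSLogs/<account-id>/* (plus s3:GetBucketAcl on
the bucket). Bucket name, account IDs and trail ARNs below are made up.
"""
import copy
import re

BUCKET = "central-cloudtrail-logs"  # assumed central bucket

TRAILS = {  # assumed production trails: account ID -> trail ARN
    "111111111111": "arn:aws:cloudtrail:us-east-1:111111111111:trail/prod",
    "222222222222": "arn:aws:cloudtrail:us-east-1:222222222222:trail/prod",
    "333333333333": "arn:aws:cloudtrail:us-east-1:333333333333:trail/prod",
}

# Constructed policy with the classic mistake: only one account's delivery
# path is granted, so the other two trails are "on" but never deliver.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/111111111111/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_cloudtrail(stmt, action):
    """True if stmt is an Allow for the CloudTrail service principal on action."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow" and "cloudtrail.amazonaws.com" in services
            and action in _as_list(stmt.get("Action", [])))


def _arn_matches(pattern, arn):
    """Minimal IAM resource matcher: only the '*' wildcard is honoured."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), arn) is not None


def missing_write_grants(policy, bucket, trails, prefix=""):
    """Account IDs whose delivery path has no matching PutObject grant. Deny
    statements are ignored (the documented CloudTrail policy has none). If a
    grant carries an aws:SourceArn condition, it must name the account's trail."""
    prefix = prefix.strip("/") + "/" if prefix else ""
    missing = []
    for account, trail_arn in trails.items():
        # A representative object key CloudTrail would write for this account.
        target = f"arn:aws:s3:::{bucket}/{prefix}AWSLogs/{account}/CloudTrail/us-east-1/2024/05/01/x.json.gz"
        granted = False
        for stmt in policy["Statement"]:
            if not _allows_cloudtrail(stmt, "s3:PutObject"):
                continue
            if not any(_arn_matches(r, target) for r in _as_list(stmt.get("Resource", []))):
                continue
            source = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
            if source is not None and trail_arn not in _as_list(source):
                continue
            granted = True
            break
        if not granted:
            missing.append(account)
    return missing


def add_write_grants(policy, bucket, trails, prefix=""):
    """Copy of policy with one PutObject statement per trail, scoped to that
    account's AWSLogs path and pinned to its trail ARN so a trail in another
    account cannot write into the path (confused-deputy guard)."""
    prefix = prefix.strip("/") + "/" if prefix else ""
    fixed = copy.deepcopy(policy)
    for account, trail_arn in trails.items():
        fixed["Statement"].append({
            "Sid": f"AWSCloudTrailWrite{account}", "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}AWSLogs/{account}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                           "aws:SourceArn": trail_arn}},
        })
    return fixed
```

Against the constructed POLICY, missing_write_grants(POLICY, BUCKET, TRAILS) returns the two accounts without a grant. To run it for real, feed the output of `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text` to json.loads and collect TrailARN values from `aws cloudtrail describe-trails` in each production account. The prefix mismatch behind answer F shows up the same way: passing the prefix the trail is actually configured with (for example prefix="prod") reports all three accounts, because the policy only grants the un-prefixed path.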
Question #42 Topic 1

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Choose three.)

  • A Ensure CloudTrail log file validation is turned on.
  • B Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
  • C Use an S3 bucket with tight access controls that exists in a separate account.
  • D Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
  • E Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
  • F Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS).
Suggested Answer: ACD
NOTE: Answer is :A,C,F
Explanation :Option A is correct because log file validation makes CloudTrail write signed digest files that chain the SHA-256 hashes of the delivered log files, so any modification, deletion or forgery after delivery can be detected with validate-logs (it detects tampering; it does not by itself prevent access). Option C is correct because keeping the bucket in a separate, tightly controlled account means a principal who compromises a production account cannot also alter or delete its own audit trail. Option F is correct because with SSE-KMS the key policy, not only the bucket policy, decides who can read the logs, and every decrypt is itself recorded in CloudTrail. Option B is retention, not protection. Option D is wrong because Amazon Inspector assesses EC2 instances and container images for vulnerabilities; it does not monitor S3 object integrity. Option E is wrong because CloudTrail encrypts log files with SSE-S3 or SSE-KMS, not with keys from ACM certificates.
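Log file validation (A) only helps if someone actually checks the digests. The script below is an added example, not code from the page or from AWS: it reproduces the hash-chain check that `aws cloudtrail validate-logs` performs, using constructed log objects and digest files with made-up bucket, account and object names. The RSA signature step is built as the signing string but not verified, so the script runs offline.

```python
"""Offline verification of CloudTrail digest files (log file validation).

Added example, not code from the original page. Two fake log objects and two
chained digests are built in the documented shape: each digest lists the
SHA-256 of every log object in its window, and previousDigestHashValue is the
SHA-256 of the previous digest; hashes cover the uncompressed contents. A
tampered log object, a replaced digest and a deleted digest are all detected.
Bucket, account and object names are made up.
"""
import gzip
import hashlib
import json

BUCKET = "central-cloudtrail-logs"   # assumed
ACCOUNT = "111111111111"             # assumed
LOG1_KEY = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail_us-east-1_20240501T0900Z.json.gz"
LOG2_KEY = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail_us-east-1_20240501T1000Z.json.gz"
DIGEST1_KEY = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T1000Z.json.gz"
DIGEST2_KEY = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T1100Z.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records) -> bytes:
    """CloudTrail delivers gzipped JSON with a top-level Records list."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def make_digest(key, end_time, log_objects, previous=None) -> bytes:
    """log_objects: {s3 key: gzipped bytes}; previous: (key, bytes) of the
    prior digest, or None at the start of the chain."""
    doc = {
        "digestEndTime": end_time,
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(gzip.decompress(v))} for k, v in log_objects.items()],
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(gzip.decompress(previous[1])) if previous else None,
        "previousDigestSignature": None,   # real digests carry the prior RSA signature here
    }
    return gzip.compress(json.dumps(doc, sort_keys=True).encode(), mtime=0)


def signing_string(digest: bytes) -> str:
    """The bytes CloudTrail signs (SHA256withRSA). The signature itself is stored
    in the digest object's S3 metadata, not in its body, and is verified with
    the public key whose fingerprint the digest names (not done here)."""
    raw = gzip.decompress(digest)
    doc = json.loads(raw)
    return "\n".join([doc["digestEndTime"], f"{doc['digestS3Bucket']}/{doc['digestS3Object']}",
                      sha256_hex(raw), doc["previousDigestSignature"] or ""])


def verify_digest(digest: bytes, store: dict) -> list:
    """store stands in for S3 (key -> gzipped bytes). Returns problems found."""
    doc = json.loads(gzip.decompress(digest))
    problems = []
    for entry in doc["logFiles"]:
        obj = store.get(entry["s3Object"])
        if obj is None:
            problems.append(f"missing log file {entry['s3Object']}")
        elif sha256_hex(gzip.decompress(obj)) != entry["hashValue"]:
            problems.append(f"hash mismatch for {entry['s3Object']}")
    prev = store.get(doc["previousDigestS3Object"] or "")
    if prev is not None and sha256_hex(gzip.decompress(prev)) != doc["previousDigestHashValue"]:
        problems.append(f"chain break at {doc['previousDigestS3Object']}")
    return problems


def verify_chain(newest_key: str, store: dict) -> list:
    """Walk from the newest digest back to the chain start; [] means intact."""
    problems, key = [], newest_key
    while key:
        digest = store.get(key)
        if digest is None:
            problems.append(f"missing digest {key}")
            break
        problems += verify_digest(digest, store)
        key = json.loads(gzip.decompress(digest))["previousDigestS3Object"]
    return problems


def build_store() -> dict:
    """Constructed bucket contents: two hourly log objects and two digests."""
    log1 = make_log_object([{"eventName": "ConsoleLogin", "eventTime": "2024-05-01T09:12:00Z"}])
    log2 = make_log_object([{"eventName": "PutBucketPolicy", "eventTime": "2024-05-01T10:05:00Z"}])
    d1 = make_digest(DIGEST1_KEY, "2024-05-01T10:00:00Z", {LOG1_KEY: log1})
    d2 = make_digest(DIGEST2_KEY, "2024-05-01T11:00:00Z", {LOG2_KEY: log2}, previous=(DIGEST1_KEY, d1))
    return {LOG1_KEY: log1, LOG2_KEY: log2, DIGEST1_KEY: d1, DIGEST2_KEY: d2}
```

verify_chain(DIGEST2_KEY, build_store()) returns an empty list; replacing LOG2_KEY with make_log_object([]) (the attacker hiding an event) makes it report a hash mismatch, and replacing or deleting DIGEST1_KEY reports a chain break or a missing digest. Note what this check does not do: it cannot restore a deleted file, and it only covers objects delivered after validation was enabled, which is why the question pairs it with the separate-account bucket (C) and KMS encryption (F).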
Question #43 Topic 1

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts. Which actions should the Engineer take based on this situation? (Choose three.)

  • A Use AWS Artifact to capture an exact image of the state of each instance.
  • B Create EBS Snapshots of each of the volumes attached to the compromised instances.
  • C Capture a memory dump.
  • D Log in to each instance with administrative credentials to restart the instance.
  • E Revoke all network ingress and egress except for to/from a forensics workstation.
  • F Run Auto Recovery for Amazon EC2.
Suggested Answer: ABE
NOTE: Answer is :B, C, E
Explanation :B: Snapshot every EBS volume attached to the suspect instances (and tag and protect the snapshots) so the disk state is preserved exactly as found for later analysis. C: Capture a memory dump before the instance is stopped or rebooted, because volatile evidence (running processes, network connections, injected code, decryption keys) is lost otherwise. E: Move the instances into a security group that allows traffic only to and from the forensics workstation; this stops the abuse without destroying evidence. A is wrong because AWS Artifact provides compliance reports and agreements, not instance images. D (logging in to restart) and F (Auto Recovery, which reboots the instance on new hardware) both wipe the volatile evidence that C is meant to preserve.
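Step E is the one most often done incompletely, because a freshly created security group carries an allow-all egress rule and rules referencing other security groups are easy to overlook. The script below is an added example, not code from the page or from AWS: it builds the rule sets that boto3's authorize_security_group_ingress and authorize_security_group_egress accept for a quarantine group, and audits describe_security_groups() output for any path beyond the forensics workstation. The workstation address and group IDs are made up.

```python
"""Quarantine security group for EC2 incident response.

Added example, not code from the original page. quarantine_rules() produces
the IpPermissions structures boto3's authorize_security_group_ingress/egress
accept; violations() checks a describe_security_groups() record for anything
that reaches beyond the forensics workstation. Workstation CIDR and group IDs
are made up.
"""
from ipaddress import ip_network

FORENSICS_CIDR = "10.50.0.7/32"  # assumed forensics workstation


def quarantine_rules(forensics_cidr: str, port: int = 22) -> dict:
    """Ingress: the workstation to one admin port (22 here; 3389 for Windows).
    Egress: only to the workstation, so disk and memory images can be pushed
    out. A new group is created with an allow-all egress rule that must be
    revoked before these rules mean anything."""
    ingress = [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": forensics_cidr, "Description": "forensics workstation"}]}]
    egress = [{"IpProtocol": "-1",
               "IpRanges": [{"CidrIp": forensics_cidr, "Description": "forensics workstation"}]}]
    return {"IpPermissions": ingress, "IpPermissionsEgress": egress}


def violations(group: dict, forensics_cidr: str) -> list:
    """Every rule in a describe_security_groups() entry that reaches beyond
    the workstation: wider IPv4 ranges, any IPv6 range, other security groups
    and prefix lists all count, since each is a path the abuser could still use."""
    allowed = ip_network(forensics_cidr)
    found = []
    for direction in ("IpPermissions", "IpPermissionsEgress"):
        for perm in group.get(direction, []):
            for r in perm.get("IpRanges", []):
                if not ip_network(r["CidrIp"]).subnet_of(allowed):
                    found.append(f"{direction}: {r['CidrIp']}")
            found += [f"{direction}: {r['CidrIpv6']}" for r in perm.get("Ipv6Ranges", [])]
            found += [f"{direction}: sg {g['GroupId']}" for g in perm.get("UserIdGroupPairs", [])]
            found += [f"{direction}: prefix list {p['PrefixListId']}" for p in perm.get("PrefixListIds", [])]
    return found


def is_quarantined(group: dict, forensics_cidr: str) -> bool:
    return not violations(group, forensics_cidr)


# Constructed describe_security_groups() records.
FRESH_GROUP = {   # as EC2 creates it: no ingress, default allow-all egress
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}],
}
LEAKY_GROUP = {   # ingress was tightened but an app-tier group reference survived
    "GroupId": "sg-0123456789abcdef1",
    "IpPermissions": quarantine_rules(FORENSICS_CIDR)["IpPermissions"]
                     + [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
                         "UserIdGroupPairs": [{"GroupId": "sg-0abc", "UserId": "111111111111"}]}],
    "IpPermissionsEgress": quarantine_rules(FORENSICS_CIDR)["IpPermissionsEgress"],
}
PROPER_GROUP = {"GroupId": "sg-0123456789abcdef2", **quarantine_rules(FORENSICS_CIDR)}
```

violations(FRESH_GROUP, FORENSICS_CIDR) flags the default egress rule and violations(LEAKY_GROUP, FORENSICS_CIDR) flags the surviving group reference; only PROPER_GROUP passes. Order matters in practice: attach the quarantine group (E) as the instance's only group first, since rules across all attached groups are unioned; take the memory dump (C) while the instance is still running; then snapshot the volumes (B). Rebooting (D) or Auto Recovery (F) would discard the memory you want to capture.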
Question #44 Topic 1

An organization policy states that all encryption keys must be automatically rotated every 12 months. Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

  • A AWS managed Customer Master Key (CMK)
  • B Customer managed CMK with AWS generated key material
  • C Customer managed CMK with imported key material
  • D AWS managed data key
Suggested Answer: B
NOTE: Answer is :B
Explanation :A customer managed key with AWS-generated key material (B) is the right choice: automatic rotation can be enabled on it, and KMS then generates new backing key material once a year while keeping the old material so existing ciphertexts still decrypt. Imported key material (C) cannot be rotated automatically; new material has to be imported by hand. AWS managed keys (A) are rotated on a schedule that AWS controls and the customer cannot configure. D is not a KMS key type: data keys are returned by GenerateDataKey and are never stored or rotated by KMS.
Question #45 Topic 1

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53. Which solution will meet these requirements?

  • A Use AWS WAF with an upgrade to the AWS Business support plan.
  • B Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.
  • C Use AWS Shield Advanced.
  • D Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.
Suggested Answer: C
NOTE: Answer is :C
Explanation :AWS Shield Advanced provides managed DDoS protection for CloudFront, Route 53, Elastic Load Balancing, Global Accelerator and Elastic IP resources, covering Layers 3 and 4, and it includes AWS WAF at no extra charge for Layer 7 rules, together with access to the Shield Response Team and cost protection for scaling during an attack. A is wrong: AWS WAF addresses Layer 7 only, and a Business support plan adds no DDoS mitigation. B is not applicable: an Application Load Balancer has no place in a serverless S3-and-CloudFront design, and an origin access identity controls CloudFront's access to S3, not DDoS traffic. D is wrong: network ACLs operate on VPC subnets and cannot sit in front of CloudFront, Route 53 or Lambda, and KMS encryption is unrelated to availability.