Quiz IT certification exam

Question 1

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

Become a Premium Member for full access

Unlock Premium Member

Accepted Answer

Ensure CloudTrail log file validation is turned on

Accepted Answer

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

Accepted Answer

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

Answer

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

Answer

Use an S3 bucket with tight access controls that exists m a separate account

Answer

Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSEKMS)

Question 2

A company's Security Auditor discovers that users are able to assume roles without using multifactor authentication (MFA). An example of a current policy being applied to these users is as follows:<img alt="Amazon SCS-C01 image Question 442 7560 09162024005924000000"   width="778" height="328" src="https://examgecko.com/getfile/20d78f3f-d762-469b-96a3-d3280d8e6bc5">The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the AWS CLI. These users are using long-term AWS credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

Accepted Answer

Accepted Answer

Question 3

A company hosts multiple externally facing applications, each isolated in its own AWS account The company'B Security team has enabled AWS WAF. AWS Config. and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail. AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.How should the Security team accomplish this?

Accepted Answer

Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Answer

Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts.

Answer

Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.

Answer

Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.

Question 4

A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database.The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

Accepted Answer

Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

Accepted Answer

Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Answer

Place the RDS instance in a public subnet and an AWS Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

Answer

Place the RDS instance in a private subnet and an AWS Lambda function outside the VPC.Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months lo rotate the secrets.

Answer

Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

Question 5

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.What should the Security Engineer do to meet these requirements?

Accepted Answer

Set up AWS Systems Manager to monitor S3 bucket policies for public write access.

Answer

Configure Amazon Macie to continuously check the configuration of all S3 buckets.

Answer

Enable AWS Config to check the configuration of each S3 bucket.

Answer

Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Question 6

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received. What should the Security Engineer do to troubleshoot this issue?

Accepted Answer

Add the following statement to the CMK key policy:

Answer

Add the following statement to the AWS managed CMKs:

Question 7

Developers in an organization have moved from a standard application deployment to containers.The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

Accepted Answer

Use the containers to automate security deployments.

Accepted Answer

Segregate containers by host, function, and data classification.

Answer

Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.

Answer

Use Docker Notary framework to sign task definitions.

Answer

Enable container breakout at the host kernel.

Question 8

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

Accepted Answer

Turn on AWS CloudTrail in each AWS account

Accepted Answer

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer

Turn on CloudTrail in only the account that will be storing the logs

Answer

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Question 9

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections Which the SIMPLEST change that would address this server issue?

Accepted Answer

Create an Amazon CloudFront distribution and configure the ALB as the origin

Answer

Block the malicious IPs with a network access list (NACL).

Answer

Create an AWS Web Application Firewall (WAF). and attach it to the ALB

Answer

Map the application domain name to use Route 53

Question 10

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Select TWO )

Accepted Answer

S3 uses KMS to generate a unique data key for each individual object.

Accepted Answer

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Answer

There is no API operation to retrieve an S3 object in its encrypted form.

Answer

Encryption of S3 objects is performed within the secure boundary of the KMS service.

Answer

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

Question 11

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

Accepted Answer

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecycipher suites

Answer

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

Answer

An HTTPS listener that uses the latest AWS predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 securitypolicy

Answer

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Question 12

A company has two AW5 accounts within AWS Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an AWS KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

Accepted Answer

Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt

Accepted Answer

Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.

Answer

Allow Account-1 to access the KMS key in Account-2 using a key policy

Answer

Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt

Answer

Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Question 13

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent Why were there no alerts on the sudo commands?

Accepted Answer

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

Answer

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

Answer

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

Answer

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Question 14

A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure. Which of the following solutions would provide the MOST scalable solution?

Accepted Answer

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Answer

Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider

Answer

Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly

Answer

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Question 15

An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future Which controls should the company implement to achieve this? {Select TWO.)

Accepted Answer

Enable VPC Flow Logs in all VPCs Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Accepted Answer

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Answer

Use AWS CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Answer

Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering{ "Version": "2012-10-17-, "Statement": { "Effect": "Deny", "Action": "s3:PutObject", "Principal": "-", "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*" }} Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Answer

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Question 16

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets.Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this: Amazon SCS-C01 image Question 456 7574 09162024005924000000

The centralized S3 bucket policy looks like this: Amazon SCS-C01 image Question 456 7574 09162024005924000000

Why is the Security Engineer unable to access the log files?

Accepted Answer

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

Answer

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

Answer

The object ACLs are not being updated to allow the users within the centralized account to access the objects

Answer

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Question 17

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Thirdparty host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?

Accepted Answer

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Answer

Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Answer

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman(ECDHE) cipher suites, and pass the traffic in the clear to the server.

Answer

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman(ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

Question 18

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company AWS account The Security Analyst decides to do this by Improving AWS account root user security. Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

Accepted Answer

Delete the access keys for the account root user in every account.

Accepted Answer

Enable multi-factor authentication (MFA) on every account root user in all accounts.

Accepted Answer

Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.

Answer

Create an admin IAM user with administrative privileges and delete the account root user in every account.

Answer

Implement a strong password to help protect account-level access to the AWS Management Console by the account root user.

Answer

Attach an IAM role to the account root user to make use of the automated credential rotation in AWS STS.

Question 19

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?

Accepted Answer

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Answer

Inbound SG configuration on database serversOutbound SG configuration on application serversInbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Answer

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Answer

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Question 20

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?

Accepted Answer

Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP

Answer

Add a deny rule to the public VPC security group to block the malicious IP

Answer

Add the malicious IP to AWS WAF backhsted IPs

Answer

Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP

Question 21

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and euwest- 3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account Which configuration caused this issue?

Accepted Answer

A permission boundary policy is attached to the System Administrator role with the following permission statement:

Answer

An SCP is attached to the account with the following permission statement:

Answer

A permission boundary is attached to the System Administrator role with the following permission statement:

Answer

An SCP is attached to the account with the following statement:

Question 22

A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account. How should access be granted?

Accepted Answer

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Answer

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Answer

Create a temporary IAM user for the application to use in the production account.

Answer

Create a temporary IAM user in the production account and provide read access to Amazon S3.Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Question 23

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.Which combination of steps should the company take to meet this requirement? (Select THREE.)

Accepted Answer

Update the web application configuration on the web servers to use HTTPS instead of HTTP whenconnecting to DynamoDB

Accepted Answer

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Accepted Answer

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update theCloudFront distribution to connect to the HTTPS listener.

Answer

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting toorigins on Amazon S3

Answer

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLScertificate Update the ALB to connect to the target group using HTTPS

Answer

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with thatcertificate. Update the ALB to connect to the target group using HTTPS.

Question 24

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly. How should the security engineer build the MOST secure solution?

Accepted Answer

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set theorigin protocol policy to HTTPS only Update the application to validate the CloudFront customheader

Answer

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the originprotocol pokey to HTTPS only Update the application to validate the CloudFront custom header

Answer

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocolpolicy to match viewer Update the application to validate the CloudFront custom header.

Answer

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set theorigin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

Question 25

A company needs to use HTTPS when connecting to its web applications to meet compliancerequirements. These web applications run in Amazon VPC on Amazon EC2 instances behind anApplication Load Balancer (ALB). A security engineer wants to ensure that the load balancer win onlyaccept connections over port 443. even if the ALB is mistakenly configured with an HTTP listenerWhich configuration steps should the security engineer take to accomplish this task?

Accepted Answer

Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

Answer

Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00.Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.

Answer

Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway

Answer

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only.Associate the network ACL with the VPC's internet gateway.

Question 26

A company created an AWS account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual 1AM roles for each team. Which additional configuration steps should the security engineer take to complete the task?

Accepted Answer

For each team, create an AM policy similar to the one that fellows Populate the ec2:ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding 1AM roles.

Answer

For each team create an 1AM policy similar to the one that follows Populate the aws TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding 1AM roles.

Answer

Tag each 1AM role with a Team lag key. and use the team name in the tag value. Create an 1AM policy similar to the one that follows, and attach 4 to all the 1AM roles used by developers.

Answer

Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Answer

Option A

Answer

Option B

Answer

Option C

Answer

Option D

Question 27

An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future. Which steps would help achieve this9 (Select TWO )

Accepted Answer

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.

Accepted Answer

Use AWS WAF to create rules to respond to such attacks

Answer

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Answer

Use VPC Flow Logs to monitor network: traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.

Answer

Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.

Question 28

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

Accepted Answer

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Accepted Answer

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Answer

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Answer

Filter AWS CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Answer

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Question 29

Attach the following SCP to the OU that contains this account:In the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.<img alt="Amazon SCS-C01 image Question 469 7587 09162024005924000000"   width="731" height="221" src="https://examgecko.com/getfile/b158653e-7b9e-4106-91aa-ac857273f357">

Accepted Answer

For each finding In the audit report, run the ec2 copy-snapshot command and use the encrypted flag specifying an AWS Key Management Service (AWS KMS) CMK

Answer

Create a private AMI for the company Configure encryption for the private AMI by selecting the custom AMI in the Amazon EC2 console, the destination AWS Region and the source account s AWS Key Management Service (AWS KMS) master key.

Question 30

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead Which solution meets these requirements?

Accepted Answer

Use AWS Secrets Manager to store database credentials. Use 1AM roles for ECS tasks to restrict access to database credentials to specific containers only.

Answer

Use the AWS Systems Manager Parameter Store to generate database credentials. Use an 1AM profile for ECS tasks to restrict access to database credentials to specific containers only.

Answer

Use AWS Secrets Manager to store database credentials. Use an 1AM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

Answer

Use the AWS Systems Manager Parameter Store to store database credentials. Use 1AM roles for ECS tasks to restrict access to database credentials lo specific containers only

Question 31

A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up AWS KMS to meet these requirements?

Accepted Answer

Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK

Answer

Configure AWS KMS and use the default Key store Create an AWS managed CMK with no key material Import the company's key material into the CMK

Answer

Configure AWS KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK

Answer

Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.

Question 32

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed. Which approach should the team take to accomplish this task?

Accepted Answer

Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework

Answer

Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation

Answer

Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

Answer

Scan an the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework

Question 33

A company's security engineer has been tasked with restricting a contractor's 1AM account access to the company's Amazon EC2 console without providing access to any other AWS services The contractors 1AM account must not be able to gain access to any other AWS service, even it the 1AM account rs assigned additional permissions based on 1AM group membership What should the security engineer do to meet these requirements''

Accepted Answer

Create an 1AM permissions boundary policy that allows Amazon EC2 access Associate the contractor's 1AM account with the 1AM permissions boundary policy

Answer

Create an mime 1AM user policy that allows for Amazon EC2 access for the contractor's 1AM user

Answer

Create an 1AM group with an attached policy that allows for Amazon EC2 access Associate the contractor's 1AM account with the 1AM group

Answer

Create a 1AM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Question 34

A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?

Accepted Answer

Add full Amazon Inspector 1AM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Answer

Ensure that AWS Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Answer

Ensure that AWS Config. is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation

Answer

Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Question 35

A developer 15 building a serverless application hosted on AWS that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.Which combination of steps should a security engineer implement to grant appropriate access'(Select TWO )

Accepted Answer

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Accepted Answer

Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Answer

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Answer

Configure an 1AM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Answer

Create focal database users for each module

Question 36

A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a clientspecified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented Which statement should the security specialist include in the policy?

Accepted Answer

Question 37

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an AWS Lambda function m an AWS CodeCommit repository in the DevOps account How should the security learn securely store the API key?

Accepted Answer

Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

Answer

Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

Answer

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the AWS CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

Answer

Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AM role used by the Lambda function so that the function can decrypt the key at runtime

Question 38

A company Is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers.The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS How should a security engineer implement this solution''

Accepted Answer

Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the AWS CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address

Answer

Add the file-system-id efs aws-region amazonaws com URL to the allow list for the data center firewall Install the AWS CLI on the data center-based servers to mount the EFS file system in the EFS security group add the data center IP range to the allow list Mount the EFS using the EFS file system name

Answer

Add the EFS file system mount target IP addresses to the allow list for the data center firewall In the EFS security group, add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets

Answer

Assign a static range of IP addresses for the EFS file system by contacting AWS Support In the EFS security group add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using one of the static IP addresses

Question 39

A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained What Is the MOST secure and cost-effective solution to meet these requirements?

Accepted Answer

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

Answer

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

Answer

Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

Answer

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Question 40

A company is running workloads in a single AWS account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted The company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead Which steps should the security engineer take to meet these requirements?

Accepted Answer

Use the AWS Management Console or AWS CLi to enable encryption by default for EBS volumes in each AWS Region where the company operates.

Answer

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an AWS Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

Answer

Use a customer managed IAM policy that will verify that the encryption flag of the Createvolume context is set to true. Apply this rule to all users.

Answer

Create an AWS Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the AWS Config rule trigger an AWS Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

Amazon SCS-C01 Practice Test 12

Amazon SCS-C01 Practice Tests