Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with ValidTests

Exam SCS-C02 Premium Access

View all detail and faqs for the SCS-C02 exam

Go to Exam

Viewing page 3 out of 15 pages

Viewing questions 21-30 out of questions

Questions # 21:

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.

Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.

The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications.

Which solution will meet these requirements?

Options:

Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

Enable CloudTrail Insights to identify unusual API activity.

Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Expert Solution

Answer

Explanation

The correct answer is D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

According to the AWS documentation1, CloudTrail data events are the resource operations performed on or within a resource. These are also known as data plane operations. Data events are often high-volume activities. For example, Amazon S3 object-level API activity (such as GetObject, DeleteObject, and PutObject) is a data event.

By default, trails do not log data events. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity.For more information, see Logging data events in the Amazon S3 User Guide2.

In this case, the security team wants EventBridge to watch for the s3:PutObjectAcl API invocation logs from CloudTrail.This API uses the acl subresource to set the access control list (ACL) permissions for a new or existing object in an S3 bucket3. This is a data event that affects the S3 object resource type. Therefore, the security team must enable CloudTrail to monitor data events for read and write operations to S3 buckets in order to invoke an EventBridge event for this API call.

The other options are incorrect because:

A. Modifying the EventBridge event pattern by selecting Amazon S3 and All Events as the event type will not capture the s3:PutObjectAcl API call, because this is a data event and not a management event. Management events provide information about management operations that are performed on resources in your AWS account.These are also known as control plane operations4.

B. Modifying the EventBridge event pattern by selecting Amazon S3 and Bucket Level Operations as the event type will not capture the s3:PutObjectAcl API call, because this is a data event that affects the S3 object resource type and not the S3 bucket resource type.Bucket level operations are management events that affect the configuration or metadata of an S3 bucket5.

C. Enabling CloudTrail Insights to identify unusual API activity will not help the security team monitor new S3 objects or changes to any S3 bucket policy or setting that result in public access.CloudTrail Insights helps AWS users identify andrespond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events6. It does not analyze data events or generate EventBridge events.

[References:, 1:CloudTrail log event reference - AWS CloudTrail2:Logging data events - AWS CloudTrail3:PutObjectAcl - Amazon Simple Storage Service4: [Logging management events - AWS CloudTrail]5: [Amazon S3 Event Types - Amazon Simple Storage Service]6:Logging Insights events for trails - AWS CloudTrail, , , , ]

Questions # 22:

There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.

Please select:

Options:

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Expert Solution

Questions # 23:

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions. A security engineer must implement a solution to prevent CloudTrail from being disabled. Which solution will meet this requirement?

Options:

Enable CloudTrail log file integrity validation from the organization's management account.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key Attach a policy to the key to prevent decryption of the logs

Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.

Create 1AM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Expert Solution

Questions # 24:

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.

Which solution will meet these requirements MOST cost-effectively?

Options:

Store the client token as a secret in AWS Secrets Manager. Use th^AWS SDK to retneve the secret in the Lambda function.

Configure a token-based Lambda authorizer in API Gateway.

Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.

Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.

Expert Solution

Questions # 25:

A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.

A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the IAM KMS configuration to meet these requirements?

Options:

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Expert Solution

Questions # 26:

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one candisable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

Question # 26

Options:

Option

Option D

Expert Solution

Questions # 27:

A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors.

A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound diction. However, the vendors cannot connect to the application.

Which solution will provide the vendors access to the application?

Options:

Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.

Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.

Modify the inbound rules on the internet gateway to allow the required ports.

Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.

Expert Solution

Answer

Explanation

The correct answer is B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.

This answer is correct because network ACLs are stateless, which means that they do not automatically allow return traffic for inbound connections. Therefore, the network ACL that is associated with the CIDR range of the new application must have outbound rules that allow traffic to ephemeral ports, which are the temporary ports used by the vendors’ machines to communicate with the application servers.Ephemeral ports are typically in the range of 1024-655351. If the network ACL does not have such rules, the vendors will not be able to connect to the application.

The other options are incorrect because:

A. Modifying the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules is not a solution, because security groups are stateful, which means that they automatically allow return traffic for inbound connections.Therefore, there is no need to add outbound rules to the security group for the vendors to access the application2.

C. Modifying the inbound rules on the internet gateway to allow the required ports is not a solution, because internet gateways do not have inbound or outbound rules. Internet gateways are VPC components that enable communication between instances in a VPC and the internet.They do not filter traffic based on ports or protocols3.

D. Modifying the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules is not a solution, because it does not address the issue of ephemeral ports.The outbound rules of the network ACL must matchthe ephemeral port range of the vendors’ machines, not necessarily the inbound rules of the network ACL4.

[References:, 1:Ephemeral port - Wikipedia2:Security groups for your VPC - Amazon Virtual Private Cloud3:Internet gateways - Amazon Virtual Private Cloud4:Network ACLs - Amazon Virtual Private Cloud, , , , , ]

Questions # 28:

A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically.

Which solution will meet these requirements with the LEAST amount of effort?

Options:

Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) not

Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the

Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) noti

Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to ru

Expert Solution

Questions # 29:

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances. The security engineer also sets up an AWS Security Hub integration with GuardDuty.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices for initial response to security incidents and must minimize disruption to the web application.

Which solution will meet these requirements?

Options:

Create an Amazon EventBridge rule that detects the Behavior:EC2/TrafficVolumeUnusual GuardDuty finding. Configure the rule to invoke an AWS Lambda function to disable the EC2 instance profile access keys.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Program the Lambda function to disassociate the identified instance from the Auto Scaling group and to isolate the instance by using a new restricted security group.

Create a Security Hub automated response that updates the network ACL that is associated with the subnet of the EC2 instances. Configure the response to update the network ACL to deny traffic from the source of detected anomalous traffic.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security engineer's email address to the SNS topic. Configure GuardDuty to send all findings to the SNS topic.

Expert Solution

Questions # 30:

A company’s public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue. the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.

The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.

Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)

Options:

Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.

Configure CloudFront to add a custom: HTTP header to requests that CloudFront sends to the ALB.

Configure the ALB to forward only requests that contain the custom HTTP header.

Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.

Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

Expert Solution

Viewing page 3 out of 15 pages

Viewing questions 21-30 out of questions

Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: validbest

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with ValidTests

Exam SCS-C02 Premium Access

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options: