Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with ValidTests

The correct answer is D.

To stop the data exfiltration from the compromised EC2 instances, the security engineer needs to implement a solution that can deny access to any S3 bucket that is outside thecompany’s organization. The solution should also allow the EC2 instances to access the required S3 buckets within the company’s organization for the analysis process.

Option A is incorrect because updating the policy on the S3 gateway endpoint will not affect the access to S3 buckets that are outside the company’s organization. The S3 gateway endpoint only applies to S3 buckets that are in the same AWS Region as the VPC. The compromised EC2 instances can still access S3 buckets in other Regions or other AWS accounts through the internet gateway or NAT device.

Option B is incorrect because updating the policy on the instance profile role will not prevent the compromised EC2 instances from using other credentials or methods to access S3 buckets outside the company’s organization. The instance profile role only applies to requests that are made using the credentials of that role. The compromised EC2 instances can still use other IAM users, roles, or access keys to access S3 buckets outside the company’s organization.

Option C is incorrect because adding a network ACL rule to block outgoing connections on port 443 will also block legitimate connections to S3 buckets within the company’s organization. The network ACL rule will prevent the EC2 instances from accessing any S3 bucket through HTTPS, regardless of whether it is inside or outside the company’s organization.

Option D is correct because applying an SCP on the AWS account will effectively deny access to any S3 bucket that is outside the company’s organization. The SCP will apply to all IAM users, roles, and resources in the AWS account, regardless of how they access S3. The SCP will use the aws:ResourceOrgID and aws:PrincipalOrgID condition keys to check whether the S3 bucket and the principal belong to the same organization as the AWS account. If they do not match, the SCP will deny the S3 actions.

The correct answer is C. Use AWS Resource Access Manager (AWS RAM) to share Account-A’s VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.

This answer is correct because AWS RAM is a service that helps you securely share your AWS resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types1.One of the supported resource types is VPC subnets2, which means you can share the subnets in Account-A’s VPC with the other member accounts using AWS RAM. This way, you can meet the requirements of using a centrally managed VPC, avoiding duplicate VPCs in each account, and launching workloads in shared subnets.You can also control the access to the shared subnets by using IAM policies and resource-based policies3, which can prevent one account from modifying another account’s resources.

The other options are incorrect because:

A.Using aCloudFormation template in the member accounts to launch workloads and using the Fn::ImportValue function to obtain the subnet ID values is not a solution, because Fn::ImportValue can only import values that have been exported by another stack within the same region4. This means that you cannot use Fn::ImportValue to reference the subnet IDs that are exported by Account-A’s CloudFormation template, unless all the member accounts are in the same region as Account-A. This option also does not avoid creating duplicate VPCs in each account, which is one of the requirements.

B. Using a transit gateway in the VPC within Account-A and configuring the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads is not a solution, because a transit gateway does not allow you to launch workloads in another account’s subnets.A transit gateway is a network transit hub that enables you to route traffic between your VPCs and on-premises networks5, but it does not enable you to share subnets across accounts.

D. Creating a peering connection between Account-A and the remaining member accounts and configuring the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads is not a solution, because a VPC peering connection does not allow you to launch workloads in another account’s subnets.A VPC peering connection is a networking connection betweentwo VPCs that enables you to route traffic between them privately6, but it does not enable you to share subnets across accounts.

Collect Operating System Logs:

Install the Amazon CloudWatch agent on the bastion hosts to collect logs, including failed login attempts from/var/log/auth.logor equivalent files.

Create a Metric Filter:

Use CloudWatch Logs to create a metric filter for failed login attempts by identifying log patterns (e.g.,Failed password).

Set Up a CloudWatch Alarm:

Define an alarm in CloudWatch to trigger when the metric exceeds a threshold of 5 failed attempts within a 5-minute period.

Configure SNS for Notifications:

Use Amazon SNS to send alerts to system administrators.

Use SNS message filtering to ensure only the designated administrator for the specific bastion host receives the notification.

Monitoring CloudWatch Logs

SNS Message Filtering

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/import-key-material.html

aws kms import-key-material \

--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \

--encrypted-key-material fileb://EncryptedKeyMaterial.bin \

--import-token fileb://ImportToken.bin \

--expiration-model KEY_MATERIAL_EXPIRES \

--valid-to 2021-09-21T19:00:00Z

The correct answer is A. A customer managed CMK that uses customer provided key material.

A customer managed CMK is a KMS key that you create, own, and manage in your AWS account. You have full control over the key configuration, permissions, rotation, and deletion.You can use a customer managed CMK to encrypt and decrypt data in AWS services that are integrated with AWS KMS, such as Amazon EBS1.

A customer managed CMK can use either AWS provided key material or customer provided key material. AWS provided key material is generated by AWS KMS and never leaves the service unencrypted. Customer provided key material is generated outside of AWS KMS and imported into a customer managed CMK.You can specify an expiration date for the imported key material, after which the CMK becomes unusable until you reimport new key material2.

To meet the criteria of automatically expiring the key material in 90 days, you need to use customer provided key material and set the expiration date accordingly. This way, you can ensure that the data encrypted with the CMK will not be accessible after 90 days unless you reimport new key material and re-encrypt the data.

The other options are incorrect for the following reasons:

B. A customer managed CMK that uses AWS provided key material does not expire automatically. You can enable automatic rotation of the key material every year, but this does not prevent access to the data encrypted with the previous key material.You would need to manually delete the CMK and its backing key material to make the data inaccessible3.

C. An AWS managed CMK is a KMS key that is created, owned, and managed by an AWS service on your behalf. You have limited control over the key configuration, permissions, rotation, and deletion. You cannot use an AWS managed CMK to encrypt data in other AWS services or applications.You also cannot set an expiration date for the key material of an AWS managed CMK4.

D. Operation system-native encryption that uses GnuPG is not a solution that uses AWS KMS. GnuPG is a command line tool that implements the OpenPGP standard for encrypting and signing data. It does not integrate with Amazon EBS or other AWS services.It also does not provide a way toautomatically expire the key material used for encryption5.

these are the recommended actions to take when you receive an abuse notice fromAWS8. You shouldreview the abuse notice to see what content or activity was reported and detach the internet gateway from the VPC to isolate the affected instances from the internet. You should also remove any rules that allow inbound traffic from 0.0.0.0/0 from the security groups and create a network access control list (NACL) rule to deny all traffic inbound from the internet. You should then delete the compromised instances and any associated resources that you did not create. The other options are either inappropriate or unnecessary for responding to the abuse notice.

you need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilitiesand exposures on your EC2 instances5. You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security Hub6. Security Hub is a service that provides you with a comprehensive view of your securitystate in AWS and helps you check your environment against security industry standards and best practices7. The other options are either incorrect or incomplete for meeting the requirement.

Requirement Analysis:

The application should only be accessible to subsidiary companies over TCP port 443.

Direct public internet access must be restricted.

Use AWS PrivateLink:

AWS PrivateLink allows secure access to services across accounts and VPCs without exposing them to the public internet.

Steps to Implement:

Parent Account:

Create aPrivateLink Endpoint Servicelinked to the Network Load Balancer (NLB).

Update the security group for the EC2 instances to allow traffic from the PrivateLink endpoint on TCP port 443.

Subsidiary Accounts:

CreateInterface Endpointsin the subsidiary VPCs. These endpoints securely route traffic to the parent company's application via PrivateLink.

Advantages of This Solution:

Compliance: Ensures secure communication without internet exposure.

Scalability: Easily supports all 1,500 subsidiaries.

Operational Simplicity: Centralized service in the parent account, while subsidiaries connect securely via endpoints.

AWS PrivateLink Documentation

Using Security Groups with AWS PrivateLink