Spring Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Activedumpsnet Logo
  1. Home
  2. Amazon Web Services
  3. AWS Certified Specialty
  4. SCS-C03
  5. SCS-C03 - AWS Certified Security – Specialty

Amazon Web Services SCS-C03 AWS Certified Security – Specialty Exam Practice Test

Page: 1 / 13
Total 126 questions
Get SCS-C03 Full Access Download SCS-C03 PDF

AWS Certified Security – Specialty Questions and Answers

Question 1

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

Options:

A.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.

B.

Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.

C.

Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.

Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.

Question 2

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement an automated solution to detect and respond to anomalous traffic patterns. The solution must follow AWS best practices for initial incident response and must minimize disruption to the web application.

Which solution will meet these requirements?

Options:

A.

Disable the instance profile access keys by using AWS Lambda.

B.

Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.

C.

Update the network ACL to block the detected traffic source.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question 3

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

Options:

A.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.

B.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1:* as the principal.

D.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.

Question 4

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

A.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

B.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

C.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

D.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

E.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.

Question 5

A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.

The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.

Which solution will meet this requirement?

Options:

A.

Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.

B.

Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.

C.

Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.

D.

Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.

Question 6

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.

Which solution will meet these requirements?

Options:

A.

Use AWS WAF to implement a rate-based rule for all incoming requests.

B.

Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.

C.

Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.

D.

Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

Question 7

A security engineer discovers that a company's user passwords have no required minimum length. The company uses the following identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application

Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

Options:

A.

Update the password length policy in the IAM configuration.

B.

Update the password length policy in the Amazon Cognito configuration.

C.

Update the password length policy in the on-premises Active Directory configuration.

D.

Create an SCP in AWS Organizations to enforce minimum password length.

E.

Create an IAM policy with a minimum password length condition.

Question 8

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

Options:

A.

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

B.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

C.

Revoke the IAM role’s active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

D.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

Question 9

A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company's security team has access to the delegated account.

The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days.

Which solution will quickly identify the access attempts?

Options:

A.

In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.

B.

In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.

C.

In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.

D.

In the organization's management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.

Question 10

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)

Options:

A.

Create a service role that has a composite principal that contains each service that needs the necessary permissions.

B.

Create a service role that has cloudformation.amazonaws.com as the service principal.

C.

Add policies that reference each CloudFormation stack ARN.

D.

Add policies that reference the ARNs of each AWS service that requires permissions.

E.

Update each stack to use the service role.

F.

Add a policy to each member role to allow the iam:PassRole action for the service role.

Question 11

A company sends Apache logs from EC2 Auto Scaling instances to a CloudWatch Logs log group with 1-year retention. A suspicious IP address appears in logs. A security engineer needs to analyze the past week of logs to count requests from that IP and list requested URLs.

What should the engineer do with the LEAST effort?

Options:

A.

Export to S3 and use Macie.

B.

Stream to OpenSearch and analyze.

C.

Use CloudWatch Logs Insights with queries.

D.

Export to S3 and use AWS Glue.

Question 12

A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

Which solution will meet these requirements?

Options:

A.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.

B.

Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.

C.

Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.

D.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.

Question 13

A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company's AWS account by using OpenID Connect (OIDC).

Which solution will meet these requirements?

Options:

A.

Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.

B.

Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OIDC. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.

C.

Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role.

D.

Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OIDC. Limit the resource share to the specified code repositories. Grant the IAM role access to the resource share.

Question 14

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.

B.

Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.

C.

Use the geo restriction feature in CloudFront to deny the specific countries.

D.

Use geolocation headers in CloudFront to deny the specific countries.

Question 15

A company must inventory sensitive data across all Amazon S3 buckets in all accounts from a single security account.

Options:

A.

Delegate Amazon Macie and Security Hub administration.

B.

Use Amazon Inspector with Security Hub.

C.

Use Inspector with Trusted Advisor.

D.

Use Macie with Trusted Advisor.

Question 16

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.

Which solution meets these requirements with the LEAST operational effort?

Options:

A.

Designate a GuardDuty administrator account and enable protections.

B.

Centralize CloudWatch logs and use Inspector.

C.

Centralize CloudTrail logs and query with Athena.

D.

Stream logs to Kinesis and process with Lambda.

Question 17

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

Options:

A.

Integrate with Cognito identity pools and use GetId to obtain AWS credentials.

B.

Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.

C.

Integrate with Cognito user pools and use the ID token to obtain AWS credentials.

D.

Integrate with Cognito user pools and use the access token to obtain AWS credentials.

Question 18

A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.

All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)

Options:

A.

In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode with a retention period of 2 years. Set the bucket policy to allow the organization’s management account to write to the S3 bucket.

B.

In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode with a retention period of 2 years. Set the bucket policy to allow the organization’s member accounts to write to the S3 bucket.

C.

In the dedicated security account, create an Amazon S3 bucket with an S3 Lifecycle configuration that expires objects after 2 years. Allow member accounts to write to the bucket.

D.

Create an AWS CloudTrail organization trail. Configure logs to be delivered to the Amazon S3 bucket in the dedicated security account.

E.

Turn on AWS CloudTrail in each account and forward logs to the dedicated security account by using AWS Lambda and Amazon Data Firehose.

Question 19

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.

Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

Options:

A.

Create a new customer managed key in AWS Key Management Service (AWS KMS).

B.

Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).

C.

Configure the PHP SDK to use the SSE-S3 key before upload.

D.

Create an AWS managed key for Amazon S3 in AWS KMS.

E.

Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).

F.

Change all the S3 objects in the bucket to use the new encryption key.

Question 20

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

Options:

A.

Configure S3 bucket policies to deny DELETE and PUT object permissions.

B.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Question 21

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with the LEAST operational effort?

Options:

A.

Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.

Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.

C.

Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.

D.

Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

Question 22

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB.

Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?

Options:

A.

Use an IP set match rule statement.

B.

Use a geographic match rule statement.

C.

Use a rate-based rule statement.

D.

Use a string match rule statement on the user agent.

Question 23

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Options:

A.

Enable AWS Security Hub in the AWS account.

B.

Enable Amazon GuardDuty in the AWS account.

C.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.

D.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.

E.

Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

F.

Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Question 24

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

• Database storage must be encrypted at rest.

• Deletion protection must be enabled.

• Databases must not be publicly accessible.

• Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution that continuously monitors all Aurora MySQL resources for compliance with this policy. The solution must be able to display a database's compliance state for each part of the policy at any time.

Which solution will meet these requirements?

Options:

A.

Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

B.

Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

C.

Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

D.

Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Question 25

A company experienced a security incident caused by a vulnerable container image that was pushed from an external CI/CD pipeline into Amazon ECR.

Which solution will prevent vulnerable images from being pushed?

Options:

A.

Enable ECR enhanced scanning with Lambda blocking.

B.

Use Amazon Inspector with EventBridge and Lambda.

C.

Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline on critical findings.

D.

Enable basic continuous ECR scanning.

Question 26

A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

What should the security engineer do to isolate the target instance?

Options:

A.

Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

B.

Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

C.

Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

D.

Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

Question 27

A company operates an Amazon EC2 instance that is registered as a target of a Network Load Balancer (NLB). The NLB is associated with a security group. The security group allows inbound TCP traffic on port 22 from 10.0.0.0/23.

The company maps the NLB to two subnets that share the same network ACL and route table. The route table has a route for 0.0.0.0/0 to an internet gateway. The network ACL has one inbound rule that has a priority of 20 and that allows TCP traffic on port 22 from 10.0.0.0/16.

A security engineer receives an alert that there is an unauthorized SSH session on the EC2 instance. The unauthorized session originates from 10.0.1.5. The company's incident response procedure requires unauthorized SSH sessions to be immediately interrupted. The instance must remain running, and its memory must remain intact.

Which solution will meet these requirements?

Options:

A.

Restart the EC2 instance from either the AWS Management Console or the AWS CLI.

B.

Add a new inbound rule that has a priority of 10 to the network ACL to deny TCP traffic on port 22 from 10.0.1.5.

C.

Remove the security group rule that allows inbound TCP traffic on port 22 from 10.0.0.0/16.

D.

Update the route table to remove the route to the internet gateway.

Question 28

A company’s application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company’s security policy requires separate keys for different AWS services to limit security exposure.

How can a security engineer limit the KMS customer managed key to work with only Amazon S3?

Options:

A.

Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action.

B.

Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name.

C.

Configure the application’s IAM role policy to allow Amazon S3 to perform the iam:PassRole action.

D.

Configure the application’s IAM role policy to allow only S3 operations when the operations are combined with the KMS customer managed key.

Question 29

A company's security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks. An Amazon SNS topic already exists and is subscribed to by the security team.

What should the security engineer do next?

Options:

A.

Poll Trusted Advisor for abuse notifications by using a Lambda function.

B.

Create an Amazon EventBridge rule that matches AWS Health events for AWS_ABUSE_DOS_REPORT and publishes to SNS.

C.

Poll the AWS Support API for abuse cases by using a Lambda function.

D.

Detect abuse reports by using CloudTrail logs and CloudWatch alarms.

Question 30

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Options:

A.

Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B.

Use encrypted parameters in the CloudFormation template.

C.

Use SecureString parameters to reference Secrets Manager.

D.

Use SecureString parameters encrypted by AWS KMS.

Question 31

A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.

Which solution meets these requirements?

Options:

A.

Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

B.

Enable AWS CloudTrail data event logging. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

C.

Configure AWS Config rules to log access to the objects stored in the S3 bucket.

D.

Enable Amazon Macie to log access to the objects stored in the S3 bucket.

Question 32

A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 123456789012. The attack created workloads that are distributed across multiple AWS Regions.

The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.

The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of

arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.

The security engineer must delete the key as quickly as possible.

Which solution will meet this requirement?

Options:

A.

Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

B.

Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.

C.

Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

D.

Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.

Question 33

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution to prevent CloudTrail from being disabled.

Which solution will meet this requirement?

Options:

A.

Enable CloudTrail log file integrity validation from the organization's management account.

B.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

C.

Create a service control policy (SCP) that includes an explicit Deny rule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

D.

Create IAM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Question 34

A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules.

Which solution will meet these requirements?

Options:

A.

Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.

B.

Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.

C.

Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.

D.

Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

Question 35

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

A.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

B.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

C.

Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

D.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Question 36

Notify when IAM roles are modified.

Options:

A.

Use Amazon Detective.

B.

Use EventBridge with CloudTrail events.

C.

Use CloudWatch metric filters.

D.

Use CloudWatch subscription filters.

Question 37

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices for initial response to security incidents and must minimize disruption to the web application.

Which solution will meet these requirements?

Options:

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Load More SCS-C03 Questions 
Page: 1 / 13
Total 126 questions
Get SCS-C03 Full Access Download SCS-C03 PDF