Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Specialty SCS-C03 Reddit Questions

Page: 10 / 17
Total 231 questions

AWS Certified Security – Specialty Questions and Answers

Question 37

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

Options:

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question 38

A company manages multiple AWS accounts through an organization in AWS Organizations. The company enables all features in the organization.

A security team must implement a solution to centrally manage VPC security groups across the accounts. The company uses an existing reference security group with the required configuration. The solution must detect if security group rules have been modified to deviate from the reference security group. The solution must automatically restore any noncompliant security groups to match the reference security group.

The security team needs to select a solution that does not require custom development or scripting.

Which solution will meet these requirements?

Options:

A.

Use AWS Firewall Manager to manage security group rules through security group policy rules.

B.

Create an AWS Systems Manager Automation runbook to identify and align noncompliant security groups with the reference security group.

C.

Use a custom AWS Config rule with auto remediation. Compare to the reference security group for compliance.

D.

Manage security groups through AWS CloudFormation StackSets. Use the reference security group for the initial rules.

Question 39

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

" Version " : " 2012-10-17 " ,

" Id " : " key-policy-ebs " ,

" Statement " : [

{

" Sid " : " Enable IAM User Permissions " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:root "

},

" Action " : " kms:* " ,

" Resource " : " * "

},

{

" Sid " : " Allow use of the key " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "

},

" Action " : [

" kms:Encrypt " ,

" kms:Decrypt " ,

" kms:ReEncrypt* " ,

" kms:GenerateDataKey* " ,

" kms:DescribeKey " ,

" kms:CreateGrant " ,

" kms:ListGrants " ,

" kms:RevokeGrant "

],

" Resource " : " * " ,

" Condition " : {

" StringEquals " : {

" kms:ViaService " : " ec2.us-west-2.amazonaws.com "

}

}

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

Options:

A.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change StringEquals to StringLike.

B.

In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions " . Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

Question 40

A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Options:

A.

Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.

B.

Configure an S3 Lifecycle configuration rule on the bucket to expire objects after 72 hours.

C.

Use the S3 Intelligent-Tiering storage class and configure expiration after 72 hours.

D.

Generate presigned URLs that expire after 72 hours.

Page: 10 / 17
Total 231 questions