Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Specialty SCS-C03 Release Date

Page: 14 / 17
Total 231 questions

AWS Certified Security – Specialty Questions and Answers

Question 53

A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.

Which solution will meet this requirement?

Options:

A.

Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.

B.

Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.

C.

Reconfigure all existing IAM roles in the company ' s AWS accounts to explicitly trust the new IdP as the principal.

D.

Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.

Question 54

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Question 55

A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.

Which solution will meet these requirements?

Options:

A.

Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.

B.

Use Amazon Inspector to run investigations on the IAM roles and visualize the findings.

C.

Export GuardDuty findings to Amazon S3 and analyze them with Amazon Athena.

D.

Enable AWS Security Hub and use custom actions to investigate IAM roles.

Question 56

A company has an organization in AWS Organizations. The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization. The company has encrypted the Amazon EBS volumes of all the EC2 instances in the organization by default by using the AWS managed key. The automation consists of AWS Lambda functions and AWS Step Functions state machines.

The automation assumes an IAM role in the target AWS account. The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots. The security team has an AWS KMS key to encrypt the snapshots. During testing, the automation fails to copy the snapshots into the security team’s AWS account.

Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Select THREE.)

Options:

A.

In the target AWS account, update the KMS key policy on the AWS managed key to explicitly allow the kms:Decrypt and kms:CreateGrant actions to the automation’s IAM role.

B.

In the target AWS account, create a customer managed KMS key. Update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions.

C.

In the security team’s AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, and kms:CreateGrant actions for the AWS managed key.

D.

In the security team’s AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the customer managed KMS key.

E.

In the security team’s AWS account, update the automation code to take EBS snapshots and to use the AWS managed key.

F.

In the security team’s AWS account, update the automation code to take EBS snapshots and to use the customer managed KMS key.

Page: 14 / 17
Total 231 questions