Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free SCS-C03 Questions Attempt

Page: 6 / 17
Total 231 questions

AWS Certified Security – Specialty Questions and Answers

Question 21

A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.

Which solution will meet this requirement with the LEAST effort?

Options:

A.

Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.

B.

Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.

C.

Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.

D.

Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.

Question 22

A company ' s security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks. An Amazon SNS topic already exists and is subscribed to by the security team.

What should the security engineer do next?

Options:

A.

Poll Trusted Advisor for abuse notifications by using a Lambda function.

B.

Create an Amazon EventBridge rule that matches AWS Health events for AWS_ABUSE_DOS_REPORT and publishes to SNS.

C.

Poll the AWS Support API for abuse cases by using a Lambda function.

D.

Detect abuse reports by using CloudTrail logs and CloudWatch alarms.

Question 23

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

Options:

A.

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

B.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

C.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

D.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Question 24

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

• Database storage must be encrypted at rest.

• Deletion protection must be enabled.

• Databases must not be publicly accessible.

• Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution thatcontinuously monitorsall Aurora MySQL resources for compliance with this policy. The solution must be able todisplay a database ' s compliance state for each part of the policy at any time.

Which solution will meet these requirements?

Options:

A.

Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

B.

Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

C.

Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

D.

Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Page: 6 / 17
Total 231 questions