CertsTopics Logo

Weekend Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

New Release SCS-C02 AWS Certified Specialty Questions

Page: 2 / 31
Total 417 questions
Get SCS-C02 Full Access Download SCS-C02 PDF

AWS Certified Security - Specialty Questions and Answers

Question 5

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAMLambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

Options:

A.

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

B.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

C.

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

D.

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Question 6

A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

What should the security engineer do to isolate the target instance?

Options:

A.

Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

B.

Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

C.

Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

D.

Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

Question 7

A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a bruteforce attack because of the high number of connections that happen every hour.

The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the companys visibility of potential anomalous behavior.

Which solution will meet these requirements?

Options:

A.

Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.

B.

Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.

C.

Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.

D.

Create an AWS Lambda function that has the appropriate permissions to de-lete the finding whenever a new occurrence is reported.

Question 8

A security engineer is configuring account-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principalsalready have access to Amazon S3.

The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a principal can still put objects into the S3 bucket when the tag values do not match.

Which combination of factors are causing the PutObject operation to succeed when the tag values are different? (Select TWO.)

Options:

A.

The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.

B.

The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

C.

The S3 bucket's resource policy does not deny access to put objects.

D.

The S3 bucket's resource policy cannot allow actions to the principal.

E.

The bucket policy does not apply to principals in the same zone of trust.

Page: 2 / 31
Total 417 questions
Get SCS-C02 Full Access Download SCS-C02 PDF