Online SCS-C02 Questions Video

AWS Certified Security - Specialty Questions and Answers

Question 93

A development team is creating an open source toolset to manage a company's SaaS application. The company stores the code in a public repository so that anyone can view and download the toolset's code.

The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company's AWS environment.

A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

Deactivate the exposed IAM access key from the user's IAM account.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

Create a new IAM access key and secret key for the user whose credentials were exposed.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Question 94

A company is planning to migrate its applications to AWS in a single AWS Region. The company's applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:

• Data must be encrypted at rest.

• Data must be encrypted in transit.

• Endpoints must be monitored for anomalous network traffic.

Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

Options:

Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.

Enable Amazon GuardDuty in all AWS accounts.

Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.

Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

Question 95

Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.

Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.

The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.

How will the security engineer be able to comply with these requirements?

Options:

Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.

Configure the DB instanceג€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.

Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Question 96

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs

the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.

However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.

What should the security engineer do next to resolve the issue?

Options:

Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.

Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.

Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.

Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Answer:

Explanation:

The correct answer is D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

According to the AWS documentation1, the CloudWatch agent is a software agent that you can install on your EC2 instances to collect system-level metrics and logs. To use the CloudWatch agent, you need to attach an IAM role or user to the EC2 instance thatgrants permissions for the agent to perform actions on your behalf.The CloudWatchAgentServerPolicy is an AWS managed policy that provides the necessary permissions for the agent to write metrics and logs to CloudWatch2. By attaching this policy to the EC2 instance role, the security engineer can resolve the issue of CloudWatch not receiving the custom application-security logs.

The other options are incorrect for the following reasons:

A.Adding AWS CloudTrail to the trust policy of the EC2 instance is not relevant, because CloudTrail is a service that records API activity in your AWS account, not custom application logs3. Sending the custom logs to CloudTrail instead of CloudWatch would not meet the requirement of forwarding them to CloudWatch.

B.Adding Amazon S3 to the trust policy of the EC2 instance is not necessary, because S3 is a storage service that does not require any trust relationship with EC2 instances4. Configuring the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs would be an alternative solution, but it would be more complex and costly than using the CloudWatch agent directly.

C.Adding Amazon Inspector to the trust policy of theEC2 instance is not helpful, because Inspector is a service that scans EC2 instances for software vulnerabilities and unintended network exposure, not custom application logs5. Using Amazon Inspector instead of the CloudWatch agent would not meet the requirement of forwarding them to CloudWatch.

[References:, 1:Collect metrics, logs, and traces with the CloudWatch agent - Amazon CloudWatch2:CloudWatchAgentServerPolicy - AWS Managed Policy3:What Is AWS CloudTrail? - AWS CloudTrail4:Amazon S3 FAQs - Amazon Web Services5:Automated Software Vulnerability Management - Amazon Inspector - AWS, , , , , ]

Big Cyber Monday Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Security - Specialty Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce