SCS-C02 Exam Results

AWS Certified Security - Specialty Questions and Answers

Question 37

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.

What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select TWO.)

Options:

A. Configure and assign an MFA device to the role used by the instances.

B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.

C. Verify that the access key attached to the role used by the instances is active.

D. Attach the AmazonSQSFullAccest. managed policy to the role used by the instances.

E Verify that the role attached to the instances contains policies that allow access to the queue

Question 38

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API

Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Options:

Create a custom authorization service using AWS Lambda.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Answer:

B, C, F

Explanation:

The combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs are:

B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.This is a necessary step to federate the existing users from the SAML identity provider to the Amazon Cognito user pool, which will be used for authentication and authorization1.

C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.This is a necessary step to establish a trust relationship between the SAML identity provider and the Amazon Cognito user pool, which will allow the users to sign in using their existing credentials2.

F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.This is a necessary step to enable API Gateway to use the Amazon Cognito user pool as an authorizer for the RESTful services, which will validate the identity or access tokens that are issued by AmazonCognito when a user signs in successfully3.

The other options are incorrect because:

A.Creating a custom authorization service using AWS Lambda is not a necessary step, because Amazon Cognito user pools can provide built-in authorization features, such as scopes and groups, that can be used to control access toAPI resources4.

D.Configuring an Amazon Cognitoidentity pool to integrate with social login providers is not a necessary step, because the users already exist in a directory that is exposed through a SAML identity provider, and there is no requirement to support social login providers5.

E.Updating DynamoDB to store the user email addresses and passwords is not a necessary step, because the user credentials are already stored in the SAML identity provider, and there is no need to duplicate them in DynamoDB6.

[References:, 1:Using Tokens with User Pools2:Adding SAML Identity Providers to a User Pool3:Control Access to a REST API Using Amazon Cognito User Pools as Authorizer4:API Authorization with Resource Servers and OAuth 2.0 Scopes5:Using Identity Pools (Federated Identities)6: Amazon DynamoDB, , , , , ]

Question 39

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's

deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in the MOST secure way?

Options:

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to theportfolio's product list. Share the portfolio with the OIJ.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormationregistry. Publish the extension. In the OU, create an SCP that allows access to the extension.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to theportfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach theAWSServiceCatalogEndUserFullAccess managed policy to the role.

Answer:

Explanation:

The correct answer is A. Create an AWS Service Catalog portfolio in the organization’s management account. Upload the CloudFormation template. Add the template to the portfolio’s product list. Share the portfolio with the OU.

According to the AWS documentation, AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. You can use Service Catalog to centrally manage commonly deployed IT services and help achieve consistent governance and compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

To use Service Catalog with multiple AWS accounts, you need to enable AWS Organizations with all features enabled. This allows you to centrally manage your accounts and apply policies across your organization. You can also use Service Catalog as a service principal for AWS Organizations, which lets you share your portfolios with organizational units (OUs) or accounts in your organization.

To create a Service Catalog portfolio, you need to use an administrator account, such as the organization’s management account. You can upload your CloudFormation template as a product in your portfolio, and define constraints and tags for it. You can then share your portfolio with the OU that contains the accounts for the web applications. This will allow the developers in those accounts to launch products from the shared portfolio using the Service Catalog end user console.

Option B is incorrect because CloudFormation modules are reusable components that encapsulate one or more resources and their configurations. They are not meant to be used as templates for deploying entire stacks of resources. Moreover, sharing a module with an OU does not grant access to launch stacks from it.

Option C is incorrect because creating an IAM role that has a trust policy that allows cross-account access to the portfolio is not secure. It would allow any user in the OU accounts to assume the role and access the portfolio, regardless of their job function or access requirements.

Option D is incorrect because sharing a module with an OU does not grant access to launch stacks from it. It also does not limit access to the deployment plan to only the developers who need access.

Question 40

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.

Which combination of steps should the company take to meet this requirement? (Select THREE.)

Options:

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Weekend Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Security - Specialty Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce