SCS-C02 Premium Exam Questions

The solution to receiving automated email notifications when AWS access keys are detected on code repository sites is to use Amazon EventBridge with Amazon GuardDuty findings. Specifically, creating an EventBridge rule that targets Amazon GuardDuty findings, particularly theUnauthorizedAccess:IAMUser/InstanceCredentialExfiltrationfinding type, allows for the detection of potential unauthorized use or exposure of AWS credentials. When such a finding is detected, EventBridge can then trigger an action to send a notification via Amazon Simple Notification Service (Amazon SNS). By configuring an SNS topic to send emails, stakeholders can be promptly informed of such security incidents. This approach leverages AWS's native security and monitoring services to provide timely alerts with minimal operational overhead, ensuring that the company can respond quickly to potential security breaches involving exposed AWS credentials.

Comprehensive and Detailed Explanation From Exact Extract:

B. Amazon Inspector now supports Lambda scanning for vulnerabilities. Designating a delegated administrator provides centralized visibility into findings across the organization.

C. Tag-based suppression enables filtering of findings for non-production resources (e.g., test or dev Lambda functions). By using tags and configuring suppression filters in Inspector, only relevant production findings appear in the dashboard.

This approach provides continuous monitoring, centralized reporting, and filtering based on environment, fulfilling Infrastructure Security requirements.

Generate a Data Key:

Use theaws kms generate-data-keycommand to request a data key from AWS KMS.

The data key will include both a plaintext version and an encrypted version.

Example command:

bash

aws kms generate-data-key --key-id --key-spec AES_256

Encrypt the File:

Use the plaintext data key to encrypt the 2 KB file using standard encryption libraries or utilities (e.g., OpenSSL).

Secure the Encrypted Data Key:

Store the encrypted version of the data key alongside the encrypted file for future decryption.

Least Privilege Principle:

Ensure the EC2 instance role has the minimum necessary permissions to callkms:GenerateDataKeyandkms:Decrypt.

Testing and Validation:

Verify that the encrypted file can be successfully decrypted using the stored encrypted data key and the KMS key.

AWS KMS GenerateDataKey API

AWS KMS Best Practices

Encrypting Data with AWS KMS

Options A and B are incorrect since you need to add an inline policy just for the user

Option C is invalid because you don't assign an IAM role to a user

The IAM Documentation mentions the following

An inline policy is a policy that's embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.

For more information on IAM Access and Inline policies, just browse to the below URL:

The correct answer is: Add an inline policy for the user Submit your Feedback/Queries to our Experts