
SCS-C03 Exam Questions Tutorials

Page: 3 / 6
Total 81 questions

AWS Certified Security – Specialty Questions and Answers

Question 9

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.

Question 10

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

Options:

A. Configure an S3 Lifecycle rule to delete objects after 45 days.

B. Create a Lambda function triggered on object upload to delete old data.

C. Create a scheduled Lambda function to delete old objects monthly.

D. Configure S3 Intelligent-Tiering.

Question 11

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

Options:

A. Configure a cron job on the instances to forward the log files to Amazon S3 periodically.

B. Configure AWS Glue and Amazon Athena to query the log files.

C. Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.

D. Configure Amazon CloudWatch Logs Insights to query the log files.

E. Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

Question 12

A company that uses AWS Organizations is using AWS IAM Identity Center to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.

When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.

What should the security engineer do to resolve this failure?

Options:

A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.

B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.

C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.

D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.
