Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

SCS-C03 Exam Questions Tutorials

Page: 3 / 17
Total 231 questions

AWS Certified Security – Specialty Questions and Answers

Question 9

A company operates an Amazon EC2 instance that is registered as a target of a Network Load Balancer (NLB). The NLB is associated with a security group. The security group allows inbound TCP traffic on port 22 from 10.0.0.0/23.

The company maps the NLB to two subnets that share the same network ACL and route table. The route table has a route for 0.0.0.0/0 to an internet gateway. The network ACL has one inbound rule that has a priority of 20 and that allows TCP traffic on port 22 from 10.0.0.0/16.

A security engineer receives an alert that there is an unauthorized SSH session on the EC2 instance. The unauthorized session originates from 10.0.1.5. The company ' s incident response procedure requires unauthorized SSH sessions to beimmediately interrupted. The instance must remain running, and its memory must remain intact.

Which solution will meet these requirements?

Options:

A.

Restart the EC2 instance from either the AWS Management Console or the AWS CLI.

B.

Add a new inbound rule that has a priority of 10 to the network ACL to deny TCP traffic on port 22 from 10.0.1.5.

C.

Remove the security group rule that allows inbound TCP traffic on port 22 from 10.0.0.0/16.

D.

Update the route table to remove the route to the internet gateway.

Question 10

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Options:

A.

Make the following changes to NACL3:

• Add a rule that allows inbound traffic on port 5432 from NACL2.

• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.

• Remove the default rules that allow all inbound and outbound traffic.

B.

Make the following changes to NACL3:

• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.

• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.

• Remove the default rules that allow all inbound and outbound traffic.

C.

Make the following changes to NACL2:

• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.

• Remove the default rules that allow all inbound and outbound traffic.

D.

Make the following changes to NACL2:

• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.

• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Question 11

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again.

Which solution will meet these requirements?

Options:

A.

Enforce KMS encryption and deny s3:GetObject by SCP.

B.

Enable PublicAccessBlock and deny s3:GetObject by SCP.

C.

Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

D.

Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

Question 12

AWS Config cannot deliver configuration snapshots to Amazon S3.

Which TWO actions will remediate this issue?

Options:

A.

Verify the S3 bucket policy allows config.amazonaws.com.

B.

Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.

C.

Verify the S3 bucket can assume the IAM role.

D.

Verify IAM policy allows AWS Config to write logs.

E.

Modify AWS Config API permissions.

Page: 3 / 17
Total 231 questions