Amazon SCS-C02 Exam Questions Instant Access

Question 1

[Incident Response]

A company has a new web-based account management system for an online game Players create a unique username and password to log in to the system.

The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system.

The company's security team finds that the system was the target of a credential stuffing attack Credentials that were exposed in other breaches were used to try to log in to the system

The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future The solution also must minimize impact on legitimate users of the system

Which combination of actions will meet these requirements? (Select TWO.)

ACreate an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address

BAdd the account takeover prevention (ATP) AWS managed rule group to the web ACL Configure the rule group to inspect login requests to the system Block any requests that have the awswaf managed awsatp signal credential_compromised label

CConfigure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in

DImplement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses Block any IP addresses that generate many successful logins

ECreate a custom block response that redirects users to a secure workflow to reset their password inside the system

Answer : B, E

Question 2

[Logging and Monitoring]

A company is evaluating its security posture. In the past, the company has observed issues with specific hosts and host header combinations that affected

the company's business. The company has configured AWS WAF web ACLs as an initial step to mitigate these issues.

The company must create a log analysis solution for the AWS WAF web ACLs to monitor problematic activity. The company wants to process all the AWS WAF logs in a central location. The company must have the ability to filter out requests based on specific hosts.

A security engineer starts to enable access logging for the AWS WAF web ACLs.

What should the security engineer do next to meet these requirements with the MOST operational efficiency?

ASpecify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.

BSpecify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.

CSpecify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

DSpecify Amazon CloudWatch as the destination for the access logs. Use Amazon Redshift Spectrum to query the logs and to filter the logs by host.

Answer : C

The correct answer is C. Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

According to the AWS documentation1, AWS WAF offers logging for the traffic that your web ACLs analyze. The logs include information such as the time that AWS WAF received the request from your protected AWS resource, detailed information about the request, and the action setting for the rule that the request matched. You can send yourlogs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose.

To create a log analysis solution for the AWS WAF web ACLs, you can use Amazon Athena, which is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL2. You can use Athena to query and filter the AWS WAF logs by host or any other criteria. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

To use Athena with AWS WAF logs, you need to export the CloudWatch logs to an S3 bucket.You can do this by creating a subscription filter that sends your log events to a Kinesis Data Firehose delivery stream, which then delivers the data to an S3 bucket3.Alternatively, you can use AWS DMS to migrate your CloudWatch logs to S34.

After you have exported your CloudWatch logs to S3, you can create a table in Athena that points to your S3 bucket and use the AWS service log format that matches your log schema5. For example, if you are using format for your AWS WAF logs, you can use the AWSSerDe serde. Then you can run SQL queries on your Athena table and filter the results by host or any other field in your log data.

Therefore, this solution meets the requirements of creating a log analysis solution for the AWS WAF web ACLs with the most operational efficiency. This solution does not require setting up any additional infrastructure or services, and it leverages the existing capabilities of CloudWatch, S3, and Athena.

The other options are incorrect because:

A . Specifying Amazon Redshift as the destination for the access logs is not possible, because AWS WAF does not support sending logs directly to Redshift. You would need to use an intermediate service such as Kinesis Data Firehose or AWS DMS to load the data from CloudWatch or S3 to Redshift.Deploying the Amazon Athena Redshift connector is not necessary, because you can query Redshift data directly from Athena without using a connector6. This solution would also incur additional costs and operational overhead of managing a Redshift cluster.

B . Specifying Amazon CloudWatch as the destination for the access logs is possible, but using Amazon CloudWatch Logs Insights to design a query to filter the logs by host is not efficient or scalable.CloudWatch Logs Insights is a feature that enables you to interactively search and analyze your log data in CloudWatch Logs7.However, CloudWatch Logs Insights has somelimitations, such as a maximum query duration of 20 minutes, a maximum of 20 log groups per query, and a maximum retention period of 24 months8. These limitations may affect your ability to perform complex and long-running analysis on your AWS WAF logs.

D . Specifying Amazon CloudWatch as the destination for the access logs is possible, but using Amazon Redshift Spectrum to query the logs and filter them by host is not efficient or cost-effective.Redshift Spectrum is a feature of Amazon Redshift that enables you to run queries against exabytes of data in S3 without loading or transforming any data9. However, Redshift Spectrum requires a Redshift cluster to process the queries, which adds additional costs and operational overhead.Redshift Spectrum also charges you based on the number ofbytes scanned by each query, which can be expensive if you have large volumes of log data10.

References:

1:Logging AWS WAF web ACL traffic - AmazonWeb Services2:What Is Amazon Athena? - Amazon Athena3:Streaming CloudWatch Logs Data to Amazon S3 - Amazon CloudWatch Logs4:Migrate data from CloudWatch Logs using AWS Database Migration Service - AWS Database Migration Service5:Querying AWS service logs - Amazon Athena6:Querying data from Amazon Redshift - Amazon Athena7:Analyzing log data with CloudWatch LogsInsights - Amazon CloudWatch Logs8:CloudWatch Logs Insights quotas - Amazon CloudWatch9:Querying external data using Amazon Redshift Spectrum - Amazon Redshift10:Amazon Redshift Spectrum pricing - Amazon Redshift

Question 3

[Logging and Monitoring]

A company has AWS accounts that are in an organization in AWS Organizations. A security engineer needs to set up AWS Security Hub in a dedicated account for securitymonitoring.

The security engineer must ensure that Security Hub automatically manages all existing accounts and all new accounts that are added to the organization. Security Hubalso must receive findings from all AWS Regions.

Which combination of actions will meet these requirements with the LEAST operational overhead? (Select TWO.)

AConfigure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.

BCreate an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invokethe Lambda function.

CTurn on the option to automatically enable accounts for Security Hub.

DCreate an SCP that denies the securityhub DisableSecurityHub permission. Attach the SCP to the organization's root account.

EConfigure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

Answer : A, C

To set up AWS Security Hub for centralized security monitoring across all accounts in an AWS Organization with the least operational overhead, the best actions to take are:

Solution A: Configure a finding aggregation Region for Security Hub. This allows Security Hub to aggregate findings from multiple regions into a single designated region, simplifying monitoring and analysis. By centralizing findings, the security team can have a unified view of security alerts and compliance statuses across all accounts and regions, enhancing the efficiency of security operations.

Solution C: Turn on the option to automatically enable accounts for Security Hub within the AWS Organization. This ensures that as new accounts are created and added to the organization, they are automatically enrolled in Security Hub, and their findings are included in the centralized monitoring. This automation reduces the manual effort required to manage account enrollment and ensures comprehensive coverage of security monitoring across the organization.

These actions collectively ensure that Security Hub is effectively configured to manage security findings across all accounts and regions, providing a comprehensive and automated approach to security monitoring with minimal manual intervention.

Question 4

[Logging and Monitoring]

An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides ^ccess to the internet for private subnets through a NAT gateway.

A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services.

What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

AConfigure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions thatwill publish logs.

BAdjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.

CConfigure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that willpublish logs.

DAdd an interface VPC endpoint to provide a route to CloudWatch Logs.

Answer : C

Adjusting the IAM policy attached to the IAM role used by EC2 instances to include the necessary AWS Logs API actions for publishing logs to CloudWatch Logs addresses the issue. This ensures that the EC2 instances have the required permissions to interact with CloudWatch Logs, facilitating the successful publication of logs from the instances.

Question 5

[Data Protection]

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.

A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).

Which solution will meet these requirements?

AEnable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.

BRecreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

CRecreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.

DEnable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs.

Answer : B

Question 6

[Infrastructure Security]

A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances

There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivity

Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

AThe route tables and the outbound rules on the appropriate private subnet security group

BThe outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

CThe outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

DThe rules on any host-based firewall that may be applied on the Amazon EC2 instances

EThe Security Group applied to the Application Load Balancer and NAT gateway

FThat the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Answer : C, E, F

because these are the factors that could affect the outbound connection to the internet from a server in a private subnet.The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet must allow the traffic to pass through8.The security group applied to the application load balancer and NAT gateway must also allow the traffic from the private subnet9.The 0.0.0.0/0 route in the private subnet route table must point to the NAT gateway in the public subnet, not the internet gateway10. The other options are either irrelevant or incorrect for troubleshooting the outbound connection issue.

Question 7

A solutions architect is designing a web application that uses Amazon CloudFront an Elastic Load Balancing Application Load Balancer and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that AWS Certificate Manager is used how many certificates will need to be generated'?

AOne in the US West (Oregon) region and one in the US East (Virginia) region

BTwo in the US West (Oregon) region and none in the US East (Virginia) region

COne in the US West (Oregon) region and none in the US East (Virginia) region

DTwo in the US East (Virginia) region and none in the US West (Oregon) region

Answer : A

Amazon AWS Certified Security - Specialty (old) SCS-C02 Exam Questions