Amazon AWS Certified Security - Specialty (old) SCS-C02 Exam Questions

Page: 1 / 14
Total 467 questions

Want more questions? Get Premium Access.
()

Question 1

[Incident Response]

A company hosts its microservices application on Amazon Elastic Kubernetes Service (Amazon EKS). The company has set up continuous deployments to update the application on demand. A security engineer must implement a solution to provide automatic detection of anomalies in application logs in near real time. The solution also must send notifications about these anomalies to the security team. Which solution will meet these requirements?

AConfigure Amazon CloudWatch Container Insights to collect and aggregate EKS application logs. Create a CloudWatch alarm to monitor for anomalies. Configure the alarm to launch an AWS Lambda function to alert the security team when anomalies are detected.

BConfigure Amazon EKS to send application logs to Amazon CloudWatch. Create a CloudWatch alarm based on a log group metric filter. Specify anomaly detection as the threshold type. Configure the alarm to use Amazon Simple Notification Service (Amazon SNS) to alert the security team.

CConfigure Amazon EKS to export logs to Amazon S3. Use Amazon Athena queries to analyze the logs for anomalies. Use Amazon QuickSight to visualize and monitor user access requests for anomalies. Configure Amazon Simple Notification Service (Amazon SNS) notifications to alert the security team.

DConfigure AWS App Mesh to monitor the traffic to the microservices in Amazon EKS. Integrate App Mesh with AWS CloudTrail for logging. Use Amazon Detective to analyze the logs for anomalies and to alert the security team when anomalies are detected.

Answer : B

Comprehensive Detailed Explanation with all AWS References

To achieve automatic detection of anomalies in application logs in near real time and notify the security team, the following solution is appropriate:

1. Configure Amazon EKS to Send Application Logs to Amazon CloudWatch:

Log Collection:Set up Fluent Bit or Fluentd as a DaemonSet within your EKS cluster to collect application logs and forward them to Amazon CloudWatch Logs. This setup ensures that all application logs are centralized in CloudWatch for monitoring and analysis.

2. Create a CloudWatch Log Group Metric Filter and Alarm with Anomaly Detection:

Metric Filter:In CloudWatch Logs, define a metric filter to extract specific metrics from the log data. For instance, you can create a filter that counts the number of error messages or specific patterns indicative of anomalies.

Anomaly Detection:Enable CloudWatch Anomaly Detection on the metric to automatically establish a baseline of expected values and detect deviations that may indicate anomalies.

Alarm Configuration:Set up a CloudWatch Alarm using the anomaly detection model as the threshold. This alarm will trigger when the metric deviates from the expected baseline, indicating a potential anomaly.

3. Configure Notifications to the Security Team via Amazon SNS:

SNS Topic:Create an Amazon Simple Notification Service (SNS) topic dedicated to security alerts.

Subscription:Subscribe the security team's email addresses or communication channels to the SNS topic to ensure they receive notifications promptly.

Alarm Action:Configure the CloudWatch Alarm to publish a message to the SNS topic when it detects an anomaly. This setup ensures that the security team is alerted in near real time whenever an anomaly is detected in the application logs.

This solution leverages AWS managed services to provide a scalable and efficient method for real-time anomaly detection and alerting, aligning with AWS best practices for monitoring and security.

Question 2

[Identity and Access Management]

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

AManually rotate a key within KMS to create a new CMK immediately

BUse the KMS import key functionality to execute a delete key operation

CUse the schedule key deletion function within KMS to specify the minimum wait period for deletion

DChange the KMS CMK alias to immediately prevent any services from using the CMK.

Answer : C

the schedule key deletion function within KMS allows you to specify a waiting period before deleting a customer master key (CMK)4.The minimum waiting period is 7 days and the maximum is 30 days5.This function prevents the CMK from being used for encryption or decryption operations during the waiting period4. The other options are either invalid or ineffective for deleting a CMK within a 24-hour timeframe.

Question 3

[Logging and Monitoring]

A web application gives users the ability to log in verify their membership's validity and browse artifacts that are stored in an Amazon S3 bucket. When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example com.

What is the MOST secure way for a security engineer to implement this functionality?

AConfigure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.

BImplement an IAM policy to give the user read access to the S3 bucket.

CCreate an S3 presigned URL Provide the S3 presigned URL to the user through the application.

DCreate an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.

Answer : D

For this scenario you would need to set up static website hosting because a custom domain name is listed as a requirement. 'Amazon S3 website endpoints do not support HTTPS or access points. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3.' This is not secure. https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html CloudFront signed URLs allow much more fine-grained control as well as HTTPS access with custom domain names:https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

Question 4

[Infrastructure Security]

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

ACreate an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

BCreate an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

CObtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

DUpdate the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
Comprehensive and Detailed Explanation From Exact Extract:
Using AWS WAF with an Application Load Balancer (ALB) allows you to mitigate SQL injection attacks quickly by deploying managed rule groups designed for common web exploits. This method allows the existing EC2 instances to continue operating without changes, minimizing disruption.
By fronting the EC2 instances with an ALB, you can then:
Apply WAF rules
Redirect DNS records from Route 53 to the ALB
Restrict direct EC2 access via security groups
This approach is rapid, low effort, and preserves availability, making it ideal for critical, time-sensitive security mitigations.

Answer : A

Question 5

[Identity and Access Management]

A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions. Which solution will meet these requirements?

ACreate a resource based policy that allows Security Hub access to the ARN of the Lambda function.

BAttach the AWSSecurityHubReedOnlyAccess AWS managed policy to the Lambda function's execution role.

CGrant the Lambda function s execution role read-only permissions to access Amazon Inspector and Security Hub.

DCreate a custom 1AM policy that grants the Security Hub Get' List' Batch' and Desert*' permissions on the arn aws securityhub us-west-2 productaws/inspector' resource Anacn the policy to the Lambda function's execution role.

Answer : D

To resolve the issue of the Lambda function failing to create the report while adhering to the principle of least privilege, follow these steps:

Identify Required Permissions:

Determine the specific AWS Security Hub and Amazon Inspector actions the Lambda function needs to perform.

Common actions include:

securityhub:Get*

securityhub:List*

securityhub:Batch*

securityhub:Describe*

Create a Custom IAM Policy:

In the AWS Management Console, navigate to the IAM service.

Create a new policy with permissions tailored to the Lambda function's needs.

Define the policy to allow the necessary actions on the specific Security Hub resource.

For example:

{

'Version': '2012-10-17',

'Statement':

[

{

'Effect': 'Allow',

'Action':

[

'securityhub:Get*',

'securityhub:List*',

'securityhub:Batch*',

'securityhub:Describe*'

'Resource': 'arn:aws:securityhub:us-west-2::product/aws/inspector'

}

]

}

This policy grants the Lambda function the necessary read-only permissions to interact with Security Hub and Amazon Inspector.

Attach the Policy to the Lambda Execution Role:

Identify the IAM role associated with your Lambda function.

Attach the newly created custom policy to this role.

This ensures the Lambda function has the required permissions when invoked.

Test the Lambda Function:

Invoke the Lambda function to verify it can successfully create the report without permission errors.

Monitor the function's execution to ensure it operates as expected.

Implement Least Privilege Principle:

Regularly review and adjust the permissions to ensure they remain aligned with the function's requirements.

Remove any unnecessary permissions to minimize security risks.

Defining Lambda function permissions with an execution role: This AWS documentation provides guidance on creating and managing execution roles for Lambda functions, emphasizing the importance of granting least privilege access.

AWS Documentation

Managing permissions in AWS Lambda: This resource offers insights into best practices for managing permissions, including the use of identity-based and resource-based policies to control access to Lambda resources.

AWS Documentation

Grant least privilege access: Part of the AWS Well-Architected Framework, this document discusses the principle of least privilege and provides strategies for implementing it effectively within AWS environments.

AWS Documentation

AWS managed policies for AWS Lambda: This page details the AWS managed policies available for Lambda, which can serve as a starting point for creating custom policies tailored to specific needs.

AWS Documentation

Applying the principles of least privilege in AWS Lambda: This guide explores how to apply the principle of least privilege in AWS Lambda functions, focusing on avoiding granting wildcard permissions in IAM policies.

Orchestra

By following these steps and utilizing the referenced AWS documentation, you can ensure that your Lambda function has the necessary permissions to create the report while adhering to the principle of least privilege.

Question 6

[Identity and Access Management]

A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.

Which solution will meet these requirements?

AConfigure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.

BCreate an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

CCreate an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.

DCreate an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

Answer : B

Question 7

[Logging and Monitoring]

A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadat

a. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.

A security engineer must determine if the credentials were used to access the company's resources from an external account.

Which solution will provide this information?

AReview GuardDuty findings to find InstanceCredentialExfiltration events.

BReview assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.

CReview CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an acount ID from outside the company.

DReview CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.

Answer : A

The correct answer is A because GuardDuty can detect and alert on EC2 instance credential exfiltration events.These events indicate that the credentials obtained from the EC2 instance metadata service are being used from an IP address that is owned by a differentAWS account than the one that owns the instance1.GuardDuty can also provide details such as the source and destination IP addresses, the AWS account ID of the attacker, and the API calls made using the exfiltrated credentials2.

The other options are incorrect because they do not provide the information needed to determine if the credentials were used to access the company's resources from an external account. Option B is incorrect because Audit Manager does not generate InstanceCredentialExfiltration events.Audit Manager is a service that helpsyou continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards3. Option C is incorrect because CloudTrail logs do not show the account ID of the caller for GetSessionToken API calls to AWS STS.CloudTrail logs show the account ID of the identity whose credentials were used to call the API4. Option D is incorrect because CloudWatch logs do not show the GetSessionToken API calls to AWS STS by default.CloudWatch logs can show the API calls made by AWS Lambda functions, Amazon API Gateway, and other AWS services that integrate with CloudWatch5.