Amazon SCS-C02 AWS Certified Security - Specialty Exam Practice Test

Page: 1 / 14
Total 422 questions

Want more questions? Get Premium Access.
()

Question 1

[Infrastructure Security]

A company uses Amazon GuardDuty. The company's security team wants all High severity findings to automatically generate a ticket in a third-party ticketing system through email integration.

Which solution will meet this requirement?

ACreate a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.

BCreate an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.

CUse the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.

DUse the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.

Answer : B

The correct answer is B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the Event-Bridge rule.

According to the AWS documentation1, you can use Amazon EventBridge to create rules that match events from GuardDuty and route them to targets such as Amazon SNS topics. You can use event patterns to filter events based on criteria such as severity, type, or resource. For example, you can create a rule that matches only High severity findings and sends them to an SNS topic that is subscribed by a third-party ticketing email system. This way, you can automate the creation of tickets for High severity findings and notify the security team.

Question 2

[Logging and Monitoring]

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.

3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other

4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols

5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required

Which of the following accurately reflects the access control mechanisms the Architect should verify1?

AOutbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

BInbound SG configuration on database serversOutbound SG configuration on application serversInbound and outbound network ACL configuration on the database subnetInbound and outbound network ACL configuration on the application server subnet

CInbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

DInbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Answer : A

this is the accurate reflection of the access control mechanisms that the Architect should verify. Access control mechanisms are methods that regulate who can access what resources and how. Security groups and network ACLs are two types of access control mechanisms that can be applied to EC2 instances and subnets. Security groups are stateful, meaning they remember and return traffic that was previously allowed. Network ACLs are stateless, meaning they do not remember or return traffic that was previously allowed. Security groups and network ACLs can have inbound and outbound rules that specify the source, destination, protocol, and port of the traffic. By verifying the outbound security group configuration on database servers, the inbound security group configuration on application servers, and the inbound and outbound network ACL configuration on both the database and application server subnets, the Architect can check if there are any misconfigurations or conflicts thatprevent the application servers from initiating a connection to the database servers. The other options are either inaccurate or incomplete for verifying the access control mechanisms.

Question 3

[Identity and Access Management]

A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images.

Which solution will meet these requirements with the LEAST management overhead?

APull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account.Use a CI/CD pipeline to deploy the images to different AWS accounts. Use identity-based policies to restrict access to which IAM principals can access the images.

BPull images from the public container registry. Publish the images to a private container registry that is hosted on Amazon EC2 instances in a centralized AWS account. Deploy host-based container scanning tools to EC2 instances that run Amazon ECS. Restrict access to the container images by using basic authentication over HTTPS.

CPull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.

DPull images from the public container registry. Publish the images to AWS CodeArtifact repositories in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.

Answer : C

The correct answer is C. Pull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.

This solution meets the requirements because:

Amazon ECR is a fully managed container registry service that supports Docker and OCI images and artifacts1. It integrates with Amazon ECS and other AWS services to simplify the development and deployment of container-based applications.

Amazon ECR provides image scanning on push, which uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project to detect software vulnerabilities in container images2.The scan results are available in the AWS Management Console, AWS CLI, orAWS SDKs2.

Amazon ECR supports cross-account access to repositories, whichallows sharing images across multiple AWS accounts3.This can be achieved by using repository policies, which are resource-based policies that specify which IAM principals and accounts can access the repositories and what actions they can perform4.Additionally, identity-based policies can be used to control which IAM roles in each account can access the repositories5.

The other options are incorrect because:

A . This option does not use repository policies to restrict cross-account access to the images, which is a requirement.Identity-based policies alone are not sufficient to control access to Amazon ECR repositories5.

B . This option does not use Amazon ECR, which is a fully managed service that provides image scanning and cross-account access features. Hosting a private container registry on EC2 instances would require more management overhead and additional security measures.

D .This option uses AWS CodeArtifact, which is a fully managed artifact repository service that supports Maven, npm, NuGet, PyPI, and generic package formats6. However, AWS CodeArtifact does not support Docker or OCI container images, which are required for Amazon ECS applications.

Question 4

[Logging and Monitoring]

A company has deployed AWS Control Tower and an organization in AWS Organizations to manage its AWS accounts. The company needs to implement the AWS Foundational Security Best Practices standard and must centrally log findings for the organization into one account.

Which solution will meet these requirements?

ADeploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower management account. Enable Amazon GuardDuty. Enable the GuardDuty AWS Foundational Security Best Practices standard.

BAutomatically deploy the AWS Foundational Security Best Practices standard by configuring a delegated administrator for Amazon GuardDuty from the AWS Control Tower audit account.

CConfigure a delegated administrator for AWS Security Hub from the AWS Control Tower management account. Enable the Security Hub AWS Foundational Security Best Practices standard in the AWS Control Tower audit account.

DDeploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower log archive account. Enable AWS Security Hub. Enable the Security Hub AWS Foundational Security Best Practices standard.

Answer : A

Question 5

[Incident Response]

A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket.

The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet.

All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet.

Which solution will meet these requirements?

ADeploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT gateway.

BDeploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.

CDeploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for the S3 service.

DDeploy an Amazon Simple Queue Service (Amazon SOS) queue and the Lambda functions in the same private subnet. Configure the Lambda functions to send data to the SQS queue. Configure the SOS queue to send data to the S3 bucket.

Answer : B

Understanding the Requirements:

The Lambda functions need access to S3 for writing summaries.

All traffic to S3 must stay within the AWS network and not traverse the internet.

Deploy Lambda Functions in a Private Subnet:

Place the Lambda functions in a private subnet to ensure they do not directly access the internet.

Create an S3 Gateway Endpoint:

Set up a VPC gateway endpoint for Amazon S3.

The endpoint ensures all traffic to S3 stays within AWS's private network.

Update Route Table:

Modify the route table for the private subnet to include the gateway endpoint.

IAM Permissions for the Lambda Function:

Ensure the Lambda function's execution role has permissions to write to the specified S3 bucket.

Advantages:

Cost-Effective: Eliminates NAT gateway costs for S3 traffic.

Secure: Keeps all S3 traffic within AWS's private network.

VPC Endpoint for Amazon S3

Using Lambda in VPC

Question 6

[Identity and Access Management]

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membership

What should the security engineer do to meet these requirements''

ACreate an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user

BCreate an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy

CCreate an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group

DCreate a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Answer : B

To restrict the contractor's IAM account access to the EC2 console without providing access to any other AWS services, the security engineer should do the following:

Create an IAM permissions boundary policy that allows EC2 access. This is a policy that defines the maximum permissions that an IAM entity can have.

Associate the contractor's IAM account with the IAM permissions boundary policy. This means that even if the contractor's IAM account is assigned additional permissions based on IAM group membership, those permissions are limited by the permissions boundary policy.

Question 7

[Infrastructure Security]

A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.

Which solution will meet this requirement?

AScan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.

BInstall host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.

CInstall the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.

DScan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.
Comprehensive and Detailed Explanation From Exact Extract:
Amazon Inspector is an automated vulnerability management service that continuously scans Amazon EC2 instances for software vulnerabilities and unintended network exposure. It uses a combination of the EC2 instance's metadata and installed packages to detect CVEs (Common Vulnerabilities and Exposures).
AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates. Together, these services provide detection and remediation capabilities, fulfilling both the detection and mitigation requirements.
This approach is directly aligned with AWS Security Specialty best practices for Infrastructure Security.

Answer : A