Amazon AWS Certified Security - Specialty SCS-C02 Exam Practice Questions (P. 2)
- Full Access (297 questions)
- Six months of Premium Access
- Access to one million comments
- Seamless ChatGPT Integration
- Ability to download PDF files
- Anki Flashcard files for revision
- No Captcha & No AdSense
- Advanced Exam Configuration
Question #6
A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy.
The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months.
Which combination of steps should a security engineer take to meet these requirements? (Choose two.)
The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months.
Which combination of steps should a security engineer take to meet these requirements? (Choose two.)
- AUse the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
- BUse AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
- CUse AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
- DSet the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.
- ESet the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.
Correct Answer:
DC
DC
GPT-4o - Answer
AWS Backup enables the setup of automatic backup plans per the specified schedule, fitting the company’s need to back up on the 15th and 25th days of each month and retain these for three months. Additionally, using a cron schedule for backup frequency eases the adherence to very specific periodic backup requirements, especially those on fixed days each month. AWS DataSync isn't appropriate here as its primary use is for data transfer rather than backup tasks. Thus, utilizing AWS Backup in combination with cron scheduled expressions provides a comprehensive solution that directly addresses the company's requirements.
Question #7
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS IAM Identity Center (AWS Single Sign-On) enabled.
Which additional steps should the security engineer take to complete the task?
Which additional steps should the security engineer take to complete the task?
- AUse AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees’ job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
- BUse an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees’ job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.
- CUse an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Link IAM Identity Center groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.
- DUse AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify IAM Identity Center as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
Correct Answer:
B
B
GPT-4o - Answer
In managing multi-account authentication and authorization without introducing extraneous user-managed architectural elements, leveraging AWS IAM Identity Center (formerly AWS Single Sign-On) proves most efficient. It inherently simplifies user and group creation, managing permissions, and benefits from AWS-native integration. This not only reduces administrative overhead by eliminating the need for duplicated IAM user configurations across accounts but also aligns perfectly with the use of AWS native features and streamlined operations without on-premise dependencies. Thus, the initial setup through AWS IAM Identity Center using its default directory is indeed the correct approach to satisfy these requirements.
Question #8
A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.
Which solution will meet these requirements?
Which solution will meet these requirements?
- AConfigure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
- BConfigure GuardDuty to send the event to Amazon EventBridge. Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
- CEnable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
- DEnable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.
Correct Answer:
A
A
GPT-4o - Answer
The selected answer, which involves using Amazon Kinesis data stream, effectively leverages AWS services for real-time processing of GuardDuty events to automate threat response actions. By having Kinesis Data Analytics process events and trigger responses such as notifications via SNS and modifying Network ACLs to block traffic, the solution is not only responsive but also minimizes potential damages by isolating the suspicious instance swiftly. This approach is more aligned with Amazon best practices for handling real-time security events, ensuring a robust defense mechanism is in place against threats like RDP brute force attacks on EC2 instances.
Question #9
A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.
Which solution will meet these requirements MOST quickly?
Which solution will meet these requirements MOST quickly?
- ALog in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
- BLog in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
- CLog in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
- DLog in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.
Correct Answer:
B
B
GPT-4o - Answer
Option B is the most efficient method in this scenario for investigating the security incident reported by GuardDuty. Utilizing read-only credentials ensures that the security checkup does not interfere with application function or data integrity. Amazon Detective's integration with GuardDuty facilitates rapid analysis by providing contextual insight into the suspicious API activities, enhancing the speed and accuracy of the investigation process. This approach is not only swift but also maintains a high level of security compliance by avoiding any modifications to existing permissions or settings.
Question #10
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
- AIn Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
- BIn Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
- CIn Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
- DIn Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
Correct Answer:
A
A
GPT-4o - Answer
The correct approach here involves setting the appropriate access permissions at the S3 bucket policy level, as multiple users suggested. For cross-account accessibility, the S3 bucket policy in Account B should be configured to identify and allow actions from the principal (user/account ID) in Account A. This setup directly aligns permissions with the bucket, facilitating seamless access without modifying individual object ACLs or requiring complex user policy configurations. It's a common practice that ensures broader and more manageable access controls for resources shared across different AWS accounts.
All Pages