Amazon AWS Certified Security - Specialty (SCS-C01) online exam
What students need to know about the aws-certified-security-specialty-scs-c01 exam
- Total 325 Questions & Answers
Question 1
A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS
MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that
minimizes operational overhead and minimizes cost.
Which solution meets these requirements?
- A. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
- B. Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.
- C. Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys from CloudHSM for client-side encryption of application data.
- D. Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.
Answer:
A
Explanation:
Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Question 2
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard
drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by
encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a
single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?
- A. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
- B. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
- C. Use the S3 encryption client to encrypt each file individually using S3-generated data keys.
- D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.
Answer:
D
Explanation:
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
Question 3
A company has a customer master key (CMK) with imported key material. Company policy requires that all encryption keys
must be rotated every year.
What can be done to implement the above policy?
- A. Enable automatic key rotation annually for the CMK.
- B. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
- C. Import new key material to the existing CMK and manually rotate the CMK.
- D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Answer:
D
Question 4
A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The
plan must recommend a solution to meet the following requirements:
- A trusted forensic environment must be provisioned.
- Automated response processes must be orchestrated.
Which AWS services should be included in the plan? (Choose two.)
- A. AWS CloudFormation
- B. Amazon GuardDuty
- C. Amazon Inspector
- D. Amazon Macie
- E. AWS Step Functions
Answer:
A B
Explanation:
Reference: https://aws.amazon.com/blogs/security/how-to-automate-incident-response-in-aws-cloud-for-ec2-instances/
Question 5
A company's security engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)
- A. Configuring AWS Organizations to monitor root user API calls on the paying account
- B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
- C. Configuring Amazon Inspector to scan the AWS account for any root user activity
- D. Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
- E. Using Amazon SNS to notify the target group
Answer:
B E
Question 6
A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to
perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase
the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will
encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow
cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have
been granted the proper permissions to execute tasks?
- A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographic operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
- B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographic operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
- C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographic operations and that defines the EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
- D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographic operations against the centrally managed CMK.
Answer:
D
Explanation:
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
Question 7
A company's developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux
AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the
following host-based security measures for these instances:
- Block traffic from documented known bad IP addresses.
- Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?
- A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager, and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
- B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instances' subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
- C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow-listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
- D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
Answer:
C
Question 8
A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume
when they need to upload sensitive documents to Amazon S3 buckets in Account A.
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication
(MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.
Which solution should the security engineer recommend?
- A. Add an aws:MultiFactorAuthPresent condition to the role's permissions policy.
- B. Add an aws:MultiFactorAuthPresent condition to the role's trust policy.
- C. Add an aws:MultiFactorAuthPresent condition to the session policy.
- D. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.
Answer:
D
Question 9
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed
that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW
rules in place to permit this traffic. Which of the following troubleshooting steps should be performed?
- A. Check inbound and outbound security groups, looking for DENY rules
- B. Check inbound and outbound Network ACL rules, looking for DENY rules
- C. Review the rejected packet reason codes in the VPC Flow Logs
- D. Use AWS X-Ray to trace the end-to-end application flow
Answer:
C
Question 10
A company requires that IP packet data be inspected for invalid or malicious content. Which of the following approaches
achieve this requirement? (Choose two.)
- A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
- B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
- C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
- D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
- E. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
Answer:
A B