SCS-C02 Amazon Web Services AWS Certified Security

AWS Certified Security - Specialty

Last Update 12 hours ago Total Questions : 467

The AWS Certified Security - Specialty content is now fully updated, with all current exam questions added 12 hours ago. Deciding to include SCS-C02 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C02 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C02 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security - Specialty practice test comfortably within the allotted time.

Question # 51

A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Which solution will meet this requirement?

Configure S3 Versioning to expire object versions that have been in the S3 bucket for 72 hours.

Configure an S3 Lifecycle configuration rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects in the S3 bucket. Configure S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Generate S3 presigned URLs for the vendor to use to download the objects. Expire the URLs after 72 hours.

Question # 52

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

Manually rotate a key within KMS to create a new CMK immediately

Use the KMS import key functionality to execute a delete key operation

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Question # 53

A company hosts its microservices application on Amazon Elastic Kubernetes Service (Amazon EKS). The company has set up continuous deployments to update the application on demand. A security engineer must implement a solution to provide automatic detection of anomalies in application logs in near real time. The solution also must send notifications about these anomalies to the security team. Which solution will meet these requirements?

Configure Amazon CloudWatch Container Insights to collect and aggregate EKS application logs. Create a CloudWatch alarm to monitor for anomalies. Configure the alarm to launch an AWS Lambda function to alert the security team when anomalies are detected.

Configure Amazon EKS to send application logs to Amazon CloudWatch. Create a CloudWatch alarm based on a log group metric filter. Specify anomaly detection as the threshold type. Configure the alarm to use Amazon Simple Notification Service (Amazon SNS) to alert the security team.

Configure Amazon EKS to export logs to Amazon S3. Use Amazon Athena queries to analyze the logs for anomalies. Use Amazon QuickSight to visualize and monitor user access requests for anomalies. Configure Amazon Simple Notification Service (Amazon SNS) notifications to alert the security team.

Configure AWS App Mesh to monitor the traffic to the microservices in Amazon EKS. Integrate App Mesh with AWS CloudTrail for logging. Use Amazon Detective to analyze the logs for anomalies and to alert the security team when anomalies are detected.

Answer:

Explanation:

Comprehensive Detailed Explanation with all AWS References

To achieve automatic detection of anomalies in application logs in near real time and notify the security team, the following solution is appropriate:

1. Configure Amazon EKS to Send Application Logs to Amazon CloudWatch:

Log Collection:Set up Fluent Bit or Fluentd as a DaemonSet within your EKS cluster to collect application logs and forward them to Amazon CloudWatch Logs. This setup ensures that all application logs are centralized in CloudWatch for monitoring and analysis.

[Reference:Logging and monitoring on Amazon EKS, 2. Create a CloudWatch Log Group Metric Filter and Alarm with Anomaly Detection:, Metric Filter:In CloudWatch Logs, define a metric filter to extract specific metrics from the log data. For instance, you can create a filter that counts the number of error messages or specific patterns indicative of anomalies., Reference:Monitoring & Logging Setup of Application Deployed in EKS, Anomaly Detection:Enable CloudWatch Anomaly Detection on the metric to automatically establish a baseline of expected values and detect deviations that may indicate anomalies., Reference:Unlocking Insights: Turning Application Logs into Actionable Metrics, Alarm Configuration:Set up a CloudWatch Alarm using the anomaly detection model as the threshold. This alarm will trigger when the metric deviates from the expected baseline, indicating a potential anomaly., 3. Configure Notifications to the Security Team via Amazon SNS:, SNS Topic:Create an Amazon Simple Notification Service (SNS) topic dedicated to security alerts., Subscription:Subscribe the security team's email addresses or communication channels to the SNS topic to ensure they receive notifications promptly., Alarm Action:Configure the CloudWatch Alarm to publish a message to the SNS topic when it detects an anomaly. This setup ensures that the security team is alerted in near real time whenever an anomaly is detected in the application logs., This solution leverages AWS managed services to provide a scalable and efficient method for real-time anomaly detection and alerting, aligning with AWS best practices for monitoring and security., , , , , ]

Question # 54

A company runs a cron job on an Amazon EC2 instance on a predefined schedule The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 instance rote have the necessary configuration for this job.

Which process should the bash script use to encrypt the file?

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

Use the aws kms create-grant command to generate a grant for the existing KMS key.

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

Question # 55

A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets.

The company needs to replicate the S3 objects from the company's primary AWS Region to a secondary Region to meet disaster recovery requirements. The company must also ensure that users who have administrator access cannot permanently delete the data in the secondary Region.

Which solution will meet these requirements?

Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region

Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.

Question # 56

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.

THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution

Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

Create an origin access identity (OAI) for the S3 origin

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Question # 57

A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company’s security policies for accessing other AWS resources from Amazon EC2.

A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.

The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).

Which combination of steps should the security engineer take to gather this information? (Choose two.)

Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.

Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.

Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.

Question # 58

A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a bruteforce attack because of the high number of connections that happen every hour.

The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the companys visibility of potential anomalous behavior.

Which solution will meet these requirements?

Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.

Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.

Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.

Create an AWS Lambda function that has the appropriate permissions to de-lete the finding whenever a new occurrence is reported.

Question # 59

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1. Region Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at test. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.

Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.

Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer's IAM account.

Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

Question # 60

A security engineer needs to run an AWS CloudFormation script. The CloudFormation script builds AWS infrastructure to support a stack that includes web servers and a MySQL database. The stack has been deployed in pre-production environments and is ready for production.

The production script must comply with the principle of least privilege. Additionally, separation of duties must exist between the security engineer's IAM account and CloudFormation.

Which solution will meet these requirements?

Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Attach the policy to a newIAM role. Modify the security engineer's IAM permissions to be able to pass the new role to CloudFormation.

Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role. Modify the security engineer's IAM permissions to be able toassume the new role.

Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Modify the securityengineer's IAM permissions to be able to run the CloudFormation script.

Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role. Use the IAM policy simulator to confirm that the policy allows the AWS API calls that are necessary to build the stack. Modify the security engineer's IAM permissions to be able to pass the new role to CloudFormation.

Answer:

Explanation:

The correct answer is A. Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Attach the policy to a new IAM role. Modify the security engineer’s IAM permissions to be able to pass the new role to CloudFormation.

According to the AWS documentation, IAM Access Analyzer is a service that helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. You can also use IAM Access Analyzer to generate fine-grained policies that grant least privilege access based on access activity and access attempts.

To use IAM Access Analyzer policy generation, you need to enable IAM Access Analyzer in your account or organization. You can then use the IAM console or the AWSCLI to generate a policy for a resource based on its access activity or access attempts. You can review and edit the generated policy before applying it to the resource.

To use IAM Access Analyzer policy generation with CloudFormation, you can follow these steps:

Run the CloudFormation script in a pre-production environment and monitor its access activity or access attempts using IAM Access Analyzer.

Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. The policy will include only the permissions that are necessary for the script to function.

Attach the policy to a new IAM role that has a trust relationship with CloudFormation. This will allow CloudFormation to assume the role and execute the script.

Modify the security engineer’s IAM permissions to be able to pass the new role to CloudFormation. This will allow the security engineer to launch the stack using the role.

Run the CloudFormation script in the production environment using the new role.

This solution will meet the requirements of least privilege and separation of duties, as it will limit the permissions of both CloudFormation and the security engineer to only what is needed for running and managing the stack.

Option B is incorrect because creating an IAM policy that allows ec2:* and rds:* permissions is not following the principle of least privilege, as it will grant more permissions than necessary for running and managing the stack. Moreover, modifying the security engineer’s IAM permissions to be able to assume the new role is not ensuring separation of duties, as it will allow the security engineer to bypass CloudFormation and directly access the resources.

Option C is incorrect because modifying the security engineer’s IAM permissions to be able to run the CloudFormation script is not ensuring separation of duties, as it will allow the security engineer to execute the script without using CloudFormation.

Option D is incorrect because creating an IAM policy that allows ec2:* and rds:* permissions is not following the principle of least privilege, as it will grant more permissions than necessary for running and managing the stack. Using the IAM policy simulator to confirm that the policy allows the AWS API calls that are necessary to build the stack is not sufficient, as it will not generate a fine-grained policy based on access activity or access attempts.

Go to page: