New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Specialty SCS-C02 Exam Questions and Answers PDF

Page: 6 / 24
Total 327 questions

AWS Certified Security - Specialty Questions and Answers

Question 21

A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.

Which solution will meet the requirement?

Options:

A.

Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.

B.

Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.

C.

Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.

D.

Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.

Question 22

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.

The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.

Which solution will mefet these requirements?

Options:

A.

Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.

B.

Update the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.

C.

Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source

IP addresses.

D.

Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

Question 23

Your company uses IAM to host its resources. They have the following requirements

1) Record all API calls and Transitions

2) Help in understanding what resources are there in the account

3) Facility to allow auditing credentials and logins Which services would suffice the above requirements

Please select:

Options:

A.

IAM Inspector, CloudTrail, IAM Credential Reports

B.

CloudTrail. IAM Credential Reports, IAM SNS

C.

CloudTrail, IAM Config, IAM Credential Reports

D.

IAM SQS, IAM Credential Reports, CloudTrail

Question 24

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

Which solution will meet this requirement?

Options:

A.

Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.

B.

Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

C.

Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.

D.

Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.

Page: 6 / 24
Total 327 questions