
Changed SCS-C01 Exam Questions

Page: 44 / 44
Total 589 questions

AWS Certified Security - Specialty Questions and Answers

Question 173

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.

What could have been done to detect and automatically remediate the incident?

Options:

A. Using Amazon Inspector, review all of the API calls and configure the Inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.

B. Using AWS Config, create a Config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate AWS Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.

D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Question 174

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.

The mail application should be configured to connect to which of the following endpoints and corresponding ports?

Options:

A. email.us-east-1.amazonaws.com over port 8080

B. email-pop3.us-east-1.amazonaws.com over port 995

C. email-smtp.us-east-1.amazonaws.com over port 587

D. email-imap.us-east-1.amazonaws.com over port 993

Question 175

Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?

Options:

A. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.

B. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.

C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.

D. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
