CertsTopics Logo

New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Sure Pass Exam SCS-C01 PDF

Page: 19 / 44
Total 589 questions
Get SCS-C01 Full Access Download SCS-C01 PDF

AWS Certified Security - Specialty Questions and Answers

Question 73

A security engineer has noticed that VPC Flow Logs are getting a lot REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

What immediate action should the security engineer take?

Options:

A.

Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.

B.

Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.

C.

Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that IAM account Install the Amazon Inspector agent cm the suspicious EC 2 instance to perform a scan.

D.

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Question 74

A company has a serverless application for internal users deployed on IAM. The application uses IAM Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC The company uses IAM Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues

  • The Lambda function has internet access.
  • The relational database is publicly accessible.
  • The database credentials are not stored in an encrypted state.

Which combination of steps should the company take to resolve these security issues? (Select THREE)

Options:

A.

Disable public access to the RDS database inside the VPC

B.

Move all the Lambda functions inside the VPC.

C.

Edit the IAM role used by Lambda to restrict internet access.

D.

Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.

E.

Edit the IAM role used by RDS to restrict internet access.

F.

Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.

Question 75

The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an IAM KMS customer managed key (CMK).

Which CMK-related issues could be responsible? (Choose two.)

Options:

A.

The CMK specified in the application does not exist.

B.

The CMK specified in the application is currently in use.

C.

The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.

D.

The CMK specified in the application is not enabled.

E.

The CMK specified in the application is using an alias.

Question 76

A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.

How can the Engineer perform the key rotation process MOST efficiently?

Options:

A.

Create a new CMK, and redirect the existing Key Alias to the new CMK

B.

Select the option to auto-rotate the key

C.

Upload new key material into the existing CMK.

D.

Create a new CMK, and change the application to point to the new CMK

Page: 19 / 44
Total 589 questions
Get SCS-C01 Full Access Download SCS-C01 PDF