Sure Pass Exam SCS-C02 PDF

The below diagram from an IAM blog shows how security groups can be monitored

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because you need to use Cloudwatch Events to check for chan,

Option B is invalid because you need to use Cloudwatch Events to check for chang

Option C is invalid because IAM inspector is not used to monitor the activity on Security Groups

For more information on monitoring security groups, please visit the below URL:

Ihttpsy/IAM.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-your-amazonj 'pc-security-groups/

The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Submit your Feedback/Queries to our Experts

The correct answer is A because it allows the security engineer to add the X-Frame-Options header to the HTTPS responses from the application origin without modifying the origin itself. A Lambda@Edge function is a Lambda function that runs in response to CloudFront events, such as viewer request, origin request, origin response, or viewer response. By configuring the function to runin response to the origin response event, the security engineer can modify the response headers that CloudFront receives from the origin before sending them to the viewer1. The function can include code to add the X-Frame-Options header with the desired value, suchas DENY or SAMEORIGIN, to prevent frame-related cross-site scripting attacks2.

The other options are incorrect because they are either less efficient or less secure than option A. Option B is incorrect because configuring the Lambda@Edge function to run in response to the viewer request event is not optimal, as it adds latency to the request processing and does not modify the response headers that CloudFront receives from the origin. Option C is incorrect because adding X-Frame-Options to custom headers in the origin settings does not affect the response headers that CloudFront sends to the viewer. Custom headers are only used to send additional information to the origin when CloudFront forwards a request3. Option D is incorrect because customizing the EC2 hosted application to add the X-Frame-Options header to the responses requires changing the origin code, which may not be feasible or desirable for the security engineer.

Understand the Problem:

The inability of external users to log in indicates potential issues with configuration or permissions.

Review Cognito Configuration:

Check for recent changes in Cognito user pool settings, such as password policies or authentication flow configurations.

Ensure the app client settings (e.g., callback URLs, OAuth flows) are correctly configured.

Review IAM Policies and Role Trust Relationships:

Verify that IAM roles used by Cognito (e.g., for identity providers) have the correct policies attached.

Ensure trust relationships for roles are properly configured to allow Cognito to assume them.

Advantages of Reviewing Configurations:

Addresses the root cause of login failures without disrupting user experience (e.g., resetting passwords).

Next Steps:

If no issues are found in the configuration, proceed with detailed logging and monitoring using CloudTrail (Option A).

Troubleshooting Amazon Cognito User Pools

Configuring App Clients in Cognito

IAM Roles for Cognito