SCS-C01 – AWS Certified Security Specialty

SCS-C01 – AWS Certified Security Specialty

Exam Questions

  1. Conflicts between AWS S3 bucket polices and IAM Polices
    1. https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
  2. How do you restrict access to S3 Buckets;
    • Restrict access to S3 Buckets using Polices and Pre-Signed URLs
    • IAM polices, S3 bucket polices, and S3 ACLs
    • AWS follows the least-privilege principle, so by default everything is denied.
    • If you allow something, it only takes on of the explicit deny for the result to be denied.
    • An explicit deny will always override an allow.
    • $aws s3 presign s3://<mybucket>/<myobject> –expres-in 120
  3. What is required trust relationship for Active Directory and AWS SSO?
    • ADFS is trusted ID provider in AWS
    • AWS is a trusted replying party in ADFS
  4. In a VPC, all subnets are routed by default, But, how can you prevent network traffic between them?
    • ACLs and Security Groups.
    • Remove the default routes.
    • ACLS and IAM Polices.
    • Answer: ACLs and Security Groups.
  5. Your company is serving content through a CloudFront distribution. Your IR team wishes to review data to identify possible indicators of compromise or anomalous events. In particular they are looking for source IP address, the original request, the referrer and protocol information. Where should they look for this data?
    • CloudFront access logs for the distribution.
  6. You need to create a logging strategy for your company’s accounts. The logging data must be kept securely and be readily usable for 90 days. After 90 days, the logs probably will not be required, but must still be retained for compliance for 10 years. What solutions ensures that your logs are securely retained for the entirety of the required duration in the most cost-effective manner?
    • Send all logs to central logging account S3 bucket. Ensure that the bucket is protected with a bucket policy that only allows read access to security admins, denying all other access. Create a lifecycle policy that automatically moves the data to Amazon S3 Glacier after 90 days, and then automatically deletes the logs after 10 years.
  7. Your company has created a centralised logging account where all AWS CloudWatch and AWS CloudTrail logs are delivered. You’ve created a new account using AWS CloudFormation. In this account, you’ve built a Lambda function to stream the generated logs and send them to your logging account’s S3 bucket. When completing a test run of your Lambda function, a 403 error is returned. What change will quickly resolve this issues without sacrificing security best practices?
    • Change you permissions statement on the Lambda function to allow access to the logging account S3 Bucket.
  8. A recent security review discovered that your company’s ecommerce site accepts an SSL session with a non-compliant cipher. You must prevent this specific cipher from being used to secure a client’s session when communicating to and from the elastic load balancer. What steps should you take?
  9. You are responding to a DDoS attack on your company’s application. The application is composed of a dynamic website running on EC2 instances behind a CloudFormation distribution. The attack is being launched from a large number of IP address across many different countries. The attack is targeting valid URI, but seems to have a common misspelling in the query string that were passed. What quick solution could you implement to block this attack?
  10. Your company has public-facing three-tiered application that uses an ALB in the front of the presentation layer and a second ALB connecting the presentation layer to the application layer. The application is being targeted by a variant of a sophisticated SQL injection attack. The attacks are coming from blocks of IP addresses that are in use by existing legitimate customers. What is the easiest way to protect your applications?
    1. Block the attack by implementing AWS WAF and use rules that look for SQL injection.
  11. Your company, BigBank, has set up automated penetrating testing and vulnerability analysis from servers under their control (on EC2 instances). This is working well, buy you notice that it is causing excessive numbers of alarms in Amazon GuardDuty. What is the simplest way to hide these false positives?
    1. Allocate an elastic IP address for the EC2 instances and then update the trusted IP address list in GuardDuty.
  12. You are building a mobile app for consumers to post images online. You will be storing the images in Amazon S3. You want to implement user authentication cheaply and simply. Which one if these options allows you to build a photo-sharing application that meets costs and effort requirements?
    1. Build the application using AWS Cognito and web identity federation to allow users to login using Facebook or Google accounts. Once they are logged, the the secret token paused to that user is used to directly access resources on AWS like Amazon S3.
  13. You are the security architect at BigPharma and you are concerned about infrastructure security for EC2 instances. In particular, you known that your company developers will want to make API requests from those instances. What should you recommend as a best practice?
    1. Developers should use IAM roles to grant permissions to EC2 instances. Thy should create multiple re-usable roles and assign the one that matches the least privileges required.
  14. You are the security administrator at BigPhoneCompany, the national telecommunication carrier. You want to be able to automate isolation of specific instances in several public subnets that contain EC2 instances. What is the simplest way to do this?
    1. Create a Lambda function that modifies the security group to block inbound traffic.
  15. A corporate web application is deployed within a Amazon Virtual Private Cloud (Amazon VPC) and is connected to the corporate data centre via an iPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an S3 keyspace specific to that user. Which approaches can fulfil these goals?
    1. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls AWS STS to assume that IAM role. The application cam use the temporary credentials to access the bucket.
    2. Develop an identity bucket that authenticates against LDAP and then calls AWS STS to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the bucket.
  16. Your organisation has hundreds of developers, testers and QA staff. You are about to begin using AWS on a large scale for the first time. You want to integrate with your existing identity management system running on Microsoft Active Directory. How should you manager your AWS identities in the simplest manner?
    1. Use a large AWS Directory Services AD Connector.
  17. You have a client whose application creates extremely sensitive data from user input. This data needs to be securely transmitted to a data store and requires end-to-end encryption with controlled access to the sensitive data. Which of the following options offer the most data protection while still making the data available to authenticated users?
    1. Upload the data to Amazon S3, and make sure the bucket has a policy to only allow put/get access if secure transport is enabled, using AES-256 SSE-S3 managed encryption keys.
  18. When using an encrypted file system to protect your data at rest, what steps are required to ensure that you protect your data and metadata in the most cost-effective and simple manner?
    1. Create an Amazon Elastic File System (Amazon EFS) using AWS KMS key encryption.
    2. Create an Amazon CloudWatch alarm to detect unencrypted file system.
  19. You have been tasked with creating a strategy to enforce encryption of your data in transit. What can you do to ensure that your data is protected in transit.
    1. Enable HTTPS listeners for your load balancers. Don’t allow non-protected ports in your load balancer security group.
  20. Your company needs to monitor active/realtime traffic (for full packet analysis and replay capture) within their AWS environment. They would like to do full packet analysis of traffic to/from specific EC2 instances. What is the easiest way to do this?
  21. AWS Certified Security – Specialty (SCS-C01) Sample Exam Questions
  22. An application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance must use user credentials to access a database. The developer has stored those secrets in the AWS Systems Manager Parameter Store using the default AWS Key Management Service (AWS KMS) customer master key. Which steps allow the application to access the secrets via the API?  (Select TWO.) 
    1. Add permissions to read the Systems Manager parameter to the EC2 instance role.
    2. Add permission to use the AWS KMS key to decrypt to the EC2 instance role.
  23. A company is using AWS CloudTrail to log all AWS API activity for all Regions in all of its accounts. The chief information security officer has asked the team to take additional steps to protect the integrity of the log files. Which steps will protect the log files from unintentional changes? (Select TWO.)
    1. Create an Amazon S3 bucket in a dedicated log account and grant the other account write-only access. Deliver all log files from every account to the S3 bucket.
    2. Enable CloudTrail logs file integrity validation.
  24. A company requires that data stored in AWS be encrypted at rest. Which approaches best achieve this requirement? (Select TWO.)
    1. When storing data in Amazon EBS, encrypt the volume using AWS KMS.
    2. When storing data in Amazon S3, enable server-side encryption.
  25. A company is deploying a new web application on AWS. Based on the company’s other web applications, it anticipates being the target of frequent distributed denial of service (DDoS) attacks. Which steps can the company use to protect its application? (Select TWO.)
    1. Use an Application Load Balancer and an Auto Scaling group to scape and absorb application-layer traffic.
    2. Use Amazon CloudFront to prevent malicious traffic from reaching the application.
  26. A security engineer must ensure the monitoring of all infrastructure launched in the company AWS account for deviation from compliance rules. Specifically, the engineer must ensure that all EC2 instances launch from a specific list of Amazon Machine Images (AMIs) and that all attached Amazon EBS volumes are encrypted. The security engineer must terminate infrastructure that is not in compliance. What are the best solutions to ensure compliance rules are enforced? (Select TWO.)
    1. Trigger an AWS Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
    2. Monitor compliance with AWS Config rules triggered by configuration changes.
  27. A company currently has an Amazon S3 bucket hosted in an AWS account. The bucket holds information that a partner account needs to access. What are the most secure ways to allow the partner account to access the S3 bucket in the AWS account? (Select TWO.)
    1. Ensure that the partner users an external ID and then makes the request.
    2. Provide an Amazon Resource Name (ARN) for the role to the partner account.
  28. A company has mandated that all calls to the AWS KMS service be recorded. How can this task be achieved?
    1. Enable trails in AWS CloudTrail
  29. A company has enabled automatic key rotation for an existing customer master key (CMK) where the customer manages the backing key, when is the CMK rotated?
    1. After 1 year
  30. An AWS Lambda function reads metadata from an Amazon S3 object and stores the metadata in an Amazon DynamoDB table. Storing an object within the S3 bucket triggers the function. How should a company give the Lambda function access to the DynamoDB table?
    1. Create an IAM role with permissions to write to the DynamoDB table Associate the role with Lambda function.
  31. A company has an EC2 instance set up in a test environment in AWS. The developer installed the required application and then promoted the server to a production environment. The IT security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can the developer immediately mitigate this situation without impacting the application?
    1. Remove the rule for incoming traffic on port 22 for the security group.
  32. Each day, a security team must brief the chief information security officer with a report about which of hundreds of Amazon EC2 instances and on-premises servers lack the latest security patches. The security team must bring all instances and servers into compliance within 24 hours so they do not show up on the next day’s report. How can the security team fulfill these requirements?
    1. Use AWS Systems Manager Patch Manager to generate the report and install the missing patches on all instances and servers.
  33. A company is hosting a website that must be accessible to users for HTTPS traffic. Port 22 should be open for administrative purposes. Which security group configurations are the MOST secure but still functional to support these requirements? (Select TWO.)
    1. Port 443 coming from 0.0.0.0/0
    2. Port 22 coming from 10.0.0.0/16
  34. A company has defined a number of Amazon EC2 instances over a period of 6 months. The company wants to know if any of the security groups allow unrestricted access to a resource. Which option best accomplishes this requirement?
    1. Use AWS Trusted Advisor to see which security groups have compromised access.
  35. A company wants to have a secure way of generating, storing, and managing cryptographic keys. The company also wants to have exclusive access for the keys. Which option can the company use for this purpose?
    1. Use AWS CloudHSM
  36. Which AWS service manages authentication from social sign-in providers for mobile applications?
    1. AWS Cognito
  37. What can be used to troubleshoot network issues, including traffic going into and out of your instances?
    1. VPC Flow logs
  38. Which statements below correctly describe the AWS Global infrastructure? Select TWO.
    1. Availability Zones consist of one or more data centers.
    2. Regions have geographically dispersed Availability Zones.
  39. Which of the statements below provides an example of how AWS helps customers meet their security and compliance needs?
    1. AWS assists customers in integrating their existing control frameworks.
  40. Which statement below is performed by AWS as an example regarding security OF the cloud?
    1. Decommissioning storage devices according to NIST 800-88
  41. What type of AWS credentials is required to SSH directly into an Amazon EC2 instance?
    1. EC2 key pairs
  42. Which statement is true when describing your AWS account root user credentials?
    1. They provide unrestricted access to your AWS account resources.
  43. How can AWS CloudFormation be used in an incident response solution?
    1. Deploying pre-configured instances for forensics analysis
  44. Where can you find account activity information on API calls performed via the AWS Management Console or the AWS CLI?
    1. AWS CloudTrail logs
  45. Which AWS service feature helps secure your Amazon VPC resources by providing isolation at the instance level?
    1. Security groups
  46. Which AWS services below can be used in tandem to help protect against DDoS attacks? Select THREE.
    1. Amazon CloudFront
    2. Amazon Route 53
    3. AWS Shield
  47. Which feature helps secure your Amazon VPC resources by providing isolation at the subnet level?
    1. Network ACLs
  48. Which statement is true regarding the AWS Well-Architected Tool?
    1. It provides information on potential risks in your workload.
  49. Which statement is true regarding Amazon S3 default (SSE-S3) server-side encryption?
    1. Amazon S3 generates and manages the encryption keys.
  50. Which AWS services/features can be used to provide data protection at rest and in transit? Select THREE.
    1. AWS KMS
    2. AWS Certificate Manager
    3. VPN connectiity
  51. Your security team has been informed that one of your IAM username/passwords pairs has been published to social media and has been used several times by unauthorized sources. How can the security team stop the unauthorized access, and determine what actions were taken with the compromised account, with minimal impact on existing account resources?
    • Immediately change the IAM user password, and analyze CloudTrail logs for unauthorized actions. 
  52. An application running in EC2 has a requirement for independent, periodic security checks against the application code. These checks can send notifications upon warning, but for critical alerts they must shut down the application in the instance. How can your security team perform these checks without injecting code into the application, while meeting the notification and active response requirement?
    • Deploy a second application on the EC2 instance with the security audit code. Send security audit results to CloudWatch Events, and create a rule to send warning events to SNS, and critical events to SSM Run Command to stop the application. 
  53. You’ve been asked to stream application logs from CloudWatch Logs to Splunk. There is an existing subscription to filter on the log group, set up for kinesis Firehose to S3. What is the most appropriate way to ingest the logs in near real-time for Splunk analysis?
    • Enable Source record transformation on the Kinesis Firehose. Create a Lambda function using the Splunk blueprints which decompresses the log entries and pushes to Splunk.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.