Amazon (SCS-C01) Exam Questions And Answers page 25
A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.
After several minutes, the Engineer finds that his Athena query has failed with the error message: Insufficient Permissions. The IAM permissions of the Security Engineer and the Lambda function are shown below:
Security Engineer
Lambda function execution role
What is causing the error?
The Lambda function does not have permissions to start the Athena query execution.
The Security Engineer does not have permissions to start the Athena query execution.
The Athena service does not support invocation through Lambda.
The Lambda function does not have permissions to access the CloudTrail S3 bucket.
Logging and Monitoring
Infrastructure Security
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?
Use envelope encryption with the AWS-managed CMK aws/s3.
Create a customer-managed CMK with a key policy granting kms:Decrypt based on the ${aws:username} variable.
Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
Change the applicable IAM policy to grant S3 access to Resource : arn:aws:s3:::examplebucket/${aws:username}/*
Infrastructure Security
Identity and Access Management
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.
Which steps should the security engineer take to meet these requirements?
Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
Ensure that AWS Trusted Advisor is enabled in the account, and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub, and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket.
Incident Response
Logging and Monitoring
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched.
What could be causing these terminations?
The IAM user launching those instances is missing ec2:RunInstances permissions
The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions
The instance profile used with the EC2 instances is unable to query instance metadata
AWS currently does not have sufficient capacity in the Region
Incident Response
Infrastructure Security
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs.
How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
Implement a rate-based rule with AWS WAF.
Use AWS Shield to limit the originating traffic hit rate.
Implement the GeoLocation feature in Amazon Route 53.
Logging and Monitoring
Infrastructure Security
A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.
What immediate action should the security engineer take?
Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.
Incident Response
Logging and Monitoring
A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).
Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)
Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using this CVE rule package on all instances tagged as being in the development environment.
Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.
Infrastructure Security
Identity and Access Management
A security engineer is analyzing Amazon GuardDuty findings. The security engineer observes an Impact value for ThreatPurpose in a GuardDuty finding.
What does this value indicate?
An adversary has compromised an AWS resource so that the resource is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.
GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.
GuardDuty is detecting activity or activity patterns that suggest that an adversary is attempting to manipulate, interrupt, or destroy the company's systems and data.
GuardDuty is detecting activity or activity patterns that an adversary might use to expand its knowledge of the company's systems and internal networks.
Incident Response
Logging and Monitoring
A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message: There is a problem with the bucket policy.
What will enable the Security Engineer to save the change?
Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
Logging and Monitoring