Amazon (SCS-C01) Exam Questions And Answers page 32
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Choose two.)
Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
Verify that the S3 bucket defined in CloudTrail exists.
Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
Incident Response
Logging and Monitoring
Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.
Which of the following solutions will meet these requirements?
Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.
Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn an SSL connection between the load balancer and the EC2 instances.
Infrastructure Security
Identity and Access Management
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that containers are secure.
Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)
Use the containers to automate security deployments.
Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
Segregate containers by host, function, and data classification.
Use Docker Notary framework to sign task definitions.
Enable container breakout at the host kernel.
Infrastructure Security
Identity and Access Management
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?
Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
Data Protection
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent.
Why were there no alerts on the sudo commands?
The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs.
The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
Logging and Monitoring
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?
Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
Logging and Monitoring
Infrastructure Security
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?
Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.
Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
Identity and Access Management
Data Protection
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Choose two.)
Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the Alerting state and restart them using the EC2 console.
Verify that the EC2 instances have a route to the public AWS API endpoints.
Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.
Incident Response
Logging and Monitoring
Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.
Which of the following methods will ensure that the data is unreadable by anyone else?
Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.
Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.
Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.
Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.
Identity and Access Management
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy-enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?
Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Infrastructure Security
Identity and Access Management