AWS Certified Security - Specialty SCS-C02
A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy.
The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months.
Which combination of steps should a security engineer take to meet these requirements? (Choose two.)
A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months. Most Voted
D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan. Most Voted
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.
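Worked example, added by the editor and not part of the exam page: the backup plan and resource selection that options C and D describe, written as the request bodies that AWS Backup's CreateBackupPlan and CreateBackupSelection accept, plus a small offline checker that shows why a cron expression, and not a rate() expression, can land exactly on the 15th and the 25th. The plan name, vault name, IAM role ARN and table ARNs are placeholders; the cron evaluator handles only the field forms this schedule uses.

```python
"""Twice-monthly AWS Backup plan for DynamoDB tables (added example).
Placeholders: plan/vault names, the role ARN and the table ARNs."""
import calendar
from datetime import date, datetime, timedelta

# AWS Backup uses the six-field EventBridge cron syntax
# (minute hour day-of-month month day-of-week year), UTC unless
# ScheduleExpressionTimezone is set on the rule.
SCHEDULE = "cron(0 0 15,25 * ? *)"
RETENTION_DAYS = 90   # "3 months"; AWS Backup lifecycles are expressed in days


def build_backup_plan(plan_name, vault_name, schedule=SCHEDULE,
                      retention_days=RETENTION_DAYS):
    """BackupPlan input for backup:CreateBackupPlan (one rule, 3-month retention)."""
    return {
        "BackupPlanName": plan_name,
        "Rules": [{
            "RuleName": "twice-monthly-midnight",
            "TargetBackupVaultName": vault_name,
            "ScheduleExpression": schedule,
            "StartWindowMinutes": 60,
            "CompletionWindowMinutes": 180,
            "Lifecycle": {"DeleteAfterDays": retention_days},
        }],
    }


def build_selection(selection_name, role_arn, table_arns):
    """BackupSelection input for backup:CreateBackupSelection; every table is
    assigned explicitly by ARN (a tag-based selection would also work)."""
    return {"SelectionName": selection_name, "IamRoleArn": role_arn,
            "Resources": list(table_arns)}


def cron_fires_on(expr, when):
    """Evaluate the cron(...) fields used above: numbers, comma lists, '*' and '?'.
    The day-of-week field must be '?' (no weekday logic is implemented here)."""
    minute, hour, dom, month, dow, year = expr[len("cron("):-1].split()
    assert dow == "?", "example evaluator only supports '?' for day-of-week"

    def match(field, value):
        return field in ("*", "?") or value in {int(v) for v in field.split(",")}

    return (match(minute, when.minute) and match(hour, when.hour) and
            match(dom, when.day) and match(month, when.month) and match(year, when.year))


def fires_at(expr, year, month, day, hour=0, minute=0):
    return cron_fires_on(expr, datetime(year, month, day, hour, minute))


def firing_days(expr, year, month):
    """Days of a month on which the cron expression fires at least once."""
    d, days = date(year, month, 1), []
    while d.month == month:
        if any(fires_at(expr, d.year, d.month, d.day, h) for h in range(24)):
            days.append(d.day)
        d += timedelta(days=1)
    return days


def rate_firing_days(interval_days, anchor_ymd, year, month):
    """Days of a month hit by rate(N days) that first ran on anchor_ymd:
    a fixed interval drifts across month boundaries, so it cannot pin the 15th/25th."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    d, days = date(*anchor_ymd), []
    while d <= last:
        if (d.year, d.month) == (year, month):
            days.append(d.day)
        d += timedelta(days=interval_days)
    return days


if __name__ == "__main__":
    print(build_backup_plan("dynamodb-twice-monthly", "Default"))
    print("cron fires on:", firing_days(SCHEDULE, 2024, 3))
    print("rate(10 days) from 2024-01-15 fires on:",
          rate_firing_days(10, (2024, 1, 15), 2024, 3), rate_firing_days(10, (2024, 1, 15), 2024, 4))
```

The rate(10 days) comparison is the point of option E being wrong: anchored on 15 January it does hit 15 and 25 March, but only after firing on 5 March as well, and in April it lands on the 4th, 14th and 24th. If the plan also moves recovery points to cold storage, remember that AWS Backup requires DeleteAfterDays to be at least 90 days after MoveToColdStorageAfterDays, so a 3-month retention leaves no room for a cold-storage transition.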

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS IAM Identity Center (AWS Single Sign-On) enabled.
Which additional steps should the security engineer take to complete the task?
A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
B. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal. Most Voted
C. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Link IAM Identity Center groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.
D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify IAM Identity Center as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.
Which solution will meet these requirements?
A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
B. Configure GuardDuty to send the event to Amazon EventBridge. Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance. Most Voted
D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.
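Added example (editor's code, not the exam page's or AWS's): the Lambda half of option C. It accepts the EventBridge event that carries a GuardDuty finding, acts only on an outbound UnauthorizedAccess:EC2/RDPBruteForce finding (outbound means the instance is the attacker; inbound means it is the target), builds Suricata drop rules for the instance's private addresses and writes them into an existing stateful rule group using the UpdateToken read-modify-write that Network Firewall's UpdateRuleGroup requires. The sample event, the rule-group ARN and the in-memory client used for the stand-alone run are constructed placeholders; in AWS the handler builds a real boto3 network-firewall client.

```python
"""GuardDuty RDP brute force -> Network Firewall quarantine rule (added example).
Placeholders: SAMPLE_EVENT contents, RULE_GROUP_ARN, FakeNetworkFirewall."""
import re

RDP_BRUTE_FORCE = "UnauthorizedAccess:EC2/RDPBruteForce"
RULE_GROUP_ARN = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/quarantine"

# Constructed sample in the shape of an EventBridge "GuardDuty Finding" event,
# reduced to the fields the handler reads.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": RDP_BRUTE_FORCE,
        "resource": {"instanceDetails": {
            "instanceId": "i-0123456789abcdef0",
            "networkInterfaces": [{"privateIpAddress": "10.0.1.23"}]}},
        "service": {"action": {"networkConnectionAction": {
            "connectionDirection": "OUTBOUND"}}},
    },
}


def quarantine_targets(event):
    """(instance_id, [private IPs]) for an outbound RDP brute-force finding,
    else None (wrong finding type, or our instance is the victim, not the source)."""
    finding = event.get("detail", {})
    if finding.get("type") != RDP_BRUTE_FORCE:
        return None
    action = finding.get("service", {}).get("action", {})
    if action.get("networkConnectionAction", {}).get("connectionDirection") != "OUTBOUND":
        return None
    details = finding["resource"]["instanceDetails"]
    ips = [ni["privateIpAddress"] for ni in details.get("networkInterfaces", [])]
    return details["instanceId"], ips


def next_sid(rules_string, floor=1000000):
    """Suricata sids must be unique within a rule group; pick the next free one."""
    sids = [int(s) for s in re.findall(r"sid:\s*(\d+)", rules_string)]
    return max(sids + [floor - 1]) + 1


def suricata_drop_rules(instance_id, ips, first_sid):
    """One bidirectional drop rule per address: RDP attempts the instance sends
    and any traffic back to it are both dropped."""
    return [f'drop ip {ip}/32 any <> any any (msg:"quarantine {instance_id}"; '
            f'sid:{first_sid + i}; rev:1;)' for i, ip in enumerate(ips)]


def merge_rules(existing, new_rules):
    """UpdateRuleGroup replaces the whole RulesString, so keep existing rules.
    GuardDuty re-emits a finding while the activity continues; compare rules
    without their sid so the same quarantine is not added twice."""
    lines = [l for l in existing.splitlines() if l.strip()]
    seen = {l.split("sid:")[0] for l in lines}
    lines += [r for r in new_rules if r.split("sid:")[0] not in seen]
    return "\n".join(lines) + "\n"


def apply_block(nfw, rule_group_arn, instance_id, ips):
    """Read-modify-write: DescribeRuleGroup returns the UpdateToken that
    UpdateRuleGroup must echo back, so a concurrent stale write is rejected."""
    current = nfw.describe_rule_group(RuleGroupArn=rule_group_arn, Type="STATEFUL")
    existing = current["RuleGroup"]["RulesSource"]["RulesString"]
    merged = merge_rules(existing, suricata_drop_rules(instance_id, ips, next_sid(existing)))
    nfw.update_rule_group(UpdateToken=current["UpdateToken"], RuleGroupArn=rule_group_arn,
                          Type="STATEFUL", RuleGroup={"RulesSource": {"RulesString": merged}})
    return merged


def handler(event, context=None, nfw=None):
    """Lambda entry point; nfw is injectable so the logic can run offline."""
    target = quarantine_targets(event)
    if target is None:
        return {"blocked": False}
    if nfw is None:
        import boto3  # lazy import: module loads without boto3 installed
        nfw = boto3.client("network-firewall")
    instance_id, ips = target
    apply_block(nfw, RULE_GROUP_ARN, instance_id, ips)
    return {"blocked": True, "instanceId": instance_id, "ips": ips}


class FakeNetworkFirewall:
    """Constructed in-memory stand-in for the boto3 client (offline runs only)."""
    def __init__(self, rules=""):
        self.rules, self.token = rules, "tok-1"

    def describe_rule_group(self, RuleGroupArn, Type):
        return {"UpdateToken": self.token,
                "RuleGroup": {"RulesSource": {"RulesString": self.rules}}}

    def update_rule_group(self, UpdateToken, RuleGroupArn, Type, RuleGroup):
        if UpdateToken != self.token:
            raise RuntimeError("InvalidTokenException: stale UpdateToken")
        self.rules = RuleGroup["RulesSource"]["RulesString"]
        self.token = "tok-" + str(int(self.token.split("-")[1]) + 1)
        return {"UpdateToken": self.token}


if __name__ == "__main__":
    fw = FakeNetworkFirewall('pass ip any any <> any any (msg:"seed"; sid:1000000; rev:1;)\n')
    print(handler(SAMPLE_EVENT, nfw=fw))
    print(fw.rules)
```

Two caveats a practitioner would check before relying on this: Network Firewall only inspects traffic that is routed through its endpoints, so it cannot stop the instance talking to hosts in the same subnet, which is why a quarantine security group (option D's mechanism, on a more suitable event path) is often the stronger containment; and every stateful rule group has a fixed Capacity set at creation, so the function should handle the error returned when the merged RulesString no longer fits. The SNS notification mentioned in the other options is left out here.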

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.
Which solution will meet these requirements MOST quickly?
A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context. Most Voted
C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B. Most Voted
D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
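Added example (editor's code, not from the exam page): the bucket policy that option C calls for, next to the identity policy Account A's administrators already attached, with a deliberately small policy evaluator that models the one rule this question turns on: for cross-account access the identity policy in the caller's account and the resource policy in the owning account must both allow, and an explicit Deny in either wins. Account IDs, the user name and the bucket name are placeholders, and the evaluator ignores conditions, SCPs and permission boundaries.

```python
"""Cross-account S3 access: identity policy + bucket policy (added example).
Placeholders: ACCOUNT_A_USER, BUCKET. The evaluator is a teaching model, not IAM."""
from fnmatch import fnmatchcase
import json

ACCOUNT_A_USER = "arn:aws:iam::111111111111:user/analyst"   # placeholder principal
BUCKET = "company-b-files"                                  # placeholder bucket in Account B


def bucket_policy(bucket, principal_arn):
    """Resource policy Account B attaches to the bucket. Bucket-level actions
    must target the bucket ARN and object-level actions the bucket/* ARN;
    mixing them up is the usual reason ListBucket 'does not work'."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowListFromAccountA", "Effect": "Allow",
         "Principal": {"AWS": principal_arn},
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": bucket_arn},
        {"Sid": "AllowObjectsFromAccountA", "Effect": "Allow",
         "Principal": {"AWS": principal_arn},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{bucket_arn}/*"},
    ]}


def identity_policy(bucket):
    """What Account A attached to its user. No Principal element: an identity
    policy applies to whatever principal it is attached to."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal_arn):
    if "Principal" not in stmt:
        return True                       # identity policy: implicit principal
    principal = stmt["Principal"]
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def evaluate(policy, principal_arn, action, resource):
    """'Allow', 'Deny', or None when no statement matches (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def cross_account_allowed(identity, resource_policy, principal_arn, action, resource):
    """Cross-account rule: both sides must return Allow; any Deny wins."""
    results = [evaluate(identity, principal_arn, action, resource),
               evaluate(resource_policy, principal_arn, action, resource)]
    return "Deny" not in results and all(r == "Allow" for r in results)


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.pdf"
    ident, empty = identity_policy(BUCKET), {"Version": "2012-10-17", "Statement": []}
    print("identity policy alone:", cross_account_allowed(ident, empty, ACCOUNT_A_USER, "s3:GetObject", obj))
    print("with bucket policy:   ", cross_account_allowed(ident, bucket_policy(BUCKET, ACCOUNT_A_USER),
                                                          ACCOUNT_A_USER, "s3:GetObject", obj))
    print(json.dumps(bucket_policy(BUCKET, ACCOUNT_A_USER), indent=2))
```

Why options A and B do not fix it: with S3 Object Ownership set to "bucket owner enforced" (the default for new buckets), ACLs are disabled and the bucket policy is the only resource-side control; even on older buckets an ACL grants canonical user IDs of whole accounts, not an individual IAM user. Option D fails because a user policy in Account B would have to attach to a principal that exists in Account B, and the user lives in Account A.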