Amazon SCS-C03 시험

Question No : 1

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.
What should a security engineer do to configure access to these EC2 instances to meet these requirements?

• A.Use the EC2 serial console Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.
• B.Use EC2 Instance Connect Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.
• C.Use an EC2 key pair with an EC2 instance that needs SSH access Access the EC2 instance with this key pair by using SS
• D.Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.
• E.Use AWS Systems Manager Session Manager Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator Provide an IAM policy that allows the IAM account to use Session Manager.

답을 확인하기

정답:
Explanation:
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/. In the navigation pane, choose Session Manager. Choose the Preferences tab, and then choose Edit. Select the check box next to Enable under S3 logging. (Recommended) Select the check box next to Allow only encrypted S3 buckets. With this option turned on, log data is encrypted using the server-side encryption key specified for the bucket. If you don't want to encrypt the log data that is sent to Amazon S3, clear the check box. You must also clear the check box if encryption isn't allowed on the S3 bucket.

Question No : 2

A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS>-based storage The instance is making connections to known malicious addresses
The instance is in a development account within a VPC that is in the us-east-1 Region The VPC contains an internet gateway and has a subnet in us-east-1a and useasMb Each subnet is associate with a route table that uses the internet gateway as a default route Each subnet also uses the default network ACL The suspicious EC2 instance runs within the us-east-1 b subnet. During an initial investigation a security engineer discovers that the suspicious instance is the only instance that runs in the subnet
Which response will immediately mitigate the attack and help investigate the root cause?

• A.Log in to the suspicious instance and use the netstat command to identify remote connections Use the IP addresses from these remote connections to create deny rules in the security group of the instance Install diagnostic tools on the instance for investigation Update the outbound network ACL for the subnet in us-east- lb to explicitly deny all connections as the first rule during the investigation of the instance
• B.Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule Replace the security group with a new security group that allows connections only from a diagnostics security group Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule Launch a new EC2 instance that has diagnostic tools Assign the new security group to the new EC2 instance Use the new EC2 instance to investigate the suspicious instance
• C.Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination Terminate the instance Launch a new EC2 instance in us-east-1a that has diagnostic tools Mount the EBS volumes from the terminated instance for investigation
• D.Create an AWS WAF web ACL that denies traffic to and from the suspicious instance Attach the AWS WAF web ACL to the instance to mitigate the attack Log in to the instance and install diagnostic tools to investigate the instance

답을 확인하기

정답:
Explanation:
This option suggests updating the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule, replacing the security group with a new one that only allows connections from a diagnostics security group, and launching a new EC2 instance with diagnostic tools to investigate the suspicious instance. This option will immediately mitigate the attack and provide the necessary tools for investigation.

Question No : 3

A company needs to encrypt all of its data stored in Amazon S3. The company wants to use IAM Key Management Service (IAM KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up IAM KMS to meet these requirements?

• A.Configure IAM KMS and use a custom key store. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK
• B.Configure IAM KMS and use the default Key store Create an IAM managed CMK with no key material Import the company's key material into the CMK
• C.Configure IAM KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK
• D.Configure IAM KMS and use a custom key store. Create an IAM managed CMK with no key material. Import the company's key material into the CM

답을 확인하기

정답:

Question No : 4

A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS.
Which of the following is a valid option for storing SSL/TLS certificates?

• A.Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)
• B.Default SSL certificate that is stored in Amazon CloudFront.
• C.Custom SSL certificate that is stored in AWS Certificate Manager (ACM)
• D.Default SSL certificate that is stored in Amazon S3

답을 확인하기

정답:

Question No : 5

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly.
How can you achieve this?
Please select:

• A.Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
• B.Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
• C.Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.
• D.Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

답을 확인하기

정답:
Explanation:
The below diagram from an IAM blog shows how security groups can be monitored



Option A is invalid because you need to use Cloudwatch Events to check for chan, Option B is invalid because you need to use Cloudwatch Events to check for chang
Option C is invalid because IAM inspector is not used to monitor the activity on Security Groups For more information on monitoring security groups, please visit the below URL:
Ihttpsy/IAM.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to 'pc-security-groups/
The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups.
Configure the Lambda function for email notification as well.
Submit your Feedback/Queries to our Experts

Question No : 6

A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the companys visibility of potential anomalous behavior.
Which solution will meet these requirements?

• A.Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
• B.Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.
• C.Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
• D.Create an AWS Lambda function that has the appropriate permissions to de-lete the finding whenever a new occurrence is reported.

답을 확인하기

정답:
Explanation:
"When you create an Amazon GuardDuty filter, you choose specific filter criteria, name the filter and can enable the auto-archiving of findings that the filter matches. This allows you to further tune GuardDuty to your unique environment, without degrading the ability to identify threats. With auto-archive set, all findings are still generated by GuardDuty, so you have a complete and immutable history of all suspicious activity."

Question No : 7

A company receives a notification from the AWS Abuse team about an AWS account The notification indicates that a resource in the account is compromised The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application The compromised EC2 instance is part of an EC2 Auto Scaling group
The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an 1AM access key and secret key The 1AM access key and secret key are stored inside the AMI that is specified in the Auto Scaling
group's launch configuration The company is concerned that the credentials that are stored in the AMI might also have been exposed
The company must implement a solution that remediates the security concerns without causing downtime for the application The solution must comply with security best practices
Which solution will meet these requirements'?

• A.Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh
• B.Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentially compromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh.
• C.Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh
• D.Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh

답을 확인하기

정답:
Explanation:
The AWS documentation states that you can create a new AMI without the potentially compromised credentials and create an 1AM role that includes the correct permissions. You can then create a launch template for the Auto Scaling group to reference the new AMI and 1AM role. This method is the most secure way to remediate the security concerns without causing downtime for the application.
References: : AWS Security Best Practices

Question No : 8

A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.
Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

• A.The CMK that is used in the attempt does not exist.
• B.The CMK that is used in the attempt needs to be rotated.
• C.The CMK that is used in the attempt is using the CMK's key ID instead of the CMK AR
• D.The CMK that is used in the attempt is not enabled.
• E.The CMK that is used in the attempt is using an alias.

답을 확인하기

정답:

Question No : 9

A company has retail stores The company is designing a solution to store scanned copies of customer receipts on Amazon S3 Files will be between 100 KB and 5 MB in PDF format Each retail store must have a unique encryption key Each object must be encrypted with a unique key
Which solution will meet these requirements?

• A.Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store Use the S3 Put operation to upload the objects to Amazon S3 Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key
• B.Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store Use the KMS Encrypt operation to encrypt objects Then upload the objects to Amazon S3
• C.Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store Use the data key and client-side encryption to encrypt the objects Then upload the objects to Amazon S3
• D.Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store Use a customer managed key and the KMS Encrypt operation to encrypt the objects Then upload the objects to Amazon S3

답을 확인하기

정답:
Explanation:
To meet the requirements of storing scanned copies of customer receipts on Amazon S3, where files will be between 100 KB and 5 MB in PDF format, each retail store must have a unique encryption key, and each object must be encrypted with a unique key, the most appropriate solution would be to create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Then, use the S3 Put operation to upload the objects to Amazon S3, specifying server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store’s key.
References: : Amazon S3 - Amazon Web Services : AWS Key Management Service - Amazon Web
Services : Amazon S3 - Amazon Web Services : AWS Key Management Service - Amazon Web Services

Question No : 10

Your company is planning on using bastion hosts for administering the servers in IAM.
Which of the following is the best description of a bastion host from a security perspective?

• A.A Bastion host should be on a private subnet and never a public subnet due to security concerns
• B.A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
• C.Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.
• D.A Bastion host should maintain extremely tight security and monitoring as it is available to the public

답을 확인하기

정답:
Explanation:
A bastion host acts as a fortified gateway to access the private network, usually having stringent security controls to fend off unauthorized access. It is indeed considered a critical strong point in the network because it is exposed to the public internet, and a compromise of the bastion host could potentially give an attacker access to the internal network. It sits in a public subnet and forms a bridge to the private network, allowing authorized users to access resources in the private network securely.
Option D is also somewhat correct but less comprehensive than option B. It is indeed essential for a bastion host to maintain high levels of security and monitoring due to its exposure to the public internet.
Option A is incorrect because a bastion host needs to be in a public subnet so that it can be accessed from the internet to serve as a gateway to the private network.
Option C is partially correct as it describes the function of a bastion host but doesn't encapsulate the entire essence of its role as a security measure.

Question No : 11

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.
The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.
Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)

• A.Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.
• B.Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
• C.For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.
• D.For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the per-missions in the resource field of the corresponding policy.
• E.Update each stack to use the service role.
• F.Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.

답을 확인하기

정답:

Question No : 12

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.
When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.
A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.
Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

• A.In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
• B.In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
• C.In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
• D.Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.
• E.Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

답을 확인하기

정답:
Explanation:
To allow cross-account access to a KMS key, the key policy of the KMS key must grant permission to the external account or principal, and the IAM policy of the external account or principal must delegate the key policy permission. In this case, the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key must allow access to the IAM role of the new Lambda function in the development account (option E), and the IAM role of the new Lambda function in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates an IAM role for the new Lambda function in the security account, not in the development account. Option B is incorrect because it attaches a key policy to an IAM role, which is not valid. Option D is incorrect because it allows access to the IAM role of the new Lambda function in the security account, not in the development account. Verified References:
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

Question No : 13

A company is using AWS Organizations to manage multiple AWS accounts for its hu-man resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account.
The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software development AWS account.
Which solution will meet these requirements?

• A.In the software development account, create AMIS of preconfigured instanc-es that include only approved software. Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFor-mation template to launch EC2 instances in the software development account.
• B.Create an Amazon EventBridge rule that runs when any EC2 Runlnstances API event occurs in the software development account. Specify AWS Systems Man-ager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.
• C.Use an AWS Service Catalog portfolio that contains EC2 products with ap-propriate AMIS that include only approved software. Grant the developers permission to portfolio access only the Service Catalog to launch a product in the software development account.
• D.In the management account, create AMIS of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIS across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

답을 확인하기

정답:

Question No : 14

A company is implementing a new application in a new IAM account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same IAM Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.
How can the security engineer implement this solution?

• A.Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VP
• B.Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VP
• C.Attach the new security group to the database instances that the application instances need to access.
• D.Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
• E.Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VP
• F.Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
• G.Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VP
• H.Attach the new security group to the application instances that need database access.

답을 확인하기

정답:

Question No : 15

A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.
Which solution will meet these requirements?

• A.Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.
• B.Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.
• C.Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.
• D.Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

답을 확인하기

정답: