Question # 1
A company uses Amazon GuardDuty. The company's security team wants all High severity findings to automatically generate a ticket in a third-party ticketing system through email integration. Which solution will meet this requirement?
A. Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.
C. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.
D. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.
Explanation: The correct answer is B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule. According to the AWS documentation, you can use Amazon EventBridge to create rules that match events from GuardDuty and route them to targets such as Amazon SNS topics. You can use event patterns to filter events based on criteria such as severity, type, or resource. For example, you can create a rule that matches only High severity findings and sends them to an SNS topic to which the third-party ticketing email system is subscribed. This way, you can automate the creation of tickets for High severity findings and notify the security team.
Question # 2
A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability. Which solution will meet these requirements?
A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.
B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
Question # 3
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services. What should the Security Engineer do to meet these requirements?
A. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
B. Enable IAM Config to check the configuration of each S3 bucket.
C. Set up IAM Systems Manager to monitor S3 bucket policies for public write access.
D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.
C. Set up IAM Systems Manager to monitor S3 bucket policies for public write access
Explanation: This solution can monitor each S3 bucket for unrestricted public write access and uses IAM managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.
Question # 4
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses? Please select:
A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
C. Add a rule to all of the VPC Security Groups to deny access from the IP address block.
D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
Explanation: A network ACL (NACL) acts as a firewall at the subnet level of the VPC, so the offending IP address block can be denied at the subnet level with NACL rules that block the incoming traffic to the VPC instances. Because NACL rules are evaluated in order of rule number, make sure that this deny rule takes precedence over any other rule that would allow traffic from these IP ranges: the lowest rule number is evaluated first and takes precedence over a rule with a higher number.
The IAM documentation mentions the following as a best practice for IAM users: For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (such as their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Option C is invalid because these options are not available. Option D is invalid because there is no root access for users.
For more information on IAM best practices, please visit the following URL: https://docs.IAM.amazon.com/IAM/latest/UserGuide/best-practices.html
The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
Question # 5
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?
A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to IAM.
C. Use IAM DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.
C. Use IAM DNS resolvers for all EC2 instances.
Explanation: To ensure that the EC2 instances are logged, the security engineer should do the following: Use AWS DNS resolvers for all EC2 instances. This allows the security engineer to use Amazon-provided DNS servers that resolve public DNS hostnames to private IP addresses within their VPC, and that log DNS queries in Amazon CloudWatch Logs.
Question # 6
A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI. Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket. What should the security engineer do to fix this issue with the LEAST amount of operational overhead?
A. Create a new CloudTrail trail. Select the new Regions where the company added resources.
B. Change the S3 bucket to receive notifications to track all actions from all Regions.
C. Create a new CloudTrail trail that applies to all Regions.
D. Change the existing CloudTrail trail so that it applies to all Regions.
D. Change the existing CloudTrail trail so that it applies to all Regions.
Explanation: The correct answer is D. Change the existing CloudTrail trail so that it applies to all Regions.
According to the AWS documentation, you can configure CloudTrail to deliver log files from multiple Regions to a single S3 bucket for a single account. To change an existing single-Region trail to log in all Regions, you must use the AWS CLI and add the --is-multi-region-trail option to the update-trail command. This ensures that you log global service events and capture all management event activity in your account.
Option A is incorrect because creating a new CloudTrail trail for each Region will incur additional costs and increase operational overhead. Option B is incorrect because changing the S3 bucket to receive notifications will not affect the delivery of log files from other Regions. Option C is incorrect because creating a new CloudTrail trail that applies to all Regions will result in duplicate log files for the original Region and also incur additional costs.
Question # 7
A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding not created in the Security Hub delegated administrator account?
A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
D. Cross-Region aggregation in Security Hub was not configured.
C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
Explanation: The correct answer is C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated. According to the AWS documentation [1], GuardDuty findings are automatically sent to Security Hub only if the GuardDuty integration with Security Hub is enabled in the same account and Region. This means that the security tooling account, which is the delegated administrator for both GuardDuty and Security Hub, must enable the GuardDuty integration with Security Hub in each member account and Region where GuardDuty is enabled.
Otherwise, the findings from GuardDuty will not be visible in Security Hub. The other options are incorrect because: VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty uses VPC DNS logs, which are automatically enabled for all VPCs, to detect malicious or unauthorized DNS activity. The DHCP option configured for a custom OpenDNS resolver does not affect GuardDuty’s ability to generate DNS findings. GuardDuty uses its own threat intelligence sources to identify malicious domains, regardless of the DNS resolver used by the EC2 instance. Cross-Region aggregation in Security Hub is not relevant for this scenario, because the company operates out of a single AWS Region. Cross-Region aggregation allows Security Hub to aggregate findings from multiple Regions into a single Region.
References:
1. Managing GuardDuty accounts with AWS Organizations
2. Amazon GuardDuty Findings
3. How Amazon GuardDuty Works
4. Cross-Region aggregation in AWS Security Hub
Amazon Web Services SCS-C02 Exam Dumps
Pass Your AWS Certified Security - Specialty Exam in First Attempt With SCS-C02 Exam Dumps. Real AWS Certified Specialty Exam Questions As in Actual Exam!
— 327 Questions With Valid Answers
— Update Date : 3-Oct-2024
— Free SCS-C02 Updates for 90 Days
— 98% AWS Certified Security - Specialty Exam Passing Rate
- Number 1 Amazon Web Services AWS Certified Specialty study material online
- Regular SCS-C02 dumps updates for free.
- AWS Certified Security - Specialty practice exam questions with their answers and explanation.
- Our commitment to your success continues through your exam with 24/7 support and long after with discounts on future study programs.
- Free SCS-C02 dumps updates for 90 days
- 97% more cost effective than traditional training
- AWS Certified Security - Specialty Practice Questions to boost your knowledge
- 100% correct AWS Certified Specialty questions answers compiled by senior IT professionals
Amazon Web Services SCS-C02 Braindumps
Realbraindumps.com is providing AWS Certified Specialty SCS-C02 braindumps which are accurate and of high quality, verified by a team of experts. The Amazon Web Services SCS-C02 dumps are comprised of AWS Certified Security - Specialty questions and answers available in printable PDF files and online practice test formats. Our best-recommended and most economical package is the AWS Certified Specialty PDF file + test engine discount package along with 3 months of free updates of SCS-C02 exam questions. We have compiled an AWS Certified Specialty exam dumps question and answer PDF file for you so that you can easily prepare for your exam. Our Amazon Web Services braindumps will help you in the exam. Obtaining valuable professional Amazon Web Services AWS Certified Specialty certifications with SCS-C02 exam questions and answers will always be beneficial to IT professionals by enhancing their knowledge and boosting their career.
Yes, really, it is not as tough as before. Websites like Realbraindumps.com are playing a significant role in making it possible in this competitive world to pass exams with the help of AWS Certified Specialty SCS-C02 dumps questions. We are here to encourage your ambition and help you in all possible ways. Our excellent and incomparable Amazon Web Services AWS Certified Security - Specialty exam questions and answers study material will help you get through your SCS-C02 certification exam in the first attempt.
Pass the exam with Amazon Web Services AWS Certified Specialty dumps. We at Realbraindumps are committed to providing you AWS Certified Security - Specialty braindumps questions and answers online. We recommend you prepare from our study material and boost your knowledge. You can also get a discount on our Amazon Web Services SCS-C02 dumps. Just talk with our support representatives and ask for a special discount on AWS Certified Specialty exam braindumps. We have the latest SCS-C02 exam dumps, with all Amazon Web Services AWS Certified Security - Specialty dumps questions written to the highest standards of technical accuracy, which can be instantly downloaded and accessed by candidates once purchased. Practicing online AWS Certified Specialty SCS-C02 braindumps will help you get fully prepared and familiar with the real exam conditions. Free AWS Certified Specialty exam braindumps demos are available for your satisfaction before placing a purchase order.
Send us an email if you want to check the Amazon Web Services SCS-C02 AWS Certified Security - Specialty demo before your purchase, and our support team will send it to you by email.
If you don't find your dumps here then you can request what you need and we shall provide it to you.