SCS-C02 Amazon Web Services AWS Certified Security - Specialty Free Practice Exam Questions (2025 Updated)

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-internal

Multi-factor authentication can add one more layer of security to your IAM account Even when you go to your Security Credentials dashboard one of the items is to enable MFA on your root account

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because you need to have a good password policy Option B is invalid because there is no IAM Geo-Lock Option D is invalid because this is not a recommended practices For more information on MFA, please visit the below URL

http://docs.IAM.amazon.com/IAM/latest/UserGuide/id credentials mfa.htmll

The correct answer is: Use MFA on all users and accounts, especially on the root account.

Submit your Feedback/Queries to our Experts

Amazon CloudWatch monitoring is a service that collects and tracksmetrics fromAWS resources and applications, and provides visualization tools and alarms to monitor performance and availability1. The health status data in format can be sent to CloudWatch as custom metrics2, and then displayed in CloudWatch dashboards3. The other options are either inefficient or insecure for monitoring application availability in near-real time.

The correct answer is A. Revoke all versions of the signing profile assigned to the developer.

According to the AWS documentation1, AWS Signer is a fully managed code-signing service that helps you ensure the trust and integrity of your code. You can use Signer to sign code artifacts, such as Lambda deployment packages, with code-signing certificates that you control and manage.

A signing profile is a collection of settings that Signer uses to sign your code artifacts. A signing profile includes information such as the following:

The type of signature that you want to create (for example, a code-signing signature).

The signing algorithm that you want Signer to use to sign your code.

The code-signing certificate and its private key that you want Signer to use to sign your code.

You can create multiple versions of a signing profile, each with a different code-signing certificate. You can also revoke a version of a signing profile if you no longer want to use it for signing code artifacts.

In this case, the company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions. One way to achieve this is to revoke all versions of the signing profile that was assigned to the developer. This will prevent Signer from using that signing profile to sign any new code artifacts, and also invalidate any existing signatures that were created with that signing profile. This way, the company can ensure that only trusted and authorized code can be deployed to the Lambda functions.

The other options are incorrect because:

B. Examining the developer’s IAM roles and removing all permissions that grant access to Signer may not be sufficient to prevent the deployment of the developer’s code. The developer may have already signed some code artifacts with a valid signing profile before leaving the company, and those signatures may still be accepted by Lambda unless the signing profile is revoked.

C. Re-encrypting all source code with a new AWS Key Management Service (AWS KMS) key may not be effective or practical. AWS KMS is a service that lets you create and manage encryption keys for your data. However, Lambda does not require encryption keys for deploying code artifacts, only valid signatures from Signer. Therefore, re-encrypting the source code may not prevent the deployment of the developer’s code if it has already been signed with a valid signing profile. Moreover, re-encrypting all source code may be time-consuming and disruptive for other developers who are working on the same code base.

D. Using Amazon CodeGuru to profile all the code that the Lambda functions use may not help with preventing the deployment of the developer’s code. Amazon CodeGuru is a service that provides intelligent recommendations to improve your code quality and identify an application’s most expensive lines of code. However, CodeGuru does not perform any security checks or validations on your code artifacts, nor does it interact with Signer or Lambda in any way. Therefore, using CodeGuru may not prevent unauthorized or untrusted code from being deployed to the Lambda functions.

Establishing a VPC peering connection between the VPCs in Account A and Account B and updating route tables, network ACLs, and security groups to permit the necessary traffic ensures private connectivity for the application to write to the S3 bucket without traversing the public internet. This solution is efficient and maintains network security and integrity.

these are the recommended actions to take when you receive an abuse notice fromAWS8. You shouldreview the abuse notice to see what content or activity was reported and detach the internet gateway from the VPC to isolate the affected instances from the internet. You should also remove any rules that allow inbound traffic from 0.0.0.0/0 from the security groups and create a network access control list (NACL) rule to deny all traffic inbound from the internet. You should then delete the compromised instances and any associated resources that you did not create. The other options are either inappropriate or unnecessary for responding to the abuse notice.

AWS Secrets Manager is a service that helps you manage, retrieve, and rotate secrets such as database credentials, API keys, and other sensitive information. By configuring automatic rotation of credentials in AWS Secrets Manager, you can ensure that your secrets are changed regularly and securely, without requiring manual intervention or application downtime. You can also specify the rotation frequency and the rotation function that performs the logic of changing the credentials on the database and updating the secret in Secrets Manager1.

E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

By configuring the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials, you can avoid hard-coding the credentials in your application code or configuration files. This way, your application can dynamically obtain the latest credentials from Secrets Manager whenever the password is rotated, without needing to restart or redeploy the application. To enable this, you need to grant permission to the instance role associated with the EC2 instance to access Secrets Manager using IAM policies2. You can also usethe AWS SDK for Java to integrate your application with Secrets Manager3.

Enable Amazon GuardDuty:

GuardDuty is a threat detection service that natively supports detecting cryptocurrency mining activity on Amazon EC2 instances.

Enable GuardDuty for the account and all AWS Regions to ensure comprehensive coverage.

Monitor GuardDuty Findings:

GuardDuty generates findings for activities associated with cryptocurrency mining (e.g., unauthorized mining, DNS queries to known mining domains).

Create an EventBridge Rule:

Define an EventBridge rule that triggers on specific GuardDuty findings related to cryptocurrency activity.

Configure the rule to send notifications to an Amazon SNS topic.

Example Rule:

{

"Source": ["aws.guardduty"],

"DetailType": ["GuardDuty Finding"],

"Detail": {

"type": ["CryptoCurrency:EC2/BitcoinTool.B"]

}

}

Advantages of GuardDuty:

Automated Threat Detection: Requires no additional setup or custom rules.

Near-Real-Time Alerts: Delivers findings and notifications with minimal delay.

Amazon GuardDuty Documentation

Creating EventBridge Rules for GuardDuty Findings

To resolve CloudTrail's failure to deliver events to S3, verifying the S3 bucket policy for CloudTrail's write permissions (A) and ensuring the existence of the specified S3 bucket (D) are critical initial steps. These actions ensure that CloudTrail has the necessary permissions and a valid destination for log file delivery, addressing common configuration issues that can interrupt event logging.

The correct answer is B because it preserves the forensic evidence from the instance in the correct order. The first step is to take a memory snapshot of the instance and store it in an S3 bucket, as memory data is volatile and can be lost when the instance is stopped. The second step is to stop the instance, which will prevent any further changes to the EBS volume. The third step is to take an EBS volume snapshot of the instance and store it in an S3 bucket, which will capture the disk state of the instance. The last two steps are to detach the instance from the Auto Scaling group and deregister it from the ALB, which will isolate the instance from the rest of the application.

The other options are incorrect because they do not preserve the forensic evidence in the correct order. Option A takes the EBS volume snapshot before the memory snapshot, which can result in inconsistent data. Option C detaches and deregisters the instance before taking any snapshots, which can affect the availability of the application. Option D stops the instance before taking the memory snapshot, which can cause the loss of memory data.

To resolve the issue of the Lambda function failing to create the report while adhering to the principle of least privilege, follow these steps:

Identify Required Permissions:

Determine the specific AWS Security Hub and Amazon Inspector actions the Lambda function needs to perform.

Common actions include:

securityhub:Get*

securityhub:List*

securityhub:Batch*

securityhub:Describe*

Create a Custom IAM Policy:

In the AWS Management Console, navigate to the IAM service.

Create a new policy with permissions tailored to the Lambda function's needs.

Define the policy to allow the necessary actions on the specific Security Hub resource.

For example:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"securityhub:Get*",

"securityhub:List*",

"securityhub:Batch*",

"securityhub:Describe*"

],

"Resource": "arn:aws:securityhub:us-west-2::product/aws/inspector"

}

]

}

This policy grants the Lambda function the necessary read-only permissions to interact with Security Hub and Amazon Inspector.

Attach the Policy to the Lambda Execution Role:

Identify the IAM role associated with your Lambda function.

Attach the newly created custom policy to this role.

This ensures the Lambda function has the required permissions when invoked.

Test the Lambda Function:

Invoke the Lambda function to verify it can successfully create the report without permission errors.

Monitor the function's execution to ensure it operates as expected.

Implement Least Privilege Principle:

Regularly review and adjust the permissions to ensure they remain aligned with the function's requirements.

Remove any unnecessary permissions to minimize security risks.

Defining Lambda function permissions with an execution role: This AWS documentation provides guidance on creating and managing execution roles for Lambda functions, emphasizing the importance of granting least privilege access.

AWS Documentation

Managing permissions in AWS Lambda: This resource offers insights into best practices for managing permissions, including the use of identity-based and resource-based policies to control access to Lambda resources.

AWS Documentation

Grant least privilege access: Part of the AWS Well-Architected Framework, this document discusses the principle of least privilege and provides strategies for implementing it effectively within AWS environments.

AWS Documentation

AWS managed policies for AWS Lambda: This page details the AWS managed policies available for Lambda, which can serve as a starting point for creating custom policies tailored to specific needs.

AWS Documentation

Applying the principles of least privilege in AWS Lambda: This guide explores how to apply the principle of least privilege in AWS Lambda functions, focusing on avoiding granting wildcard permissions in IAM policies.

Orchestra

By following these steps and utilizing the referenced AWS documentation, you can ensure that your Lambda function has the necessary permissions to create the report while adhering to the principle of least privilege.

NACL acts as a firewall at the subnet level of the VPC and we can deny the offending IP address block at the subnet level using NACL rules to block the incoming traffic to the VPC instances. Since NACL rules are applied as per the Rule numbers make sure that this rule number should take precedence over other rule numbers if there are any such rules that will allow traffic from these IP ranges. The lowest rule number has more precedence over a rule that has a higher number.

The IAM Documentation mentions the following as a best practices for IAM users

For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

Options C is invalid because these options are not available

Option D is invalid because there is not root access for users

For more information on IAM best practices, please visit the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/best-practices.html

The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

omit your Feedback/Queries to our Experts