SCS-C02 AWS Certified Security Specialty


Question 1

A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs.

Which combination of steps should the security team take? (Choose three.)


  • Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS).

  • Compress log file with secure gzip.

  • Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.

  • Implement least privilege access to the S3 bucket by configuring a bucket policy.

  • Configure CloudTrail log file integrity validation.

  • Configure Access Analyzer for S3.

Question 2

A website currently runs on Amazon EC2, with mostly static content on the site. Recently the site was subjected to a DDoS attack, and a security engineer was asked to redesign the edge security to help mitigate this risk in the future.

What are some ways the engineer could achieve this? (Select THREE)

A. Use IAM X-Ray to inspect the traffic going to the EC2 instances.

B. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.

C. Change the security group configuration to block the source of the attack traffic.

D. Use IAM WAF security rules to inspect the inbound traffic.

E. Use Amazon Inspector assessment templates to inspect the inbound traffic.

F. Use Amazon Route 53 to distribute traffic.

Answer: B, D, F

Explanation:


Question 3

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Choose two.)


  • AWS Site-to-Site VPN
    AWS Site-to-Site VPN is a service that allows you to securely connect your on-premises data center to your AWS VPC over the internet using IPsec encryption. This solution meets the requirement of encrypting the data in transit between the on-premises data center and AWS.

  • AWS Direct Connect
    AWS Direct Connect is a service that allows you to establish a dedicated network connection between your on-premises data center and your AWS VPC. This solution meets the requirement of reducing network latency between the on-premises data center and AWS.

  • AWS VPN CloudHub
    AWS VPN CloudHub is a service that allows you to connect multiple VPN connections from different locations to the same virtual private gateway in your AWS VPC. This solution is not relevant for this scenario, as there is only one on-premises data center involved.

  • VPC peering
    VPC peering is a service that allows you to connect two or more VPCs in the same or different regions using private IP addresses. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for VPCs.

  • NAT gateway
    NAT gateway is a service that allows you to enable internet access for instances in a private subnet in your AWS VPC. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for outbound traffic from your VPC.