AWS-Certified-Security-Specialty-SCS-C01 AWS Certified Security - Specialty (SCS-C01)



Question 13

In your LAMP application, some developers say they would like access to your logs. However, since you are using an Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below.

Please select:


  • Give only the necessary access to the Apache servers so that the developers can gain access to the log files.

  • Give root access to your Apache servers to the developers.

  • Give read-only access to your developers to the Apache servers.

  • Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer access.

Question 14

Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?

Please select:


  • Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

  • Query the Trusted Advisor API for all best practice security checks and check for "action recommended" status.

  • Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

  • Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

Question 15

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.

How can the security engineer meet these requirements?


  • Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.

  • Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.

  • Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.

  • Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.