New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

Free SCS-C02 Questions Attempt

Page: 14 / 24
Question 56

A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet.

A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials.

The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance's security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly.

What should the security engineer do so that the function can rotate the secret?

Options:

A.

Add an egress-only internet gateway to the VPC. Allow only the Lambda function's subnet to route traffic through the egress-only internet gateway.

B.

Add a NAT gateway to the VPC. Configure only the Lambda function's subnet with a default route through the NAT gateway.

C.

Configure a VPC peering connection to the default VPC for Secrets Manager. Configure the Lambda function's subnet to use the peering connection for routes.

D.

Configure a Secrets Manager interface VPC endpoint. Include the Lambda function's private subnet during the configuration process.

Question 57

A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive data-base credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same pri-vate subnet. The VPC has a Secrets Manager VPC endpoint.

A security engineer discovers that the secret cannot rotate. The security engi-neer determines that the VPC endpoint is working as intended. The Amazon Cloud-Watch logs contain the following error:

"setSecret: Unable to log into database".

Which solution will resolve this error?

Options:

A.

Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the struc-ture that the database requires.

B.

Ensure that the security group that is attached to the Lambda function al-lows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.

C.

Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the se-cret.

D.

Add an internet gateway to the VPC. Create a NAT gateway in a public sub-net. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.

Question 58

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised

Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

Options:

A.

Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

B.

Respond to the notification and list the actions that have been taken to address the incident

C.

Delete all IAM users and resources in the account

D.

Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

E.

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Question 59

A security engineer needs to build a solution to turn IAM CloudTrail back on in multiple IAM Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

Options:

A.

Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.

B.

Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAM Lambda function to call the StartLogging API.

C.

Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event source and a StopLogging event name to trigger an IAM Lambda function to call the StartLogging API.

D.

Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.

Page: 14 / 24
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Dec 27, 2024
Questions: 338
SCS-C02 pdf

SCS-C02 PDF

$25.5  $84.99
SCS-C02 Engine

SCS-C02 Testing Engine

$28.5  $94.99
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$40.5  $134.99