Amazon SCS-C02 Exam

Certification Provider: Amazon
Exam Name: AWS Certified Security - Specialty
Number of questions in our database: 327
Exam Version: Apr. 29, 2024
SCS-C02 Exam Official Topics:
  • Topic 1: Detect security threats and anomalies by using AWS services/ Respond to compromised resources and workloads
  • Topic 2: Develop a strategy to centrally deploy and manage AWS accounts/ Identify security gaps through architectural reviews and cost analysis
  • Topic 3: Design and implement a logging solution/ Troubleshoot security monitoring and alerting
  • Topic 4: Design and implement network security controls/ Design and implement controls to manage the lifecycle of data at rest
  • Topic 5: Implement a secure and consistent deployment strategy for cloud resources/ Design and implement security controls for compute workloads
  • Topic 6: Design and implement monitoring and alerting to address security events/ Design and implement an incident response plan
  • Topic 7: Design, implement, and troubleshoot authorization for AWS resources/ Evaluate the compliance of AWS resources
  • Topic 8: Threat Detection and Incident Response/ Security Logging and Monitoring
  • Topic 9: Management and Security Governance/ Design and implement security controls for edge services

Free Amazon SCS-C02 Exam Actual Questions

The questions for SCS-C02 were last updated on Apr. 29, 2024

Question #1

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator.

A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.

Which solution will meet these requirements?

Correct Answer: C

To mitigate a credential stuffing attack against a web-based application behind an Application Load Balancer (ALB), creating an AWS WAF web ACL with a custom rule to block requests containing the known malicious user agent string is an effective solution. This approach allows for precise targeting of the attack vector (the user agent string of the device emulator) without impacting legitimate users. AWS WAF provides the capability to inspect HTTP(S) requests and block those that match defined criteria, such as specific strings in the user agent header, thereby preventing malicious requests from reaching the application.
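The rule described above, as an added example that is not part of the original page: the wafv2 rule object that blocks on the User-Agent header, together with a small offline evaluator so the rule can be checked against sample login requests before it is attached to the ALB's web ACL. The emulator string, the IP addresses and the sample requests are constructed for illustration; the evaluator models only the ByteMatchStatement/SingleHeader subset of AWS WAF.

```python
"""Added example (not from the page): a wafv2 rule that blocks the emulator's
User-Agent, plus a small offline evaluator so the rule can be checked against
sample login requests before it is attached to the ALB's web ACL.
The emulator string, IPs and requests below are constructed for illustration."""

# Assumed User-Agent of the known mobile device emulator (constructed value).
EMULATOR_UA = "MobileEmu/3.1 (Android SDK built for x86)"

# Rule in the shape wafv2 create_web_acl / update_web_acl accept under "Rules".
# WAF applies TextTransformations to the inspected header, not to SearchString,
# so the search string must already be lowercase when LOWERCASE is used.
BLOCK_EMULATOR_RULE = {
    "Name": "BlockKnownEmulatorUA",
    "Priority": 0,
    "Action": {"Block": {}},
    "Statement": {
        "ByteMatchStatement": {
            "SearchString": EMULATOR_UA.lower().encode(),
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS",
        }
    },
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "BlockKnownEmulatorUA",
    },
}


def _transform(value, transformations):
    """Apply the subset of WAF text transformations this evaluator models."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] == "COMPRESS_WHITE_SPACE":
            value = " ".join(value.split())
        elif t["Type"] != "NONE":
            raise NotImplementedError(t["Type"])
    return value


def evaluate_rule(rule, headers):
    """Return the rule's action ('Block', 'Allow', 'Count') when the request
    headers match, else None. Models ByteMatchStatement on a single header;
    header names are compared case-insensitively as HTTP requires."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    value = _transform(value, stmt["TextTransformations"])
    needle = stmt["SearchString"].decode()
    constraint = stmt["PositionalConstraint"]
    if constraint == "EXACTLY":
        matched = value == needle
    elif constraint == "STARTS_WITH":
        matched = value.startswith(needle)
    elif constraint == "ENDS_WITH":
        matched = value.endswith(needle)
    elif constraint == "CONTAINS":
        matched = needle in value
    else:
        raise NotImplementedError(constraint)
    return next(iter(rule["Action"])) if matched else None


# Constructed sample login requests: the attack rotates IPs but keeps its UA.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "headers": {"User-Agent": EMULATOR_UA}},
    {"ip": "198.51.100.7", "headers": {"user-agent": EMULATOR_UA.upper()}},
    {"ip": "192.0.2.44", "headers": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"}},
]


def triage(requests, rule=BLOCK_EMULATOR_RULE):
    """Map each source IP to the action the web ACL would take; requests that
    match no rule fall through to the web ACL's default action (Allow here)."""
    return {r["ip"]: evaluate_rule(rule, r["headers"]) or "Allow" for r in requests}


if __name__ == "__main__":
    for ip, action in triage(SAMPLE_REQUESTS).items():
        print(f"{ip:15} {action}")
```

The point of the local evaluator is the LOWERCASE caveat: the second sample request sends the emulator string in upper case and is still blocked because the transformation is applied to the header before comparison, while the genuine iPhone user agent falls through to the web ACL's default action, so legitimate logins keep working.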


Question #2

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

Correct Answer: D

To ensure minimal latency and regional availability of secrets, encrypting secrets in us-east-1 with a customer-managed KMS key and then replicating them to us-west-1 for encryption with the same key is the optimal approach. This method leverages customer-managed KMS keys for enhanced control and ensures that secrets are available in both regions, adhering to disaster recovery principles and minimizing latency by using regional endpoints.
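The replication step described above, as an added example that is not part of the original page: the `create_secret()` parameters that encrypt the primary copy in us-east-1 with a customer managed key and create the us-west-1 replica under the same key, plus an offline audit over a `describe_secret()` style response. It assumes a multi-Region KMS key (whose key ID is the same in every Region it is replicated to); the account ID, key ID, secret name and both sample responses are constructed placeholders.

```python
"""Added example (not from the page): the secretsmanager.create_secret()
parameters for a secret whose us-west-1 replica is encrypted with the same
multi-Region customer managed key, plus an offline audit of a describe_secret()
response. It assumes a multi-Region KMS key, whose key ID is identical in every
Region it is replicated to; account id, key id and secret name are placeholders."""

PRIMARY_REGION = "us-east-1"
REPLICA_REGION = "us-west-1"
# Placeholder multi-Region key: same mrk- key ID, Region-specific ARN.
KEY_ID = "mrk-00000000000000000000000000000000"
KEY_ARN = {
    r: f"arn:aws:kms:{r}:111122223333:key/{KEY_ID}" for r in (PRIMARY_REGION, REPLICA_REGION)
}


def create_secret_params(name, secret_string):
    """Keyword arguments for create_secret() called against the us-east-1
    endpoint. KmsKeyId picks the customer managed key for the primary copy;
    AddReplicaRegions creates the us-west-1 replica under the replica key
    instead of the AWS managed aws/secretsmanager default."""
    return {
        "Name": name,
        "SecretString": secret_string,
        "KmsKeyId": KEY_ARN[PRIMARY_REGION],
        "AddReplicaRegions": [{"Region": REPLICA_REGION, "KmsKeyId": KEY_ARN[REPLICA_REGION]}],
    }


def _key_region(key):
    """Region encoded in a KMS key ARN, or None for a bare key ID / alias."""
    return key.split(":")[3] if key and key.startswith("arn:") else None


def audit_replication(describe_output, expected_regions):
    """Findings for a describe_secret() response: every expected Region must hold
    a copy (primary or InSync replica) encrypted with a customer managed key.
    Secrets Manager omits KmsKeyId when the AWS managed default key is used,
    so a missing key is itself a finding."""
    findings = []
    primary_region = describe_output["ARN"].split(":")[3]
    keys = {primary_region: describe_output.get("KmsKeyId")}
    for replica in describe_output.get("ReplicationStatus", []):
        if replica.get("Status") != "InSync":
            findings.append(f"{replica['Region']}: replication status is {replica.get('Status')}")
        keys[replica["Region"]] = replica.get("KmsKeyId")
    for region in expected_regions:
        if region not in keys:
            findings.append(f"{region}: no copy of the secret")
        elif keys[region] is None:
            findings.append(f"{region}: encrypted with the AWS managed default key")
        elif _key_region(keys[region]) not in (None, region):
            findings.append(f"{region}: key {keys[region]} belongs to another Region")
    return findings


# Constructed describe_secret() responses: one correct, one with a failed,
# default-key replica.
GOOD_DESCRIBE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
    "Name": "prod/db",
    "KmsKeyId": KEY_ARN[PRIMARY_REGION],
    "ReplicationStatus": [{"Region": "us-west-1", "KmsKeyId": KEY_ARN[REPLICA_REGION], "Status": "InSync"}],
}
BAD_DESCRIBE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
    "Name": "prod/db",
    "KmsKeyId": KEY_ARN[PRIMARY_REGION],
    "ReplicationStatus": [{"Region": "us-west-1", "Status": "Failed", "StatusMessage": "constructed"}],
}

if __name__ == "__main__":
    print(create_secret_params("prod/db", '{"user":"app","password":"placeholder"}'))
    for label, d in (("good", GOOD_DESCRIBE), ("bad", BAD_DESCRIBE)):
        print(label, audit_replication(d, [PRIMARY_REGION, REPLICA_REGION]) or "OK")
```

Reading the secret from the us-west-1 endpoint is what keeps latency low and keeps the workload running if us-east-1 is unavailable; the audit makes the two things that silently break that goal visible, a replica that never reached InSync and a replica that fell back to the AWS managed default key.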


Question #3

A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.

The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company's customer service team.

The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials.

Which solution will meet these requirements?

Correct Answer: C

The best solution to meet the company's requirements of offering an alternative login method while securely protecting player credentials and reducing the burden of password resets is to use Amazon Cognito with user pools. Amazon Cognito is a fully managed service that handles authentication, authorization, and user management for web and mobile applications. By configuring Amazon Cognito user pools to federate access with third-party identity providers (IdPs), such as social media platforms or Google, the company can let players sign in through those external IdPs and no longer needs traditional username and password logins. This is more convenient for players and also offloads the responsibility for managing user credentials, including password resets, to Amazon Cognito, which reduces the burden on the company's customer service team. Amazon Cognito also integrates with other AWS services and follows security and compliance best practices, so each player's credentials remain protected.



Question #5

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Correct Answer: B

For increased security while ensuring functionality, NACL3 should allow inbound traffic on port 5432 only from the CIDR blocks of the application instance subnets and allow outbound traffic on the ephemeral ports (1024-65535) back to those subnets; because network ACLs are stateless, that outbound rule is what lets the database's replies reach the application instances. Removing the default allow-all rules applies the principle of least privilege, so that only the necessary traffic is permitted.
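The NACL3 change described above, as an added example that is not part of the original page: the rule set rebuilt as explicit entries and a stateless evaluator that decides each sample flow the way a network ACL does (lowest rule number first, implicit deny at the end), so the effect of the change can be checked before it is applied. The subnet CIDRs, addresses and flows are constructed; only TCP is modelled.

```python
"""Added example (not from the page): NACL3 rebuilt as explicit rules and a
stateless evaluator that checks sample flows the way a network ACL does
(lowest rule number first, implicit deny at the end). Subnet CIDRs and
addresses are constructed; only TCP flows are modelled."""

import ipaddress

APP_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # constructed application subnets
DB_PORT = 5432
EPHEMERAL = (1024, 65535)  # reply ports the DB sends back to; NACLs are stateless


def build_nacl3(app_subnets):
    """Inbound: only 5432 from the application subnets. Outbound: only the
    ephemeral range back to those subnets. Everything else hits the '*' deny."""
    inbound, outbound = [], []
    for i, cidr in enumerate(app_subnets):
        rule_number = 100 + 10 * i
        inbound.append({"rule": rule_number, "proto": "tcp", "ports": (DB_PORT, DB_PORT),
                        "cidr": cidr, "action": "allow"})
        outbound.append({"rule": rule_number, "proto": "tcp", "ports": EPHEMERAL,
                         "cidr": cidr, "action": "allow"})
    return inbound, outbound


def evaluate(rules, proto, port, peer_ip):
    """First matching rule wins, in rule-number order; no match means deny."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = r["ports"]
        if (r["proto"] in ("all", proto) and lo <= port <= hi
                and peer in ipaddress.ip_network(r["cidr"])):
            return r["action"]
    return "deny"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A TCP connection into the DB subnet needs two separate decisions because
    the ACL keeps no state: the SYN inbound to server_port, and the reply
    outbound to the client's (ephemeral) source port."""
    return (evaluate(inbound, "tcp", server_port, client_ip) == "allow"
            and evaluate(outbound, "tcp", client_port, client_ip) == "allow")


# Constructed flows: application instance, ALB in a public subnet, SSH attempt.
SAMPLE_FLOWS = [
    ("app->db", "10.0.10.5", 49152, DB_PORT),
    ("alb->db", "10.0.1.8", 51000, DB_PORT),
    ("app->ssh", "10.0.10.5", 49153, 22),
]


def check_flows(flows, inbound, outbound):
    """Map each named flow to whether NACL3 lets the connection complete."""
    return {name: connection_allowed(inbound, outbound, ip, cport, sport)
            for name, ip, cport, sport in flows}


if __name__ == "__main__":
    inbound, outbound = build_nacl3(APP_SUBNETS)
    for name, ok in check_flows(SAMPLE_FLOWS, inbound, outbound).items():
        print(f"{name:9} {'allowed' if ok else 'denied'}")
```

The second assertion in the test below is the caveat worth remembering from this question: with the inbound 5432 rule alone the SYN from the application instance is accepted but the database's reply is dropped by the implicit outbound deny, so the connection never completes until the ephemeral-port outbound rule is present.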


