AWS Certified Specialty SCS-C01 Syllabus Exam Questions Answers

Page: 13 / 43

Question 52

A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.

What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below

Please select:

Options:

Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.

Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.

Enable CloudTrail log file integrity validation

Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.

Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.

Question 53

A Security Engineer is working with a Product team building a web application on IAM. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Options:

Create a custom authorization service using IAM Lambda.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Question 54

The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using IAM CloudFormation templates with EC2 Auto Scaling groups:

-Have the EC2 instances bootstrapped to connect to a backend database.

-Ensure that the database credentials are handled securely.

-Ensure that retrievals of database credentials are logged.

Which of the following is the MOST efficient way to meet these requirements?

Options:

Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Store database passwords in IAM Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

Create an IAM Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.

Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Question 55

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.

What is the MOST efficient way to meet these requirements?

Options:

Write an IAM Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.

Enable IAM CloudTrail logging for the IAM account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.

Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.

Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.