A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?
Answer(s): C
This solution deploys the Lambda functions inside the VPC so that they can reach the Amazon RDS DB instance over private networking. The security group attached to the Lambda functions allows outbound traffic only to the VPC CIDR range, and the DB instance security group allows inbound traffic only from the Lambda security group. As a result, the Lambda functions can communicate with the DB instance securely and the DB instance is never exposed to the public internet.
A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store (Amazon EBS) volume in the us-east-1 Region. The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created. The security team has created an IAM key policy and has assigned the policy to the key. The security team has also created an IAM instance profile and has assigned the profile to the instance. The EC2 instance will not start and transitions from the pending state to the shutting-down state to the terminated state. Which combination of steps should a security engineer take to troubleshoot this issue? (Select TWO)
Answer(s): C,D
To troubleshoot an EC2 instance that fails to start and transitions to the terminated state when its EBS volume is encrypted with an AWS KMS customer managed key, a security engineer should take the following steps:
C) Verify that the KMS key that is associated with the EBS volume is in the Enabled state. If the key is not enabled, it cannot be used to decrypt the volume's data key, and the EC2 instance will fail to start.
D) Verify that the EC2 role that is associated with the instance profile has the correct IAM policy to launch an EC2 instance with the EBS volume. If the instance does not have the necessary permissions, it may not be able to attach the volume, and the instance will fail.
Therefore, options C and D are the correct answers.
For more information, please see the Amazon AWS Certified Security - Specialty Exam Guide, p. 47-48. Also, refer to [1] "Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes ...".
Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )
Answer(s): A,B,C
The key length for an RSA certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys. If you use an imported certificate with CloudFront, your key length must be 1024 or 2048 bits and cannot exceed 2048 bits. You must import the certificate in the US East (N. Virginia) Region. You must have permission to use and import the SSL/TLS certificate. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html.
A company uses AWS Organizations to run workloads in multiple AWS accounts. Currently, the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP). The company does not have any audit trails, and security groups are occasionally open. The company must secure access management and implement a centralized logging solution. Which solution will meet these requirements MOST securely?
To meet the requirements of securing access management and implementing a centralized logging solution, the most secure solution would be to:
Install a bastion host in the management account.
Reconfigure all SSH and RDP to allow access only from the bastion host.
Install AWS Systems Manager Agent (SSM Agent) on the bastion host.
Attach the AmazonSSMManagedInstanceCore role to the bastion host.
Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data.
This solution provides the following security benefits:
It uses AWS Systems Manager Session Manager instead of traditional SSH and RDP protocols, which provides a secure method for accessing EC2 instances without requiring inbound firewall rules or open ports.
It provides audit trails by configuring Session Manager logging to Amazon CloudWatch Logs and creating a separate logging account to audit the log data.
It uses the AWS Systems Manager Agent to automate common administrative tasks and improve the security posture of the instances.
The separate logging account with cross-account permissions provides better data separation and improves security posture.
Reference: https://aws.amazon.com/solutions/implementations/centralized-logging/