SCS-C02 Exam Dumps - AWS Certified Security - Specialty

To minimize downtime in response to DDoS attacks, the company should do the following:

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack. This provides access to 24x7 support from the AWS DDoS Response Team (DRT), as well as advanced detection and mitigation capabilities for network and application layer attacks.

Use AWS WAF to create rules to respond to such attacks. This allows the company to filter web requests based on IP addresses, headers, body, or URI strings, and block malicious requests before they reach the web applications.

Understand the Issue:

KMS grants are created using theCreateGrantoperation.

The grant might not propagate immediately for use, leading toAccessDeniedExceptionerrors.

Use Grant Tokens for Immediate Access:

When a grant is created, AWS KMS provides a grant token in the response.

This grant token can be used immediately, even before the grant is fully propagated.

Implement Solution:

Pass the grant token returned byCreateGrantto the users.

Ensure users include the grant token in their requests to encrypt data.

AWS KMS Grant Tokens Documentation

Troubleshooting KMS AccessDenied Errors

AWS Secrets Manager is a service that helps you manage, retrieve, and rotate secrets such as database credentials, API keys, and other sensitive information. By configuring automatic rotation of credentials in AWS Secrets Manager, you can ensure that your secrets are changed regularly and securely, without requiring manual intervention or application downtime. You can also specify the rotation frequency and the rotation function that performs the logic of changing the credentials on the database and updating the secret in Secrets Manager1.

E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

By configuring the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials, you can avoid hard-coding the credentials in your application code or configuration files. This way, your application can dynamically obtain the latest credentials from Secrets Manager whenever the password is rotated, without needing to restart or redeploy the application. To enable this, you need to grant permission to the instance role associated with the EC2 instance to access Secrets Manager using IAM policies2. You can also usethe AWS SDK for Java to integrate your application with Secrets Manager3.

the reason why there were no alerts on the sudo commands. Sudo commands are commands that allow a user to execute commands as another user, usually the superuser or root. CloudWatch Logs agent is a software agent that can send log data from an EC2 instance to CloudWatch Logs, a service that monitors and stores log data. The CloudWatch Logs agent needs an IAM instance profile, which is a container for an IAM role that allows applications running on an EC2 instance to make API requests to AWS services. If the IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch, then there would be no alerts on the sudo commands. The other options are either irrelevant or invalid for explaining why there were no alerts on the sudo commands.

The correct answer is A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

The reason is that this is the simplest and most effective way to enforce the data retention policy.According to theAWS documentation1, “To manage your objects so that they are stored cost effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects.There are two types of actions: Transition actionsand Expiration actions.” The documentation1also states that “Expiration actions define when objects expire. Amazon S3 deletes expired objects on your behalf.” Therefore, by configuring an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days, the security engineer can ensure that the data is removed from the S3 bucket according to the company’s policy.

The other options are incorrect because:

B. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation. This option is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, since the Lambda function is triggered only when a new object is put into the S3 bucket. If there are no new objects for a long period of time, the Lambda function will not run and the data will not be deleted.

C. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month. This option is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, since the Lambda function is triggered only once a month. If the data is older than 45 days but less than a month, it will not be deleted until the next month.

D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class. This option is not sufficient to enforce the data retention policy, because it does not delete the data from the S3 bucket. It only moves the data to a less expensive storage class based on access patterns.According to the AWS documentation2, “S3 Intelligent-Tiering optimizes storage costs by automatically moving data between two access tiers, frequent access and infrequent access, when access patterns change.” However, this feature does not expire or delete the data after a certain period of time.

Comprehensive Detailed Explanation with all AWS References

To ensure encryption for all data in transit between EC2 instances and EBS volumes,TLS encryptionmust be implemented. While EBS volume encryption secures data at rest, the requirement here is to secure datain transit.

TLS Encryption with ACM Certificates:

AWS Certificate Manager (ACM) simplifies the process of deploying TLS encryption by managing certificates.

EC2 instances can use these certificates for secure data transmission to EBS.