SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Enable VPC Flow Logs:

VPC flow logs capture details about the network traffic in your VPC, including both accepted and rejected traffic.

Configure the flow logs to capture traffic for the subnet where the affected EC2 instances are located.

Filter Rejected Traffic:

In the flow log configuration, ensure that you capture rejected traffic (log-status = REJECT).

This will provide a record of instances that attempted to communicate on TCP port 2905 and were blocked by the NACL rule.

Analyze Flow Logs:

Search the flow log records for entries where:

destination-port = 2905

log-status = REJECT

This will help identify the specific EC2 instances attempting to communicate on TCP port 2905.

Advantages of Using VPC Flow Logs:

Cost-effective: No additional infrastructure or services are required.

Scalable: Automatically captures traffic across the subnet without manual intervention.

Detailed Logs: Provides granular details about the rejected traffic.

VPC Flow Logs Documentation

Filtering VPC Flow Logs

The IAM Documentation mentions the following

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the IAM CLI to validate the files in the location where CloudTrail delivered them

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

Options B.C and D is invalid because you need to check for log File Integrity Validation for cloudtrail logs

For more information on Cloudtrail log file validation, please visit the below URL:

http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

The correct answer is: Use CloudTrail Log File Integrity Validation.

omit your Feedback/Queries to our Expert

Set Up AWS Client VPN:

Deploy a Client VPN endpoint in the region where the VPCs are located.

Authorization Rule:

Configure the VPN endpoint with authorization rules to allow access only to the specific VPC subnets that the consultant needs.

VPC Peering Consideration:

Ensure routing between the peered VPCs is correctly configured to allow traffic from the Client VPN endpoint.

Advantages:

Secure Access: Provides encrypted access to the VPCs.

Granular Control: Restricts access to only required resources.

AWS Client VPN Documentation

Authorization Rules for Client VPN

For a company using AWS Organizations that requires centralized management and automatic activation of Amazon GuardDuty across all current and future AWS accounts, setting up a delegated administrator account for GuardDuty is the optimal solution. By enabling GuardDuty in a new account and designating it as the delegated administrator, the company can centrally manage GuardDuty findings and automatically enroll new AWS accounts into GuardDuty as they are created within the organization. This approach ensures consistent threat detection and continuous monitoring across all accounts, aligning with best security practices.

The correct answer is C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

The reason is that Security Hub does not automatically receive findings from GuardDuty unless the integration is activated in each AWS account.According to the AWS documentation1, “The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.” However, this integration is not enabled by default and requires manual activation in each AWS account.The documentation1also states that “You must activate the integration in each AWS account that you want to send findings from GuardDuty to Security Hub.”

Therefore, even though the company has configured the security tooling account as the delegated administrator for GuardDuty and Security Hub, and has enabled these services for existing and new AWS accounts, it still needs to activate the GuardDuty integration with Security Hub in each account. Otherwise, the findings from GuardDuty will not be sent to Security Hub and will not be visible in the delegated administrator account.

The other options are incorrect because:

A. VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty uses VPC flow logs as one of the data sources for network connection findings, but not for DNS findings.According to the AWS documentation2, “GuardDuty uses VPC Flow Logs as a data source for network connection findings.”

B. The VPC DHCP option configured for a custom OpenDNS resolver does not affect GuardDuty’s ability to generate DNS findings. GuardDuty uses DNS logs as one of the data sources for DNS findings, regardless of the DNS resolver used by the VPC.According to the AWS documentation2, “GuardDuty uses DNS logs as a data source for DNS activity findings.”

D. Cross-Region aggregation in Security Hub is not relevant for this scenario, since the company operates out of a single AWS Region. Cross-Region aggregation in Security Hub allows you to aggregate security findings from multiple Regions into a single Region, where you can view and manage them. However, this feature is not needed if the company only uses one Region.According to the AWS documentation3, “Cross-Region aggregation enables you to aggregate security findings from multiple Regions into a single Region.”