SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Understand the Problem:

The inability of external users to log in indicates potential issues with configuration or permissions.

Review Cognito Configuration:

Check for recent changes in Cognito user pool settings, such as password policies or authentication flow configurations.

Ensure the app client settings (e.g., callback URLs, OAuth flows) are correctly configured.

Review IAM Policies and Role Trust Relationships:

Verify that IAM roles used by Cognito (e.g., for identity providers) have the correct policies attached.

Ensure trust relationships for roles are properly configured to allow Cognito to assume them.

Advantages of Reviewing Configurations:

Addresses the root cause of login failures without disrupting user experience (e.g., resetting passwords).

Next Steps:

If no issues are found in the configuration, proceed with detailed logging and monitoring using CloudTrail (Option A).

Troubleshooting Amazon Cognito User Pools

Configuring App Clients in Cognito

IAM Roles for Cognito

Use AWS Systems Manager Session Manager:

AWS Systems Manager Session Manager provides a secure way to access Amazon EC2 instances without requiring SSH keys, opening inbound ports, or maintaining bastion hosts.

This complies with the company's requirement of not managing SSH keys or maintaining bastion hosts.

Configure Session Manager Logging to CloudWatch:

In the Systems Manager Console, configure Session Manager to upload session logs to Amazon CloudWatch Logs.

This ensures all session activity logs are recorded and stored securely.

Encrypt Logs in CloudWatch:

Use an AWS Key Management Service (AWS KMS) key to encrypt the logs in CloudWatch Logs. Ensure that the CloudWatch log group is configured to use an encrypted KMS key.

This meets the requirement to encrypt logs.

Monitor Logs for Compliance and Security:

Monitor the CloudWatch Logs to ensure proper access and record all activity for compliance purposes.

AWS Systems Manager Session Manager Documentation

Encrypting CloudWatch Logs with KMS

AWS Best Practices for Accessing EC2 Instances

Action for Amazon Cognito User Pools:

Update the password policy in the Cognito user pool configuration.

Set the required minimum password length and other password complexity settings as needed.

Navigate toAmazon Cognito>User Pools>Policies, and configure the password requirements.

Action for On-Premises Active Directory:

Update the password policy in the on-premises Active Directory.

Use Group Policy Management to configure the minimum password length.

Apply the updated policy to all relevant organizational units (OUs).

IAM Password Policy:

Note that IAM does not manage Active Directory or Cognito password policies. Instead, focus on federated configurations and user pool settings.

Amazon Cognito User Pool Policies

Active Directory Password Policy

To rotate database credentials every 30 days, the most secure and efficient solution is to store the database credentials in AWS Secrets Manager and configure automatic credential rotation for every 30 days. Secrets Manager can handle the rotation of the credentials in both the secret and the database, and it can use AWS KMS to encrypt the credentials. Option B is incorrect because it requires creating a custom Lambda function to rotate the credentials, which is more effort than using Secrets Manager. Option C is incorrect because it stores the database credentials in an environment file or a configuration file, which is less secure than using Secrets Manager. Option D is incorrect because it combines the drawbacks of option B and option C. Verified References:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html

the most secure way to meet the requirements. TLS is a protocol that provides encryption and authentication for data in transit. ALB is a service that distributes incoming traffic across multiple EC2 instances. HIDS is a system that monitors and detects malicious activity on a host. ECDHE is a type of cipher suite that supports perfect forward secrecy, which is a property that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. By creating a listener on the ALB that does not enable PFS cipher suites, and using encrypted connections to the servers using ECDHE cipher suites, you can ensure that the HIDS agents can capture the traffic of the EC2 instance without compromising the privacy of the users. The other options are either less secure or less compatible with the third-party solution.