Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers

To ensure that application content is accessible only through CloudFront and not directly, the security engineer should do the following:

Add an origin custom header. This is a header that CloudFront adds to the requests that it sends to the origin, but viewers cannot see or modify.

Set the viewer protocol policy to redirect HTTP to HTTPS. This ensures that the viewers always use HTTPS when they access the website through CloudFront.

Set the origin protocol policy to HTTPS only. This ensures that CloudFront always uses HTTPS when it connects to the origin.

Update the application to validate the CloudFront custom header. This means that the application checks if the request has the custom header and only responds if it does. Otherwise, it denies or ignores the request. This prevents users from bypassing CloudFront and accessing the content directly on the origin.

Use AWS Systems Manager Session Manager:

AWS Systems Manager Session Manager provides a secure way to access Amazon EC2 instances without requiring SSH keys, opening inbound ports, or maintaining bastion hosts.

This complies with the company's requirement of not managing SSH keys or maintaining bastion hosts.

Configure Session Manager Logging to CloudWatch:

In the Systems Manager Console, configure Session Manager to upload session logs to Amazon CloudWatch Logs.

This ensures all session activity logs are recorded and stored securely.

Encrypt Logs in CloudWatch:

Use an AWS Key Management Service (AWS KMS) key to encrypt the logs in CloudWatch Logs. Ensure that the CloudWatch log group is configured to use an encrypted KMS key.

This meets the requirement to encrypt logs.

Monitor Logs for Compliance and Security:

Monitor the CloudWatch Logs to ensure proper access and record all activity for compliance purposes.

AWS Systems Manager Session Manager Documentation

Encrypting CloudWatch Logs with KMS

AWS Best Practices for Accessing EC2 Instances

The possible steps to troubleshoot this issue are:

A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.This is a necessary step because the CloudWatch agent uses the credentialsfrom the instance profile to communicate with CloudWatch1.

C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.This is a necessary step because the CloudWatch agent needs to know which logfiles to monitor and send to CloudWatch2.

D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.This is a necessary step because the VPC endpoint policies control which principals can access the AWS services through the endpoints3.

The other options are incorrect because:

B. Creating a metric filter on the logs is not a troubleshooting step, but a way to extract metric data from the logs. Metric filters do not affect the visibility of the logs in the AWS Management Console.

E. Creating a NAT gateway in the subnet is not a solution, because the EC2 instances do not need internet access to communicate with CloudWatch through the VPC endpoints.A NAT gateway would also incur additional costs.

F. Ensuring that the security groups allow all the EC2 instances to communicate with each other is not a necessary step, because the CloudWatch agent does not require log aggregation before sending. Each EC2 instance can send its own logs independently to CloudWatch.

You can establish a private connection between your VPC and Secrets Manager by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Secrets Manager APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Reference:https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html

The correct answer is D. Configure a Secrets Manager interface VPC endpoint. Include the Lambda function’s private subnet during the configuration process.

A Secrets Manager interface VPC endpoint is a private connection between the VPC and Secrets Manager that does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection1. By configuring a Secrets Manager interface VPC endpoint, the security engineer can enable the custom Lambda function to communicate with Secrets Manager without sending or receiving network traffic through the internet.The security engineer must include the Lambda function’s private subnet during the configuration process to allow the function to use the endpoint2.

The other options are incorrect for the following reasons:

A.An egress-only internet gateway is a VPC component that allows outbound communication over IPv6 from instances in the VPC to the internet, and prevents the internet from initiating an IPv6 connection with the instances3. However, this option does not meet the requirement that the VPC must not send or receive network traffic through the internet.Moreover, an egress-only internet gateway is for use with IPv6 traffic only, and Secrets Manager does not support IPv6 addresses2.

B.A NAT gateway is a VPC component that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances4. However, this option does not meet therequirement that the VPC must not send or receive network traffic through the internet.Additionally, a NAT gateway requires an elasticIP address, which is a public IPv4 address4.

C.A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses5. However, this option does not work because Secrets Manager does not have a default VPC that can be peered with.Furthermore, a VPC peering connection does not provide a private connection to Secrets Manager APIs without an internetgateway or other devices2.

 these are the strategies that can reduce the attack surface and enhance the security of the containers. Containers are a method of packaging and running applications in isolated environments. Using containers to automate security deployments can help ensure that security patches and updates are applied consistently and quickly across the container fleet. Segregating containers by host, function, and data classification can help limit the impact of a compromise and enforce the principle of least privilege. The other options are either irrelevant or risky for securing containers.

To rotate database credentials every 30 days, the most secure and efficient solution is to store the database credentials in AWS Secrets Manager and configure automatic credential rotation for every 30 days. Secrets Manager can handle the rotation of the credentials in both the secret and the database, and it can use AWS KMS to encrypt the credentials. Option B is incorrect because it requires creating a custom Lambda function to rotate the credentials, which is more effort than using Secrets Manager. Option C is incorrect because it stores the database credentials in an environment file or a configuration file, which is less secure than using Secrets Manager. Option D is incorrect because it combines the drawbacks of option B and option C. Verified References:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html