Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 3

Understand the Risk:

Unauthorized users could stop or delete CloudTrail logging, creating a gap in audit trails.

Create a Service Control Policy (SCP):

Define an SCP at the root organizational unit (OU) level. The SCP should explicitly denyStopLoggingandDeleteTrailactions.

Example SCP:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Deny",

"Action": [

"cloudtrail:StopLogging",

"cloudtrail:DeleteTrail"

],

"Resource": "*"

}

]

}

Attach the SCP:

Attach the SCP to the root OU in AWS Organizations. This ensures the policy is enforced across all accounts within the organization.

Test and Verify:

Attempt to stop or delete a CloudTrail trail to ensure the SCP prevents these actions.

AWS CloudTrail Security Best Practices

Service Control Policies Documentation

To address the issue of an Amazon EC2 instance receiving suspicious requests over an open TCP port, the most effective solution is to update the Network Access Control List (NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule for the specific TCP port and source IP addresses involved in the suspicious activity, the security team can effectively block unwanted traffic at the subnet level. NACLs act as a stateless firewall for controlling traffic in and out of subnets, allowing for broad-based traffic filtering. This measure ensures that only legitimate traffic can reach the EC2 instance, thereby enhancing security without affecting the application's availability to other users. It's a more granular and immediate way to block specific traffic compared to modifying security group rules, which are stateful and apply at the instance level.

Comprehensive and Detailed Explanation From Exact Extract:

KMS grants are lightweight and efficient tools designed specifically for programmatic, temporary, or high-volume delegation of KMS key usage. They are ideal when access needs to be rotated or updated frequently—such as weekly changes in vendors.

KMS grants allow you to control access without changing the key policy itself. They can be easily created and revoked programmatically, which minimizes operational overhead compared to editing key or IAM policies.

This approach aligns with Identity and Access Management best practices in the AWS Certified Security – Specialty study guide for scalable cross-account key access management.

The following may be causing the problem for the Auditor:

A. The external ID used by the Auditor is missing or incorrect. This is a possible cause, because the external ID is a unique identifier that is used to establish a trust relationship between the accounts.The external ID must match the one that is specified in the role’s trust policy in the destination account1.

C. The Auditor has not been granted sts:AssumeRole for the role in the destination account. This is a possible cause, because sts:AssumeRole is the API action that allows the Auditor to assume the cross-account role and obtain temporary credentials.The Auditor must have an IAM policy that allows them to call sts:AssumeRole for the role ARN in the destination account2.

F. The role ARN used by the Auditor is missing or incorrect. This is a possible cause, because the role ARN is the Amazon Resource Name of the cross-account role that the Auditor wants to assume.The role ARN must be valid and exist in the destination account3.

The combination of solutions that will meet the requirements are:

A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities. This is a valid solution because it allows the security team to access the workload AWS account and instances using a local IAM user that does not depend on SAML federation.It also enables logging and monitoring of the break glass user activities using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge123.

E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic. This is a valid solution because it allows the security team to access the workload instances without opening any inbound ports or managing SSH keys or bastion hosts.It also enables logging and notification of the breakglass user activities using AWS CloudTrail, Session Manager, and Amazon SNS456.

The other options are incorrect because:

B.Creating a break glass EC2 key pair for the AWS account and providing it to the security team is not a valid solution, because it requires opening inbound ports on the instances and managing SSH keys, which increases the security risk and complexity7.

C.Creating a break glass IAM role for the account and allowing security team members to perform the AssumeRoleWithSAML operation is not a valid solution, because it still dependson SAML federation, which might not work in case of SAML errors8.

D.Creating a local individual break glass IAM user on the operating system level of each workload instance and configuring unrestricted security groups on theinstances to grant access to the break glass IAM users is not a valid solution,because it requires opening inbound ports on the instances and managing multiple local users, which increases the security risk and complexity9.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html

Utilizing AWS Config with a custom AWS Config rule (ec2-managedinstance-applications-required) enables detection of EC2 instances lacking the required software across all accounts in an organization. By creating an Amazon EventBridge rule that triggers on AWS Config events, and configuring it to invoke an AWS Lambda function, automated actions can be taken to ensure compliance. The Lambda function can leverage AWS Systems Manager Run Command to install the necessary software on non-compliant instances. This approach ensures continuous compliance and automated remediation, aligning with best practices for cloud security and management.

Restrict Root User Capabilities Using Service Control Policies (SCPs):

SCPs in AWS Organizations provide the ability to control permissions for AWS accounts in the organization.

Create a new organizational unit (OU) and move all member accounts into this OU.

Create SCP for Root User Restrictions:

Define an SCP that denies critical actions likeiam:CreateUser,iam:DeleteUser, or other high-risk actions for the root user. Example SCP:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Deny",

"Action": "*",

"Resource": "*",

"Condition": {

"StringEquals": {

"aws:PrincipalAccountRoot": "true"

}

}

}

]

}

Enforce Multi-Factor Authentication (MFA):

Enable MFA on root accounts for additional security.

Monitor Root User Activity:

Use AWS CloudTrail to monitor and log root user actions. Configure alerts with CloudWatch for any unauthorized root usage.

AWS Organizations SCP Documentation

Best Practices for Root User Account

You can establish a private connection between your VPC and Secrets Manager by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Secrets Manager APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Reference:https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html

The correct answer is D. Configure a Secrets Manager interface VPC endpoint. Include the Lambda function’s private subnet during the configuration process.

A Secrets Manager interface VPC endpoint is a private connection between the VPC and Secrets Manager that does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection1. By configuring a Secrets Manager interface VPC endpoint, the security engineer can enable the custom Lambda function to communicate with Secrets Manager without sending or receiving network traffic through the internet.The security engineer must include the Lambda function’s private subnet during the configuration process to allow the function to use the endpoint2.

The other options are incorrect for the following reasons:

A.An egress-only internet gateway is a VPC component that allows outbound communication over IPv6 from instances in the VPC to the internet, and prevents the internet from initiating an IPv6 connection with the instances3. However, this option does not meet the requirement that the VPC must not send or receive network traffic through the internet.Moreover, an egress-only internet gateway is for use with IPv6 traffic only, and Secrets Manager does not support IPv6 addresses2.

B.A NAT gateway is a VPC component that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances4. However, this option does not meet therequirement that the VPC must not send or receive network traffic through the internet.Additionally, a NAT gateway requires an elasticIP address, which is a public IPv4 address4.

C.A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses5. However, this option does not work because Secrets Manager does not have a default VPC that can be peered with.Furthermore, a VPC peering connection does not provide a private connection to Secrets Manager APIs without an internetgateway or other devices2.