SCS-C02 Exam Dumps - AWS Certified Security - Specialty

To address the issue of an Amazon EC2 instance receiving suspicious requests over an open TCP port, the most effective solution is to update the Network Access Control List (NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule for the specific TCP port and source IP addresses involved in the suspicious activity, the security team can effectively block unwanted traffic at the subnet level. NACLs act as a stateless firewall for controlling traffic in and out of subnets, allowing for broad-based traffic filtering. This measure ensures that only legitimate traffic can reach the EC2 instance, thereby enhancing security without affecting the application's availability to other users. It's a more granular and immediate way to block specific traffic compared to modifying security group rules, which are stateful and apply at the instance level.

This solution meets the requirement of recovering the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted. By creating a new AWS account with limited privileges, the company can isolate the backup snapshots from the main account and reduce the risk of accidental or malicious deletion. By allowing the new account to access the KMS key that encrypts the EBS snapshots, the company can ensure that the snapshots are copied in an encrypted form and can be decrypted when needed. By copying the encrypted snapshots to the new account on a recurring basis, the company can maintain a consistent backup schedule and minimize data loss.

CloudWatchLogsReadOnlyAccess doesn't include "logs:CreateLogStream" but it includes "logs:Get*" https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#:~:text=oam%3A*%3A*%3Asink/*%22%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%5D%0A%7D-,CloudWatchLogsReadOnlyAccess,-The%20CloudWatchLogsReadOnly Access%20policy

The correct answer is D. Remove Amazon SES from the root SCP.

This answer is correct because the root SCP is the most restrictive policy that applies to all accounts in the organization. The root SCP explicitly denies access to Amazon SES by using the NotAction element, which means that any action that is not listed in the element is denied. Therefore, removing Amazon SES from the root SCP will allow the developers to access it, as long as there are no other SCPs or IAM policies that deny it.

The other options are incorrect because:

A. Adding a resource policy that allows each member of the group to access Amazon SES is not a solution, because resource policies are not supported by Amazon SES1. Resource policies are policies that are attached to AWS resources, such as S3 buckets or SNS topics, to control access to those resources2. Amazon SES does not have any resources that can have resource policies attached to them.

B. Adding a resource policy that allows “Principal”: {“AWS”: “arn:aws:iam::account-number:group/Dev”} is not a solution, because resource policies do not support IAM groups as principals3. Principals are entities that can perform actions on AWS resources, such as IAM users, roles, or AWS accounts4. IAM groups are not principals, but collections of IAM users that share the same permissions5.

C. Removing the AWS Control Tower control (guardrail) that restricts access to Amazon SES is not a solution, because AWS Control Tower does not have any guardrails that restrict access to Amazon SES6. Guardrails are high-level rules that govern the overall behavior of an organization’s accounts7. AWS Control Tower provides a set of predefined guardrails that cover security, compliance, and operations domains8.

References:

1: Amazon Simple Email Service endpoints and quotas 2: Resource-based policies and IAM policies 3: Specifying a principal in a policy 4: Policy elements: Principal 5: IAM groups 6: AWS Control Tower guardrails reference 7: AWS Control Tower concepts 8: AWS Control Tower guardrails

Although you can use a IAM policy to prevent users launching resources in other regions. The best practice is to use SCP when using AWS organizations. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region

The correct answer is A because GuardDuty can detect and alert on EC2 instance credential exfiltration events. These events indicate that the credentials obtained from the EC2 instance metadata service are being used from an IP address that is owned by a different AWS account than the one that owns the instance1. GuardDuty can also provide details such as the source and destination IP addresses, the AWS account ID of the attacker, and the API calls made using the exfiltrated credentials2.

The other options are incorrect because they do not provide the information needed to determine if the credentials were used to access the company’s resources from an external account. Option B is incorrect because Audit Manager does not generate InstanceCredentialExfiltration events. Audit Manager is a service that helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards3. Option C is incorrect because CloudTrail logs do not show the account ID of the caller for GetSessionToken API calls to AWS STS. CloudTrail logs show the account ID of the identity whose credentials were used to call the API4. Option D is incorrect because CloudWatch logs do not show the GetSessionToken API calls to AWS STS by default. CloudWatch logs can show the API calls made by AWS Lambda functions, Amazon API Gateway, and other AWS services that integrate with CloudWatch5.