SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Note that the IP is known and the question wants us to deny access from that particular address and so we can use IP set match policy of WAF to block access.

The correct answer is A. Revoke all versions of the signing profile assigned to the developer.

According to the AWS documentation1, AWS Signer is a fully managed code-signing service that helps you ensure the trust and integrity of your code. You can use Signer to sign code artifacts, such as Lambda deployment packages, with code-signing certificates that you control and manage.

A signing profile is a collection of settings that Signer uses to sign your code artifacts. A signing profile includes information such as the following:

The type of signature that you want to create (for example, a code-signing signature).

The signing algorithm that you want Signer to use to sign your code.

The code-signing certificate and its private key that you want Signer to use to sign your code.

You can create multiple versions of a signing profile, each with a different code-signing certificate. You can also revoke a version of a signing profile if you no longer want to use it for signing code artifacts.

In this case, the company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions. One way to achieve this is to revoke all versions of the signing profile that was assigned to the developer. This will prevent Signer from using that signing profile to sign any new code artifacts, and also invalidate any existing signatures that were created with that signing profile. This way, the company can ensure that only trusted and authorized code can be deployed to the Lambda functions.

The other options are incorrect because:

B. Examining the developer’s IAM roles and removing all permissions that grant access to Signer may not be sufficient to prevent the deployment of the developer’s code. The developer may have already signed some code artifacts with a valid signing profile before leaving the company, and those signatures may still be accepted by Lambda unless the signing profile is revoked.

C. Re-encrypting all source code with a new AWS Key Management Service (AWS KMS) key may not be effective or practical. AWS KMS is a service that lets you create and manage encryption keys for your data. However, Lambda does not require encryption keys for deploying code artifacts, only valid signatures from Signer. Therefore, re-encrypting the source code may not prevent the deployment of the developer’s code if it has already been signed with a valid signing profile. Moreover, re-encrypting all source code may be time-consuming and disruptive for other developers who are working on the same code base.

D. Using Amazon CodeGuru to profile all the code that the Lambda functions use may not help with preventing the deployment of the developer’s code. Amazon CodeGuru is a service that provides intelligent recommendations to improve your code quality and identify an application’s most expensive lines of code. However, CodeGuru does not perform any security checks or validations on your code artifacts, nor does it interact with Signer or Lambda in any way. Therefore, using CodeGuru may not prevent unauthorized or untrusted code from being deployed to the Lambda functions.

References:

1: What is AWS Signer? - AWS Signer

AWS Nitro Enclaves are isolated and hardened virtual machines that run on EC2 instances and provide a secure environment for processing sensitive data. Nitro Enclaves have no persistent storage, interactive access, or external networking, and they can only communicate with the parent instance through a secure local channel. Nitro Enclaves also support cryptographic attestation, which allows verifying the identity and integrity of the enclave and its code. Nitro Enclaves are ideal for implementing data protection solutions such as tokenization, encryption, and key management.

Using Nitro Enclaves for the tokenization component of the application meets the requirements of isolating the sensitive data from other parts of the application, encrypting and storing the credit card numbers securely, and issuing tokens to replace the numbers. Other components of the application will not be able to access or store the credit card numbers, as they are only available within the enclave.

The correct answer is A and B. The principal’s identity-based policy grants access to put objects into the S3 bucket with no conditions, and the principal’s identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

The reason is that when evaluating access requests, AWS uses a combination of resource-based policies (such as bucket policies) and identity-based policies (such as IAM user policies) to determine whether to allow or deny the action. According to the AWS documentation1, “If an explicit allow exists in either the resource-based policy or the identity-based policy, then AWS allows access to the resource.” Therefore, even if the bucket policy has a condition that checks the tag values, it will not be effective if the principal’s identity-based policy has an explicit allow for the PutObject action without any conditions. The explicit allow in the identity-based policy will override the condition in the bucket policy and grant access to the principal.

The other options are incorrect because:

C. The S3 bucket’s resource policy does not deny access to put objects. This is not a factor that causes the PutObject operation to succeed when the tag values are different. The bucket policy can either allow or deny access based on conditions, but it cannot prevent an explicit allow in the identity-based policy from taking effect.

D. The S3 bucket’s resource policy cannot allow actions to the principal. This is not true. The bucket policy can allow actions to specific principals by using the Principal element in the policy statement. According to the AWS documentation2, “The Principal element specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource.”

E. The bucket policy does not apply to principals in the same zone of trust. This is not true. The bucket policy applies to any principal that is specified in the Principal element, regardless of whether they are in the same zone of trust or not. A zone of trust is a logical boundary that defines who can access a resource and under what conditions. According to the AWS documentation3, “A zone of trust can be as small as a single resource (for example, an Amazon S3 object) or as large as an entire AWS account.”

The correct answer is B because it checks the configuration of the CloudWatch alarm that is supposed to monitor the CloudTrail log events. The analyst should verify that a metric filter was created to extract the relevant information from the log events, such as the event name, source, and user identity. The analyst should also verify that the metric filter was mapped to an alarm that triggers when a certain threshold is reached, and that the alarm notification action is set up correctly to send alerts to the analyst1.

The other options are incorrect because they do not address the issue of the CloudWatch alarm not working as expected. Option A is incorrect because CloudTrail and S3 bucket access logging are not related to the monitoring of security group changes. CloudTrail logs the API calls made to AWS services, and S3 bucket access logging records the requests made to the bucket2. Option C is incorrect because CloudWatch dashboards are used to display metrics and alarms in a graphical way, but they do not affect the functionality of the alarm3. Option D is incorrect because the IAM policy permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics are not required to monitor the CloudTrail log events. These permissions are used to retrieve the statistics and list of metrics for a given namespace4.