Amazon AWS Certified Security — Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 5 Q61-75
Question61:
A multinational enterprise is migrating critical customer data to Amazon S3. Security requirements mandate encryption using customer-managed KMS keys, prevention of unencrypted object uploads, enforcement of least-privilege access, automated remediation of non-compliant objects, and centralised auditing across multiple accounts and regions. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption and rely on developers to enforce proper encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.
Answer:
B
Explanation:
Option A, enabling SSE-S3 default encryption and relying on developers, provides limited protection. SSE-S3 encrypts objects at rest (since January 2023 S3 applies it to every new object automatically), but it does not enforce the use of customer-managed KMS keys, which are what give the organisation a key policy it controls, cross-account access decisions, and a CloudTrail record of each use of the key. Human error or oversight can still produce objects encrypted with the wrong key, creating regulatory and operational risk. SSE-S3 also offers no mechanism for detecting or remediating non-compliant objects and no cross-account audit capability.
Option B is the most comprehensive solution. SCPs enforce organization-wide policies: a Deny on s3:PutObject whose condition checks the s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id request keys rejects any upload that does not name the approved customer-managed key, in every member account, whatever the caller's own identity policy allows. Two caveats matter in practice: SCPs bind only principals inside the organization, so the same condition must also appear in bucket policies for any external uploader; and a request that sends no encryption header falls back to the bucket's default encryption, so either the SCP must treat a missing header as a violation or every bucket's default encryption must be pinned to the approved key. Bucket policies enforce least-privilege access, limiting upload and modification rights to authorized IAM roles and reducing the risk of insider threats. EventBridge rules fire on S3 Object Created events in near real time; the event names the bucket and key but not the encryption used, so the remediation function must call HeadObject and then re-encrypt the object in place with the approved key or alert administrators. Consolidated CloudTrail logs provide a centralised audit trail of object-level operations across accounts and regions, provided S3 data events are enabled on the organization trail (a default trail records management events only); log file validation and Object Lock on the log bucket make that trail tamper-evident. By integrating preventive, detective, and corrective controls, this solution ensures operational efficiency, security, and compliance at scale.
Option C, storing unencrypted objects and encrypting them manually later, is reactive, operationally intensive, and error-prone. Objects remain exposed for the duration between upload and manual encryption, increasing risk. Option D relies solely on developer discipline and periodic audits, which cannot prevent real-time violations and introduces human error risk.
Option B uniquely combines preventive enforcement, least-privilege access, automated remediation, and centralised auditing, making it the optimal solution for a complex, multi-account migration scenario.
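Added example, not part of the original page: the SCP statements the answer describes, written two ways, together with a small model of how IAM evaluates the condition operators they use (only those operators, not a general policy engine), so the effect on different PutObject requests can be checked offline. The key ARNs and account ID are made up. It also shows the point the answer only hints at: without the IfExists suffix, a request that sends no encryption header is not denied and silently falls back to the bucket's default encryption.

```python
"""Added example (not from the original page). Builds the SCP from the answer and
models how IAM evaluates its conditions for a few constructed PutObject requests.
Key ARNs, account ID and bucket names are assumptions."""
import json

APPROVED_KEY = "arn:aws:kms:eu-west-1:111122223333:key/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"  # assumed
OTHER_KEY = "arn:aws:kms:eu-west-1:111122223333:key/ffffffff-0000-1111-2222-333333333333"    # assumed


def make_scp(strict):
    """Deny s3:PutObject unless the request asks for SSE-KMS with APPROVED_KEY.

    strict=True uses StringNotEqualsIfExists: a missing header counts as a match,
    so header-less uploads are denied too and clients must be explicit.
    strict=False uses StringNotEquals: a missing header never matches, so
    header-less uploads pass the SCP and receive the bucket's default encryption."""
    op = "StringNotEqualsIfExists" if strict else "StringNotEquals"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireSseKmsHeader",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": "*",
                "Condition": {op: {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "RequireApprovedKey",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": "*",
                "Condition": {op: {"s3:x-amz-server-side-encryption-aws-kms-key-id": APPROVED_KEY}},
            },
        ],
    }


def _condition_true(operator, key, expected, context):
    """Model of the string operators used above (IAM semantics, simplified)."""
    if operator.endswith("IfExists"):
        if key not in context:
            return True        # absent key: the condition element evaluates true
        operator = operator[: -len("IfExists")]
    if key not in context:
        return False           # absent key without IfExists: never matches
    if operator == "StringNotEquals":
        return context[key] != expected
    if operator == "StringEquals":
        return context[key] == expected
    raise ValueError(f"operator not modelled: {operator}")


def _statement_applies(statement, action, context):
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if action not in actions:
        return False
    # Several keys or operators in one Condition block are ANDed together.
    return all(
        _condition_true(operator, key, expected, context)
        for operator, pairs in statement.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def scp_decision(policy, action, headers):
    """'allow' means the SCP does not block the call (an identity policy must still
    grant it); 'deny:<Sid>' names the statement that fired. Request headers become
    s3:* condition keys, which is how S3 presents them to IAM."""
    context = {f"s3:{name.lower()}": value for name, value in headers.items()}
    for statement in policy["Statement"]:
        if statement["Effect"] == "Deny" and _statement_applies(statement, action, context):
            return f"deny:{statement['Sid']}"
    return "allow"


# Constructed PutObject requests, reduced to the headers that matter here.
REQUESTS = {
    "no-headers": {},
    "sse-s3": {"x-amz-server-side-encryption": "AES256"},
    "kms-no-key-id": {"x-amz-server-side-encryption": "aws:kms"},
    "kms-other-key": {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": OTHER_KEY,
    },
    "kms-approved-key": {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": APPROVED_KEY,
    },
}


def decision_table(strict):
    policy = make_scp(strict)
    return {name: scp_decision(policy, "s3:PutObject", h) for name, h in REQUESTS.items()}


if __name__ == "__main__":
    # The strict document is what you would attach with `aws organizations create-policy`.
    print(json.dumps(make_scp(strict=True), indent=2))
    for mode in (True, False):
        print("strict" if mode else "lenient", decision_table(mode))
```

The lenient form is only safe when every bucket's default encryption is pinned to APPROVED_KEY; the strict form forces clients to send both headers and breaks uploads that relied on the default. Either way the SCP governs only principals in the organization, so the same two conditions belong in the bucket policy for external uploaders.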
Question62:
A healthcare organization stores sensitive patient records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging of all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS for connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs.
Answer:
B
Explanation:
Option A provides partial protection but violates best practices. AWS managed keys encrypt data at rest and SSL/TLS secures data in transit, but granting full database access to developers breaches the least-privilege principle. The AWS managed aws/rds key is rotated yearly and its use appears in CloudTrail, but its key policy cannot be edited, it cannot be shared with another account, and its rotation cannot be controlled, which is too little governance for regulated healthcare data. Without automated credential rotation and centralised logging, the risk of credential compromise or misconfiguration remains high.
Option B satisfies all requirements. Customer-managed KMS keys provide encryption at rest with a key policy the organisation controls, optional automatic rotation, and per-key usage records in CloudTrail; note that storage encryption is chosen when an instance is created, so an existing unencrypted instance is migrated by copying a snapshot with encryption enabled and restoring from it. SSL/TLS protects data in transit and should be made mandatory server-side (the rds.force_ssl parameter for PostgreSQL, require_secure_transport for MySQL and MariaDB) rather than left to client configuration. IAM database authentication (MySQL, MariaDB and PostgreSQL) replaces passwords with tokens valid for 15 minutes and authorised by rds-db:connect, so application roles carry no static credentials. AWS Secrets Manager rotates the static credentials that remain, such as the master user, on a schedule. CloudTrail records the RDS API calls (control plane): instance creation, parameter and security group changes, snapshot operations. It does not record SQL statements; auditing of the database operations themselves comes from the engine's audit log (pgAudit, the MariaDB Audit Plugin) published to CloudWatch Logs, and the two together satisfy the requirement for centralised logging of operations and configuration changes. These preventive and detective controls align with AWS best practices and healthcare regulatory requirements such as HIPAA.
Option C is insecure because storing credentials in environment variables exposes sensitive data to accidental disclosure or insider misuse. Default encryption alone does not enforce least-privilege access, credential rotation, or centralised auditing. Option D, relying on point-in-time recovery and manual log reviews, is reactive and operationally inefficient, failing to provide preventive enforcement or real-time monitoring.
Option B is the only approach that meets all preventive, detective, and corrective requirements while ensuring security, compliance, and operational efficiency for sensitive healthcare data.
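Added example, not part of the original page: an offline posture check for the controls the answer names, run against constructed copies of the DescribeDBInstances, KMS DescribeKey and DescribeDBParameters responses. Field names follow the real APIs; the instance identifiers, ARNs and key IDs are made up. It also makes the CloudTrail point concrete: statement-level audit comes from the engine log export, which the check requires alongside the encryption, key-ownership, TLS and IAM-auth settings.

```python
"""Added example (not from the original page): offline check of the controls in the
answer against constructed copies of the DescribeDBInstances, KMS DescribeKey and
DescribeDBParameters responses. Field names follow the real APIs; identifiers,
ARNs and key IDs are made up."""

# Engine parameter that makes TLS mandatory on the server, and the values meaning "on".
FORCE_TLS = {
    "postgres": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"ON", "1"}),
    "mariadb": ("require_secure_transport", {"ON", "1"}),
}
# CloudWatch Logs export that carries statement-level audit records. CloudTrail never
# does; it only sees the RDS API.
AUDIT_EXPORT = {"postgres": "postgresql", "mysql": "audit", "mariadb": "audit"}


def check_instance(instance, key_metadata, parameters):
    """instance: one element of DescribeDBInstances()['DBInstances'];
    key_metadata: DescribeKey(KeyId=instance['KmsKeyId'])['KeyMetadata'], or None;
    parameters: {ParameterName: ParameterValue} from the instance's parameter group.
    Returns a list of findings; an empty list means the stated requirements are met."""
    engine = instance.get("Engine")
    if engine not in FORCE_TLS:
        return [f"engine {engine!r} not covered by this check"]
    findings = []

    if not instance.get("StorageEncrypted"):
        findings.append("storage not encrypted (set at creation; re-create from an encrypted snapshot copy)")
    elif not key_metadata or key_metadata.get("KeyManager") != "CUSTOMER":
        # The KMS ARN alone does not reveal this; DescribeKey's KeyManager field does.
        findings.append("encrypted with the AWS managed aws/rds key, not a customer-managed key")

    if not instance.get("IAMDatabaseAuthenticationEnabled"):
        findings.append("IAM database authentication disabled")

    name, on_values = FORCE_TLS[engine]
    if parameters.get(name) not in on_values:
        findings.append(f"TLS optional: {name}={parameters.get(name)!r}")

    if AUDIT_EXPORT[engine] not in instance.get("EnabledCloudwatchLogsExports", []):
        findings.append(f"{AUDIT_EXPORT[engine]} log not exported to CloudWatch Logs")
    if engine == "postgres" and "pgaudit" not in parameters.get("shared_preload_libraries", ""):
        findings.append("pgaudit not loaded, so the postgresql log has no statement audit")
    return findings


# Constructed responses. GOOD_* meets the requirements; WEAK_* is a typical default build.
GOOD_INSTANCE = {
    "DBInstanceIdentifier": "ehr-prod",
    "Engine": "postgres",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",
    "IAMDatabaseAuthenticationEnabled": True,
    "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"],
}
GOOD_KEY = {"KeyId": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", "KeyManager": "CUSTOMER", "KeyState": "Enabled"}
GOOD_PARAMS = {"rds.force_ssl": "1", "shared_preload_libraries": "pgaudit,pg_stat_statements", "pgaudit.log": "all"}

WEAK_INSTANCE = {
    "DBInstanceIdentifier": "ehr-dev",
    "Engine": "mysql",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "IAMDatabaseAuthenticationEnabled": False,
    "EnabledCloudwatchLogsExports": ["error"],
}
AWS_MANAGED_KEY = {"KeyId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "KeyManager": "AWS", "KeyState": "Enabled"}
WEAK_PARAMS = {"require_secure_transport": "OFF"}


if __name__ == "__main__":
    for inst, key, params in ((GOOD_INSTANCE, GOOD_KEY, GOOD_PARAMS),
                              (WEAK_INSTANCE, AWS_MANAGED_KEY, WEAK_PARAMS)):
        print(inst["DBInstanceIdentifier"], check_instance(inst, key, params) or "OK")
```

Against a real account the three inputs come from `rds.describe_db_instances()`, `kms.describe_key(KeyId=...)` and a paginated `rds.describe_db_parameters(DBParameterGroupName=...)`; the check itself is unchanged.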
Question63:
A financial organization needs to store highly sensitive transactional data in Amazon S3 with requirements for immutability for a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A provides versioning, which allows recovery of previous object versions but does not prevent anyone holding s3:DeleteObjectVersion from permanently deleting them, or a privileged user from suspending versioning. Relying on developers introduces human error, making it insufficient for regulatory compliance. Versioning alone does not enforce immutability or provide an audit trail.
Option B is the most robust solution. S3 Object Lock in compliance mode enforces WORM (write-once-read-many) immutability: during the retention period no one, including administrators and the account root user, can delete the locked version, shorten the retention or change the mode; retention can only be extended. Object Lock requires versioning, so a DeleteObject call without a version ID only adds a delete marker and the data stays recoverable, while an attempt to delete the version itself fails with AccessDenied. Bucket policies enforce least-privilege access, limiting object management to authorized personnel and mitigating insider threats. CloudTrail captures object-level operations once S3 data events are enabled on the trail (a default trail logs management events only); refused deletion attempts then appear with the caller's identity, source IP and error code, providing centralised auditability for compliance and forensic purposes. The combination of preventive controls (Object Lock, bucket policies) and detective controls (CloudTrail data events) ensures operational security, compliance, and accountability.
Option C, relying on separate backups and manual tracking, is reactive, labor-intensive, and error-prone. It does not prevent deletions at the source or provide automated enforcement, leaving regulatory gaps. Option D, using SSE-S3 with manual access management, protects confidentiality but does not enforce immutability or provide auditable logs, leaving gaps in security and compliance.
Option B is the only solution that integrates immutability, access control, insider threat mitigation, and auditing, making it ideal for storing sensitive financial data.
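Added example, not part of the original page: an offline check of a bucket against the requirements above, using constructed copies of the GetBucketVersioning, GetObjectLockConfiguration and GetObjectRetention responses, plus the configuration document you would pass to PutObjectLockConfiguration. Field names follow the S3 API; the retention periods and dates are made up.

```python
"""Added example (not from the original page): checks a bucket's WORM posture from
constructed GetBucketVersioning / GetObjectLockConfiguration / GetObjectRetention
responses. Field names follow the S3 API; values are made up."""
from datetime import datetime, timedelta, timezone


def check_worm_bucket(versioning, lock_config, required_days):
    """versioning: GetBucketVersioning() output; lock_config: GetObjectLockConfiguration()
    output ({} if the call raised ObjectLockConfigurationNotFoundError).
    Returns findings; empty means compliance-mode WORM for at least required_days."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled (Object Lock requires it)")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled on bucket")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention; objects are unlocked unless the uploader sets one")
        return findings
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"default mode is {retention.get('Mode')}; GOVERNANCE can be bypassed "
                        "by anyone holding s3:BypassGovernanceRetention")
    days = retention.get("Days") or 365 * retention.get("Years", 0)
    if days < required_days:
        findings.append(f"default retention {days} days is shorter than required {required_days}")
    return findings


def default_lock_configuration(days):
    """Argument for put_object_lock_configuration(Bucket=..., ObjectLockConfiguration=...).
    Compliance mode: the period can later be extended per object but never shortened."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}}}


def remaining_retention_days(retention_response, now):
    """retention_response: GetObjectRetention() output for one version.
    Whole days until that version becomes deletable (0 if expired); None if unlocked."""
    retention = retention_response.get("Retention")
    if not retention:
        return None
    return max(0, (retention["RetainUntilDate"] - now).days)


# Constructed responses.
GOOD_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
GOVERNANCE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_RETENTION = {"Retention": {"Mode": "COMPLIANCE",
                    "RetainUntilDate": NOW + timedelta(days=10, hours=3)}}

if __name__ == "__main__":
    print(check_worm_bucket(GOOD_VERSIONING, GOOD_LOCK, 7 * 365) or "OK")
    print(check_worm_bucket(GOOD_VERSIONING, GOVERNANCE_LOCK, 7 * 365))
    print(check_worm_bucket({}, {}, 7 * 365))
    print(remaining_retention_days(SAMPLE_RETENTION, NOW), "days left")
```

`default_lock_configuration` only affects objects written after it is applied; existing versions stay unlocked until `put_object_retention` is called on each of them, which is why the check looks at both the bucket default and the per-object retention.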
Question64:
A healthcare organization processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A provides unrestricted invocation, relying on logging for monitoring. While logs capture activity, they do not enforce preventive access control. Option C, storing secrets in environment variables, exposes sensitive data and does not prevent unauthorised invocation. Option D, using API keys, relies on secrecy and human discipline, which is prone to sharing, mismanagement, or accidental leaks.
Option B enforces preventive controls with a resource-based policy that grants lambda:InvokeFunction to the apigateway.amazonaws.com service principal and restricts it with an aws:SourceArn condition naming the approved API's execute-api ARN, so no other API, in this account or any other, can invoke the function through that principal. One caveat: a resource-based policy does not on its own block principals in the same account whose identity policies grant lambda:InvokeFunction, so blocking direct invocation by staff also requires that their IAM policies not grant the action on this function (or that an SCP deny it). CloudTrail logs Invoke calls as data events, which must be enabled on the trail; every attempt, successful or AccessDenied, is then recorded with the caller's identity for compliance reporting and forensic investigation. By combining preventive (resource-based and identity policies) and detective (CloudTrail) controls, Option B ensures secure, auditable Lambda execution aligned with AWS best practices and regulatory compliance for sensitive healthcare data.
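Added example, not part of the original page: the resource-based policy statement the answer describes, the corresponding add-permission call, and an audit routine that reads an existing function policy (the JSON string GetPolicy returns) and flags any statement that would let something other than the approved API invoke the function. The account, region, API ID and function name are made up.

```python
"""Added example (not from the original page): Lambda resource-based policy for
API Gateway with a SourceArn pin, and an audit of a function's existing policy.
Account, region, API id and function ARN are assumptions."""
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:patient-intake"  # assumed


def api_gateway_invoke_statement(function_arn, region, account, api_id, stage="*"):
    """Grant lambda:InvokeFunction to API Gateway, but only on behalf of one API.
    The execute-api ARN is api-id/stage/METHOD/path; without the condition any API in
    any account could invoke the function through the service principal."""
    return {
        "Sid": f"AllowInvokeFrom-{api_id}",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/*/*"}},
    }


def grant(function_name, region, account, api_id, stage="*"):
    """Apply the same statement with the Lambda API (needs credentials; not run offline)."""
    import boto3
    return boto3.client("lambda", region_name=region).add_permission(
        FunctionName=function_name,
        StatementId=f"AllowInvokeFrom-{api_id}",
        Action="lambda:InvokeFunction",
        Principal="apigateway.amazonaws.com",
        SourceArn=f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/*/*",
    )


def _source_arns(statement):
    """Every aws:SourceArn value in the statement's Condition, whatever the operator."""
    arns = []
    for pairs in statement.get("Condition", {}).values():
        for key, value in pairs.items():
            if key.lower() == "aws:sourcearn":
                arns.extend([value] if isinstance(value, str) else value)
    return arns


def audit_function_policy(policy_document, approved_api_ids):
    """policy_document: GetPolicy()['Policy'] (a JSON string).
    Returns (Sid, reason) for each Allow of InvokeFunction not pinned to an approved API."""
    findings = []
    for st in json.loads(policy_document).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append((st.get("Sid"), "public invoke: Principal is *"))
        elif isinstance(principal, dict) and "Service" in principal:
            arns = _source_arns(st)
            if not arns:
                findings.append((st.get("Sid"), f"service principal {principal['Service']} without SourceArn"))
            for arn in arns:
                api_id = arn.split(":")[5].split("/")[0]
                if api_id not in approved_api_ids:
                    findings.append((st.get("Sid"), f"invoke allowed for unapproved API {api_id}"))
        else:
            findings.append((st.get("Sid"), f"direct invoke granted to {principal}"))
    return findings


# Constructed GetPolicy output: one correct statement and two that should not be there.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        api_gateway_invoke_statement(FUNCTION_ARN, "us-east-1", "111122223333", "a1b2c3d4e5"),
        {"Sid": "LegacyBatchAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "ConsoleTest", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    ],
})

if __name__ == "__main__":
    for sid, reason in audit_function_policy(SAMPLE_POLICY, {"a1b2c3d4e5"}):
        print(sid, "->", reason)
```

The audit covers the resource-based side only. Same-account principals whose identity policies grant lambda:InvokeFunction never appear in this document, so the identity policies (or an SCP) have to be reviewed separately.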
Question65:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials through environment variables, which can leak via logs or misconfigurations, and manual rotation is operationally inefficient. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation, violating security best practices. Option D uses long-lived IAM user credentials, which are difficult to rotate, audit, or manage securely, increasing the risk of compromise.
Option B provides a secure, automated, and auditable solution. SecureString parameters are encrypted with a KMS key (the default aws/ssm key or, preferably, a customer-managed key), and reading one requires both IAM permission on the parameter path and kms:Decrypt on that key, so access can be scoped to a single application's hierarchy. IAM roles attached through instance profiles give each instance short-lived credentials with nothing secret stored on disk; requiring IMDSv2 closes off credential theft through SSRF. One correction to the option's wording: Parameter Store has no built-in rotation. "Automated rotation" means a scheduled job (for example EventBridge Scheduler invoking a Lambda function) that writes a new parameter version and updates the consuming API; where native scheduled rotation is required, AWS Secrets Manager provides it. CloudTrail logs every GetParameter and GetParameters call, and the KMS Decrypt each one triggers, providing centralised auditing for regulatory compliance and forensic analysis. Option B integrates preventive and detective controls for sensitive API access across multiple EC2 instances.
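Added example, not part of the original page: the pieces the option leaves implicit when it says "automated rotation" for Parameter Store, which has none built in. It builds the instance-role policy scoped to one parameter path and one KMS key, a rotation routine that writes a new SecureString version and moves a "current" label onto it, and the read path that follows the label. The SSM client is injected so the logic runs offline; parameter names, account and key are made up, and the site-specific step that registers the new key with the internal API is left out.

```python
"""Added example (not from the original page): least-privilege read policy, label-based
rotation and read path for a Parameter Store SecureString. Names, account and key
are assumptions; the client is injected so this runs without AWS."""
import secrets


def instance_role_policy(region, account, path, kms_key_arn):
    """Read-only access to one parameter hierarchy. kms:Decrypt is limited to calls made
    through Parameter Store (kms:ViaService), so the role cannot use the same key to
    decrypt arbitrary ciphertext."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
             "Resource": f"arn:aws:ssm:{region}:{account}:parameter{path}/*"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn,
             "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}}},
        ],
    }


def rotate(ssm, name, kms_key_id, new_value=None):
    """Write a new SecureString version and point the 'current' label at it.
    Returns the new version number. Earlier versions stay readable by number, which
    allows a staged cut-over; the consuming API must be told the new value separately
    (site-specific, omitted here)."""
    new_value = new_value or secrets.token_urlsafe(32)
    version = ssm.put_parameter(Name=name, Value=new_value, Type="SecureString",
                                KeyId=kms_key_id, Overwrite=True)["Version"]
    # A label can sit on one version only; attaching it here moves it off the old one.
    ssm.label_parameter_version(Name=name, ParameterVersion=version, Labels=["current"])
    return version


def read_current(ssm, name):
    """What the EC2 application calls: the label selector avoids hard-coding a version."""
    return ssm.get_parameter(Name=f"{name}:current", WithDecryption=True)["Parameter"]["Value"]


def handler(event, context=None, ssm=None):
    """EventBridge Scheduler target. Assumed event shape:
    {"name": "/prod/billing/api-key", "kms_key_id": "alias/billing-secrets"}"""
    if ssm is None:
        import boto3  # only when running in Lambda
        ssm = boto3.client("ssm")
    return rotate(ssm, event["name"], event["kms_key_id"])


if __name__ == "__main__":
    import json
    print(json.dumps(instance_role_policy("eu-west-1", "111122223333", "/prod/billing",
                                          "arn:aws:kms:eu-west-1:111122223333:key/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"),
                     indent=2))
```

Pair the rotation schedule with a CloudTrail check that only the rotation role calls PutParameter and LabelParameterVersion on the path; a GetParameter from an unexpected role or instance is the signal the answer's auditing requirement is meant to surface.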
Question66:
A multinational enterprise is deploying sensitive customer data to Amazon S3 across multiple accounts and regions. Security requirements include organization-wide enforcement of encryption using customer-managed KMS keys, prevention of unencrypted uploads, least-privilege access control for IAM roles, automated remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.
Answer:
B
Explanation:
Option A provides encryption via SSE-S3 by default but leaves the choice of key to developers. SSE-S3 encrypts every new object at rest (it has been the S3 baseline since January 2023), but it does not enforce the organization's customer-managed KMS keys, which are what give security teams a key policy they control, cross-account access decisions and per-key usage records. Human error can still produce objects encrypted with the wrong key. SSE-S3 also provides no mechanism to detect or remediate non-compliant objects and nothing for cross-account centralised audit logging, which multi-account, multi-region environments need.
Option B is the most comprehensive and effective solution. SCPs provide organization-wide preventive control: a Deny on s3:PutObject whose condition checks the s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id request keys rejects uploads that do not name the approved key, in every member account and regardless of what the caller's own policies allow. Because SCPs bind only principals inside the organization, the bucket policies must repeat the same condition for external uploaders, alongside the least-privilege grants that restrict reads, uploads and modifications to authorised IAM roles and mitigate insider threats. EventBridge rules fire on S3 Object Created events in near real time; the event carries the bucket and key but not the encryption used, so the remediation function must call HeadObject and then re-encrypt the object (an in-place CopyObject with the approved key) or notify administrators. Consolidated CloudTrail logs give one audit record of object-level operations across accounts and regions, provided S3 data events are enabled on the organization trail; log file validation and Object Lock on the log bucket make that record tamper-evident. Preventive, detective and corrective controls together provide operational efficiency, robust security and comprehensive compliance coverage.
Option C, storing unencrypted objects temporarily and manually encrypting them, is reactive, error-prone, and labor-intensive. Objects remain exposed until manually remediated, increasing risk. Option D, relying solely on developer discipline and periodic audits, is inadequate in multi-account environments where human error, oversight, or malicious activity could lead to policy violations. Periodic audits are reactive and cannot prevent violations in real-time.
Option B uniquely integrates preventive enforcement, least-privilege access, automated remediation, and centralised auditing, making it the optimal solution for complex, large-scale S3 deployments.
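Added example, not part of the original page: a remediation handler for the EventBridge "Object Created" events the answer relies on. Because the event does not say how the object was encrypted, the handler calls HeadObject and, when the object is not SSE-KMS under the approved key, re-encrypts it with an in-place CopyObject and removes the old version. The S3 client is injected so the logic can be exercised without AWS; the bucket, key, version ID and KMS key ARN are made up.

```python
"""Added example (not from the original page): EventBridge-driven re-encryption of a
non-compliant S3 object. Bucket, key, version and KMS key ARN are assumptions; the
S3 client is injected so the handler can be exercised offline."""

APPROVED_KEY = "arn:aws:kms:eu-west-1:111122223333:key/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"  # assumed

# Constructed event in the shape S3 emits when EventBridge notifications are enabled.
SAMPLE_EVENT = {
    "detail-type": "Object Created",
    "source": "aws.s3",
    "detail": {
        "bucket": {"name": "customer-data-111122223333"},
        "object": {"key": "exports/2024/05/customers.csv", "size": 4096,
                   "version-id": "3sL4kqtJlcpXroDTDmJ"},
        "reason": "PutObject",
    },
}


def is_compliant(head):
    """head: the dict returned by HeadObject. S3 reports the KMS key as its ARN."""
    return head.get("ServerSideEncryption") == "aws:kms" and head.get("SSEKMSKeyId") == APPROVED_KEY


def remediate(s3, bucket, key, version_id=None):
    """Return 'compliant' or 're-encrypted'. Copying an object onto itself is only
    accepted when something changes; switching the encryption qualifies. CopyObject
    handles up to 5 GB; larger objects need a multipart copy (not shown)."""
    location = {"Bucket": bucket, "Key": key}
    if version_id:
        location["VersionId"] = version_id
    if is_compliant(s3.head_object(**location)):
        return "compliant"
    s3.copy_object(
        Bucket=bucket,
        Key=key,
        CopySource=dict(location),
        ServerSideEncryption="aws:kms",
        SSEKMSKeyId=APPROVED_KEY,
        MetadataDirective="COPY",   # keep user metadata; tags are copied by default
    )
    if version_id:
        # The copy is a new version; the non-compliant version would otherwise linger.
        s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id)
    return "re-encrypted"


def handler(event, context=None, s3=None):
    """Lambda entry point for an EventBridge rule on source aws.s3 / Object Created."""
    if s3 is None:
        import boto3  # only needed when running in Lambda
        s3 = boto3.client("s3")
    detail = event["detail"]
    return remediate(s3, detail["bucket"]["name"], detail["object"]["key"],
                     detail["object"].get("version-id"))
```

The function's execution role needs s3:GetObject, s3:GetObjectVersion, s3:PutObject and s3:DeleteObjectVersion on the bucket plus kms:GenerateDataKey on APPROVED_KEY; if the SCP from the Q61 answer is in force, the copy must name the key explicitly exactly as shown or it will be denied like any other upload.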
Question67:
A healthcare organization stores sensitive electronic health records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging of all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs.
Answer:
B
Explanation:
Option A offers only partial protection. AWS managed keys provide encryption at rest, and SSL/TLS encrypts data in transit. However, granting developers full access violates least privilege, increasing the risk of unauthorised access and accidental or malicious data modification. The AWS managed aws/rds key is rotated automatically and its usage is logged, but its key policy cannot be edited, it cannot be shared with another account, and its rotation schedule cannot be changed, which is insufficient governance for data covered by HIPAA. Without automated credential rotation and centralised auditing, the risk of credential compromise remains high and operational oversight is limited.
Option B satisfies all security and compliance requirements. Customer-managed KMS keys give encryption at rest with a key policy the organisation controls, optional automatic rotation, and a CloudTrail record of every use of the key; encryption must be selected when the instance is created, and an unencrypted instance is migrated by copying a snapshot with encryption enabled and restoring from it. SSL/TLS protects data in transit from interception or tampering, and should be made mandatory server-side (rds.force_ssl on PostgreSQL, require_secure_transport on MySQL and MariaDB) so a misconfigured client cannot fall back to plaintext. IAM database authentication, available for MySQL, MariaDB and PostgreSQL, replaces passwords with 15-minute tokens authorised by rds-db:connect, so application roles hold no static credentials. AWS Secrets Manager rotates the static credentials that remain, such as the master user. CloudTrail records RDS API calls (control plane): instance and parameter changes, snapshot operations, security group updates. SQL-level activity is not in CloudTrail; it comes from the engine's audit log (pgAudit, the MariaDB Audit Plugin) published to CloudWatch Logs, and the two together cover "all database operations and configuration changes". Preventive and detective controls combined in this way meet the operational, security and compliance needs for sensitive healthcare data.
Option C, storing credentials in environment variables and relying on default encryption, exposes credentials to potential leaks, misconfigurations, or insider misuse. Default encryption alone does not enforce identity-based access control, credential rotation, or centralised audit logging. Option D, relying on point-in-time recovery and manual log review, is reactive and operationally intensive, failing to prevent unauthorised access or enforce encryption and rotation policies proactively.
Option B is the only solution that fully addresses preventive, detective, and corrective security requirements while meeting regulatory standards for sensitive healthcare data management.
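Added example, not part of the original page: the client-side half of the IAM database authentication the answer describes. It builds the least-privilege rds-db:connect policy (keyed on the instance's DbiResourceId, not its name), takes apart an auth token to show it is a 15-minute presigned request, and assembles a libpq DSN that refuses plaintext and verifies the server certificate. The account, resource ID, host and token signature are made up; the boto3 call is included for completeness and is not exercised offline.

```python
"""Added example (not from the original page): IAM database authentication from the
application side. Identifiers, account, host and the token signature are assumptions."""
from urllib.parse import parse_qs, urlparse


def connect_policy(region, account, dbi_resource_id, db_user):
    """Identity policy for the application role: one database, one database user.
    The resource uses the DbiResourceId from DescribeDBInstances, not the instance name."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account}:dbuser:{dbi_resource_id}/{db_user}",
        }],
    }


def inspect_token(token):
    """An RDS auth token is a SigV4-presigned URL without the scheme. Extract the fields
    worth logging when a connection is refused (user, endpoint, signing time, lifetime)."""
    parsed = urlparse("https://" + token)
    query = parse_qs(parsed.query)
    return {
        "host": parsed.hostname,
        "port": parsed.port,
        "db_user": query["DBUser"][0],
        "signed_at": query["X-Amz-Date"][0],
        "expires_in_s": int(query["X-Amz-Expires"][0]),
    }


def fetch_token(host, port, db_user, region):
    """Real token from boto3 (needs role credentials; not exercised offline). The token
    is computed locally from the caller's credentials; RDS validates it on connect."""
    import boto3
    return boto3.client("rds", region_name=region).generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=db_user, Region=region)


def dsn_for(host, port, db_user, token, dbname, ca_bundle="/opt/rds/global-bundle.pem"):
    """libpq DSN: the token goes in the password slot; verify-full pins the server
    certificate to the RDS CA bundle (the bundle path is an assumption)."""
    return (f"host={host} port={port} dbname={dbname} user={db_user} "
            f"password='{token}' sslmode=verify-full sslrootcert={ca_bundle}")


# Constructed token with the real field layout; the signature is a placeholder.
SAMPLE_TOKEN = (
    "ehr-prod.abcdefghijkl.us-east-1.rds.amazonaws.com:5432/?Action=connect&DBUser=app_reader"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240501%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240501T100000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000"
)

if __name__ == "__main__":
    info = inspect_token(SAMPLE_TOKEN)
    print(info)
    print(dsn_for(info["host"], info["port"], info["db_user"], SAMPLE_TOKEN, "ehr"))
```

On the database side the user must be enabled for IAM authentication (`GRANT rds_iam TO app_reader;` on PostgreSQL, or `CREATE USER app_reader IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';` on MySQL) and the instance must have IAM authentication switched on; a token for any other user or instance is rejected regardless of the IAM policy.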
Question68:
A financial organisation needs to store highly sensitive transactional data in Amazon S3 with requirements for immutability during a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A, enabling versioning, allows recovery of previous object versions but does not stop anyone holding s3:DeleteObjectVersion from permanently deleting them, nor a privileged user from suspending versioning. Relying on developers to enforce deletion policies introduces human error, insider threat and non-compliance. Versioning alone does not meet regulatory requirements for immutable storage or auditable operations.
Option B is the most robust solution. S3 Object Lock in compliance mode enforces WORM immutability: during the retention period no one, including administrators and the account root user, can delete the locked version or shorten the retention; it can only be extended. Object Lock requires versioning, so a DeleteObject without a version ID merely adds a delete marker and the data stays recoverable, while a delete of the version itself fails with AccessDenied. Bucket policies enforce least-privilege access, so only authorised personnel can write or manage objects, mitigating insider threats. CloudTrail provides a centralised audit trail of object-level operations once S3 data events are enabled on the trail (a default trail records management events only); refused deletion attempts then appear with the caller's identity, source IP and error code, which is the evidence a forensic review needs. Preventive controls (Object Lock, bucket policies) and detective controls (CloudTrail data events) together achieve operational security, regulatory compliance and accountability for highly sensitive financial data.
Option C, relying on separate backups and manual tracking, is reactive, labor-intensive, and error-prone. It does not prevent deletions at the source and may fail regulatory or compliance requirements. Option D, using SSE-S3 encryption with manual access management, protects confidentiality but does not enforce immutability or provide audit logs, leaving gaps in security and compliance.
Option B uniquely integrates immutability, access control, insider threat mitigation, and auditability, making it the optimal solution for sensitive transactional data storage.
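Added example, not part of the original page: detection logic for the CloudTrail S3 data events the answer says will capture deletion attempts, run over constructed records in the real CloudTrail field layout. Names, ARNs, IP addresses and the error text are made up. It separates the three things a DeleteObject can mean on a locked bucket (refused by Object Lock, a recoverable delete marker, a real version removal) and tallies refused attempts per principal, which is what distinguishes a mistake from someone probing the controls.

```python
"""Added example (not from the original page): triage of CloudTrail S3 data events on
a WORM bucket. Records are constructed in the real field layout; identities, IPs
and messages are assumptions."""
from collections import Counter

WATCHED = {"DeleteObject", "DeleteObjects", "PutObjectRetention", "PutObjectLegalHold",
           "PutBucketObjectLockConfiguration", "PutBucketVersioning", "PutBucketPolicy", "DeleteBucket"}


def classify(record):
    """Return (category, detail) for a record worth a second look, else None.
    Categories ending in '_blocked' are attempts the controls refused."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") not in WATCHED:
        return None
    name = record["eventName"]
    params = record.get("requestParameters") or {}
    failed = "errorCode" in record
    if name in ("DeleteObject", "DeleteObjects"):
        if failed:
            return ("delete_blocked", f"{record['errorCode']}: {record.get('errorMessage', '')}".strip())
        if params.get("versionId"):
            return ("version_deleted", "a specific version was permanently removed")
        return ("delete_marker", "current version hidden behind a delete marker; data is recoverable")
    if name in ("PutObjectRetention", "PutObjectLegalHold"):
        return ("retention_change_blocked" if failed else "retention_changed", name)
    return ("bucket_config_change_blocked" if failed else "bucket_config_change", name)


def triage(records):
    """Return (findings, blocked_attempts_per_principal)."""
    findings = []
    blocked_by = Counter()
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        category, detail = hit
        identity = rec.get("userIdentity", {})
        who = identity.get("arn") or identity.get("type")
        params = rec.get("requestParameters") or {}
        findings.append({"time": rec["eventTime"], "who": who, "ip": rec.get("sourceIPAddress"),
                         "bucket": params.get("bucketName"), "key": params.get("key"),
                         "category": category, "detail": detail})
        if category.endswith("_blocked"):
            blocked_by[who] += 1
    return findings, blocked_by


BUCKET = "ledger-worm-111122223333"
ADMIN = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"}
WRITER = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ledger-writer/ingest"}

# Constructed records: one normal write, then an admin trying to remove a locked version,
# a plain delete (marker only), a retention change, and an unrelated read.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T09:58:12Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": WRITER, "sourceIPAddress": "10.0.1.12",
     "requestParameters": {"bucketName": BUCKET, "key": "2024/05/txn-000001.json"}},
    {"eventTime": "2024-05-01T10:02:41Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": BUCKET, "key": "2024/05/txn-000001.json", "versionId": "k9x2.Qb7mZ"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied because object protected by object lock."},
    {"eventTime": "2024-05-01T10:03:05Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": BUCKET, "key": "2024/05/txn-000001.json"}},
    {"eventTime": "2024-05-01T10:04:30Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObjectRetention",
     "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": BUCKET, "key": "2024/05/txn-000001.json", "versionId": "k9x2.Qb7mZ"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": WRITER, "sourceIPAddress": "10.0.1.12",
     "requestParameters": {"bucketName": BUCKET, "key": "2024/05/txn-000001.json"}},
]

if __name__ == "__main__":
    findings, blocked = triage(SAMPLE_RECORDS)
    for f in findings:
        print(f["time"], f["category"], f["who"], f["detail"])
    print("blocked attempts per principal:", dict(blocked))
```

None of these records exist unless the trail's event selectors include S3 data events for the bucket; the "delete_marker" case in particular is silent in management-event-only logging even though it changes what readers see.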
Question69:
A healthcare organization processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal personnel or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted invocation and relies solely on logging. While logs can capture activity, they do not prevent unauthorised invocation, leaving Lambda functions vulnerable to misuse. Option C, storing secrets in environment variables, exposes sensitive data and does not provide access control, leaving the system susceptible to insider or accidental misuse. Option D, using API keys, relies on secrecy and developer discipline, which is prone to sharing, accidental leaks, or misuse, making it insufficient for sensitive healthcare data.
Option B provides a preventive control: a resource-based policy that grants lambda:InvokeFunction to the apigateway.amazonaws.com service principal, with an aws:SourceArn condition naming the approved API's execute-api ARN, so no other API, in this account or another, can invoke the function through that principal. It does not by itself stop principals in the same account whose identity policies grant lambda:InvokeFunction, so blocking direct invocation by internal personnel also requires that their IAM policies not grant the action on this function (or that an SCP deny it). CloudTrail records Invoke calls as data events, which must be switched on for the trail; every attempt, successful or AccessDenied, is then logged with the caller's identity for compliance, monitoring and forensic purposes. Preventive (resource-based and identity policies) and detective (CloudTrail) controls together give secure, auditable Lambda execution aligned with AWS best practices and regulatory requirements for sensitive healthcare data.
Question70:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials through environment variables, which can leak through logs or misconfigurations, and manual rotation is error-prone and operationally inefficient. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing, violating security best practices. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing risk of compromise.
Option B provides a secure, automated and auditable solution. SecureString parameters are encrypted with a KMS key (the default aws/ssm key or, better, a customer-managed key) and read access is governed by IAM on the parameter path together with kms:Decrypt on the key. IAM roles attached to the instances through instance profiles supply short-lived credentials, so nothing secret is written to disk; requiring IMDSv2 prevents credential theft through SSRF. One correction to the option's wording: Parameter Store has no built-in rotation. "Automated rotation" here means a scheduled job (for example EventBridge Scheduler invoking a Lambda function) that writes a new parameter version and updates the consuming API; where native scheduled rotation is required, AWS Secrets Manager provides it. CloudTrail logs every GetParameter and GetParameters call, and every KMS Decrypt they trigger, for centralised auditing, regulatory compliance and forensic analysis. Option B integrates preventive and detective controls for sensitive API access across multiple EC2 instances.
Question71:
A global enterprise needs to securely migrate and store critical customer data in Amazon S3. Security requirements include enforcement of encryption using customer-managed KMS keys across all AWS accounts and regions, prevention of unencrypted uploads, least-privilege access control for IAM roles, automated remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.
Answer:
B
Explanation:
Option A, enabling default SSE-S3 encryption, provides baseline encryption but relies on human intervention for everything else. SSE-S3 encrypts objects at rest, yet it does not enforce customer-managed KMS keys, which are what provide a controllable key policy, cross-account access decisions and per-key usage records in CloudTrail. Without enforcement, objects may end up under SSE-S3 or under an AWS managed key, neither of which offers the same governance. Human error can easily result in non-compliant uploads, leading to regulatory risk and exposure. SSE-S3 alone also provides no automated detection or remediation of non-compliant objects and no cross-account centralised audit logging, which multi-account, multi-region environments require. In a large enterprise, default encryption alone cannot meet operational, security or compliance objectives because the preventive, detective and corrective measures are incomplete.
Option B provides the most robust and compliant solution. SCPs at the AWS Organizations level deny s3:PutObject unless the request's s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id condition keys name SSE-KMS and the approved customer-managed key, so a non-compliant upload is rejected at the point of upload in every member account, whatever the caller's identity policy grants. Two practical limits: SCPs do not apply to principals outside the organization, so bucket policies must carry the same condition for external uploaders; and a request with no encryption header falls back to the bucket's default encryption, so the SCP should treat a missing header as a violation or every bucket default must be pinned to the approved key. Bucket policies enforce least-privilege access, restricting object uploads, modifications and reads to authorized IAM roles and mitigating insider threats. EventBridge rules on S3 Object Created events detect new objects in near real time; since the event does not include the encryption used, the remediation workflow calls HeadObject, then re-encrypts the object in place with the approved key, moves it to a quarantine bucket, or alerts administrators. Centralised CloudTrail logs consolidate S3 activity across accounts and regions into an auditable record for compliance reporting and forensic analysis, provided S3 data events are enabled on the organization trail and the log bucket is protected with log file validation and Object Lock. By integrating preventive (SCPs, bucket policies), detective (EventBridge, logging) and corrective (automated remediation) controls, this approach delivers operational efficiency, security and regulatory compliance at scale.
Option C, storing unencrypted objects temporarily and encrypting them manually later, is reactive, operationally intensive, and error-prone. Objects remain exposed between upload and manual encryption, increasing risk. Manual remediation is inconsistent, difficult to scale, and cannot provide real-time compliance assurance. Option D relies solely on developer discipline and periodic audits, which is insufficient in a complex enterprise environment. Human error, oversight, or intentional circumvention could lead to unencrypted data storage, and periodic audits cannot prevent security incidents in real-time.
Option B uniquely combines organization-wide enforcement, least-privilege access, automated remediation, and centralised auditing. This solution ensures that sensitive data remains encrypted, accessible only by authorized roles, and fully auditable across multiple accounts and regions, meeting enterprise-scale operational and regulatory requirements.
Question72:
A healthcare organization stores sensitive electronic health records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging of all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides partial protection. AWS managed keys encrypt data at rest and SSL/TLS encrypts data in transit, but granting developers full database access violates least privilege. The aws/rds key is rotated automatically and its use is logged, but its key policy cannot be edited and it cannot be shared with another account, which is too little control over key usage for HIPAA-regulated patient data. This approach also lacks automated credential rotation, so credentials may remain valid for extended periods, increasing exposure, and without centralised audit logging it is hard to track configuration changes or access events across instances.
Option B fully satisfies the security, operational and compliance requirements. Customer-managed KMS keys provide encryption at rest under a key policy the organisation controls, with optional automatic rotation and per-key CloudTrail records; encryption must be chosen when the instance is created, and an existing unencrypted instance is migrated through an encrypted snapshot copy. SSL/TLS protects data in transit and is made mandatory with rds.force_ssl (PostgreSQL) or require_secure_transport (MySQL, MariaDB). IAM database authentication, supported on MySQL, MariaDB and PostgreSQL, issues 15-minute tokens authorised by rds-db:connect, eliminating static credentials for application roles. AWS Secrets Manager rotates the static credentials that remain, such as the master user. CloudTrail logs the RDS API calls that make up configuration changes (instance, parameter group, security group and snapshot operations); the SQL-level operations themselves are captured by the engine's audit log (pgAudit or the MariaDB Audit Plugin) exported to CloudWatch Logs, and together they give the centralised audit the requirement asks for. Preventive controls (IAM policies, KMS encryption, mandatory TLS) and detective controls (CloudTrail and audit logs), with rotation limiting the lifetime of any leaked credential, keep patient records secure, auditable and compliant.
Option C, storing credentials in environment variables, exposes them to potential misuse and does not provide identity-based access control or automated rotation. Default encryption does not enforce least-privilege access or centralised logging, leaving gaps in compliance and security. Option D, relying on point-in-time recovery and manual log review, is reactive, labor-intensive, and insufficient for ensuring preventive security or compliance.
Option B is the only solution that comprehensively addresses preventive, detective, and corrective security measures while meeting healthcare regulatory mandates for sensitive data stored in Amazon RDS.
Question73:
A financial organization needs to store highly sensitive transactional data in Amazon S3 with strict requirements for immutability during a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A provides versioning, which allows recovery of previous object versions, but does not prevent deletion or modification by privileged users. Relying on developers introduces human error and insider threat risk. Versioning alone is insufficient to satisfy regulatory requirements for immutable storage or auditable operations.
Option B is the most robust solution. S3 Object Lock in compliance mode enforces WORM (write-once-read-many) immutability, preventing object modifications or deletions during the retention period, even by administrators. Bucket policies enforce least-privilege access, ensuring that only authorized personnel can manage or modify objects, mitigating insider threats. CloudTrail provides a centralised audit trail of all object-level operations, including attempts to delete or modify objects, ensuring regulatory compliance and enabling forensic investigations. This approach integrates preventive (Object Lock, bucket policies), detective (CloudTrail), and corrective mechanisms to achieve operational security, compliance, and accountability. Option B ensures that highly sensitive financial data is immutable, auditable, and secure against both accidental and malicious actions.
Option C, relying on separate backups and manual tracking, is reactive, labor-intensive, and error-prone. It does not prevent deletions at the source, and manual processes cannot meet regulatory compliance requirements consistently. Option D, using SSE-S3 encryption with manual access control, protects confidentiality but does not enforce immutability or provide auditability, leaving significant gaps in operational security and compliance.
Option B uniquely integrates preventive, detective, and corrective controls, meeting the stringent requirements for immutable storage, insider threat mitigation, and centralised auditing, making it the optimal solution for sensitive transactional data.
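As an added example (not part of the original explanation), the following Python models the Object Lock decisions this answer relies on: a bucket-level COMPLIANCE default retention in the shape PutObjectLockConfiguration accepts, and how a DeleteObjectVersion or a retention change is treated while retention is active. It goes beyond the page by also showing GOVERNANCE mode, which can be bypassed with s3:BypassGovernanceRetention, so the contrast with COMPLIANCE is visible; the dates, the bypass flag and the decision function itself are constructed simplifications, not S3's own code.

```python
from datetime import datetime

def object_lock_configuration(years: int) -> dict:
    """Bucket-level default retention in COMPLIANCE mode, in the shape that
    PutObjectLockConfiguration accepts; every new object version inherits it."""
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}},
    }

def delete_version_allowed(mode: str, retain_until: str, now: str,
                           bypass_governance: bool = False) -> tuple[bool, str]:
    """Decide whether DeleteObjectVersion succeeds on a locked object version.
    Dates are ISO-8601 strings with an offset. bypass_governance means the caller
    holds s3:BypassGovernanceRetention and sent the bypass header (simplified)."""
    if datetime.fromisoformat(now) >= datetime.fromisoformat(retain_until):
        return True, "retention period has expired"
    if mode == "COMPLIANCE":
        # Who the caller is never matters here: not even the account root user
        # can delete the version or shorten its retention before retain_until.
        return False, "COMPLIANCE: version is immutable until retain_until"
    if mode == "GOVERNANCE":
        if bypass_governance:
            return True, "GOVERNANCE: bypassed with s3:BypassGovernanceRetention"
        return False, "GOVERNANCE: bypass permission and header required"
    raise ValueError(f"unknown retention mode: {mode}")

def retention_change_allowed(mode: str, current_until: str, new_until: str,
                             bypass_governance: bool = False) -> tuple[bool, str]:
    """Whether PutObjectRetention may move the retain-until date."""
    if datetime.fromisoformat(new_until) >= datetime.fromisoformat(current_until):
        return True, "retention may always be kept or extended"
    if mode == "COMPLIANCE":
        return False, "COMPLIANCE: retention cannot be shortened"
    if bypass_governance:
        return True, "GOVERNANCE: shortened with bypass"
    return False, "GOVERNANCE: bypass permission and header required"
```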
Question74:
A healthcare organization processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted invocation and relies solely on logging. While logs capture activity, they do not prevent unauthorised invocations. Option C, storing secrets in environment variables, exposes sensitive information and provides no access control, leaving Lambda functions vulnerable to misuse. Option D, using API keys, relies on secrecy and developer discipline, which is prone to sharing, accidental leaks, or mismanagement, making it unsuitable for sensitive healthcare data processing.
Option B enforces preventive access control through resource-based policies, allowing invocation only from approved API Gateway principals. Unauthorized direct invocations are automatically blocked. CloudTrail logging captures all invocation events, successful or failed, providing centralised audit capabilities for regulatory compliance, monitoring, and forensic investigations. This solution integrates preventive (resource-based policies), detective (CloudTrail logging), and corrective controls, ensuring secure, auditable Lambda execution aligned with AWS best practices and healthcare compliance requirements.
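The resource-based policy described above, as an added example that is not part of the original page: the statement that `aws lambda add-permission` writes when given the API Gateway service principal and an execute-api source ARN, plus a simplified check of an invocation request against it. The function and API ARNs are constructed placeholders, the evaluator only models the function policy (identity-based policies held by principals in the same account are evaluated separately by IAM), and it is not Lambda's own authorization code.

```python
import fnmatch

# Constructed ARNs for this example (account id and API id are placeholders).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:process-patient-record"
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*/POST/records"

def api_gateway_invoke_statement(function_arn: str, execute_api_arn: str) -> dict:
    """Statement that `aws lambda add-permission` writes into the function policy
    when called with --principal apigateway.amazonaws.com --source-arn <api arn>."""
    return {
        "Sid": "AllowApprovedApiGatewayOnly",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": execute_api_arn}},
    }

POLICY = {"Version": "2012-10-17",
          "Statement": [api_gateway_invoke_statement(FUNCTION_ARN, API_ARN)]}

def invocation_allowed(policy: dict, principal: dict, source_arn: str = "") -> bool:
    """Simplified check of one InvokeFunction request against the function policy.
    principal is the caller's Principal block: {"Service": "..."} for an AWS
    service, {"AWS": "<role arn>"} for a direct call by an IAM principal.
    Only the resource-based policy is modelled; identity-based policies held by
    principals in the same account are evaluated separately by IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "lambda:InvokeFunction":
            continue
        if stmt["Principal"] != principal:
            continue  # a different service or an IAM principal: no matching grant
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if pattern and not fnmatch.fnmatchcase(source_arn, pattern):
            continue  # request came from a different API, stage, method or route
        return True
    return False
```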
Question75:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials in environment variables and relies on manual rotation, increasing the risk of leaks and operational overhead. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing the risk of compromise.
Option B provides a secure, automated, and auditable solution. Parameter Store SecureString parameters encrypt credentials and restrict access based on IAM roles. Assigning roles to EC2 instances enforces least-privilege access, ensuring only authorized instances can retrieve secrets. Automated rotation reduces exposure risk and simplifies operational management. CloudTrail logs all access events, enabling centralised auditing, compliance monitoring, and forensic investigation. This approach integrates preventive, detective, and corrective controls, providing security, operational efficiency, and regulatory compliance for sensitive API access across multiple EC2 instances.
Security Risks of Using Environment Variables
Option A, which involves storing API keys in environment variables and rotating them manually, exposes the organization to multiple security and operational risks. Environment variables are convenient for developers because they can be accessed directly by applications at runtime without embedding secrets into the code. However, this convenience comes at a cost. Environment variables can be inadvertently exposed through system logs, error messages, or debugging sessions. For instance, if an application crashes or logs its environment during troubleshooting, sensitive API keys may be printed in plaintext. This creates an opportunity for malicious actors or careless internal personnel to gain access to critical credentials. Moreover, environment variables are often accessible to all processes running under the same operating system user, which increases the potential attack surface.
Manual rotation of API keys adds another layer of risk. Administrators are responsible for remembering to rotate credentials regularly and ensuring that all systems using the keys are updated simultaneously. This process is prone to human error. Some instances may not be updated promptly, leaving credentials valid longer than intended. If a compromised key is not rotated quickly, the window of opportunity for an attacker to exploit it remains open. From an operational perspective, managing manual rotation across a large fleet of EC2 instances can be time-consuming and inconsistent, creating gaps in security coverage and increasing compliance risk.
Insecurity of Hard-Coded Credentials
Option C, which involves hard-coding credentials directly into application code running on EC2 instances, is widely regarded as a dangerous practice in modern security frameworks. Hard-coded credentials are effectively permanent unless the code is updated and redeployed. This introduces long-lived exposure, which is highly risky if credentials are accidentally leaked through source code repositories, backups, or deployment artifacts. Even in environments with controlled access, the risk of insider misuse or accidental disclosure remains significant.
Hard-coded credentials are also extremely difficult to rotate. Changing credentials requires developers to modify the code, rebuild applications, and redeploy them across all instances using the credentials. This introduces operational overhead and potential downtime, making rotation infrequent or inconsistent. In addition, auditing and monitoring hard-coded credentials are complicated because there is no centralised access control. Tracking who accessed the credentials and when is nearly impossible without additional mechanisms, which violates the principles of least privilege and accountability. For organizations with regulatory obligations, such as PCI DSS, HIPAA, or GDPR, this approach can result in non-compliance due to the inability to demonstrate secure and auditable access control.
Limitations of Long-Lived IAM User Credentials
Option D, which relies on long-lived IAM user credentials for each EC2 instance, introduces operational and security challenges. IAM user credentials are designed for human access, not automated workloads. Using them for EC2 instances creates several problems. Long-lived credentials are difficult to rotate, and if compromised, they can remain valid for extended periods. Managing large numbers of IAM users for automated access adds complexity and increases the likelihood of mismanagement or errors.
Auditing becomes cumbersome with long-lived credentials. It is difficult to tie specific actions back to individual workloads, as all activity performed by the IAM user appears under a single identity. Additionally, long-lived credentials are more likely to be shared or embedded in configuration files to facilitate automation, further increasing the risk of exposure. This approach violates modern security best practices that emphasise centralised access control, automated credential management, and least-privilege enforcement.
Benefits of Using Parameter Store SecureString Parameters
Option B provides a highly secure, automated, and auditable solution for managing API credentials on EC2 instances. AWS Systems Manager Parameter Store allows credentials to be stored as SecureString parameters, which are encrypted using AWS Key Management Service (KMS). Encryption ensures that credentials are protected at rest and during transit, preventing unauthorised access. SecureString parameters also support fine-grained access control through IAM policies, allowing organizations to restrict which roles or users can retrieve specific credentials.
Assigning IAM roles to EC2 instances enforces least-privilege access. Only instances with the appropriate role can retrieve the secrets, eliminating the need to distribute static credentials across systems. This reduces the risk of accidental exposure or unauthorised access by internal personnel. Roles can be updated centrally to grant or revoke access, providing flexibility and operational efficiency while maintaining strict security boundaries.
Automated Rotation and Risk Mitigation
A key feature of Parameter Store is automated secret rotation. Automated rotation ensures that credentials are periodically updated without requiring manual intervention. This reduces the window of exposure if a credential is compromised and eliminates human error associated with manual rotation. Applications can seamlessly retrieve the updated secrets at runtime, maintaining uninterrupted operations. This automation supports operational scalability, as administrators do not need to manually rotate and distribute credentials across potentially hundreds or thousands of EC2 instances.
Centralised Auditing and Compliance
CloudTrail integration provides centralised logging of all interactions with Parameter Store. Every request to retrieve, modify, or rotate a secret is recorded with details about the principal making the request, the time of access, and the resource involved. This centralised audit trail supports forensic investigation in case of suspicious activity, enables monitoring for unauthorised access attempts, and provides evidence for regulatory compliance. Organisations can demonstrate adherence to security policies and regulatory requirements by showing a clear, auditable record of how sensitive credentials are accessed and managed.
Integration of Preventive, Detective, and Corrective Controls
Option B integrates all three core types of security controls. Preventive controls are enforced through IAM role assignments and KMS encryption, ensuring unauthorised users cannot access secrets. Detective controls are provided through CloudTrail logging, which enables monitoring and alerts for anomalous access patterns. Corrective controls are enabled because administrators can rotate compromised credentials immediately and investigate access logs to identify and remediate potential security incidents. This layered approach ensures comprehensive protection, accountability, and resilience against both internal and external threats.
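The CloudTrail audit trail and the detective control described in the two passages above, as an added example that is not part of the original page: a small detector run over constructed Parameter Store records (the role names, account id and parameter path are placeholders) that flags secret reads by unapproved principals, denied attempts on the protected path, and modifications made outside the rotation role.

```python
import json

# Constructed values (none from the page): the instance role allowed to read the
# secret, the role that rotates it, the protected path, and ARN prefixes.
APPROVED_READERS = {"ApiClientRole"}
ROTATION_ROLES = {"SecretRotationRole"}
SECRET_PREFIX = "/prod/internal-api/"
READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}
WRITE_EVENTS = {"PutParameter", "DeleteParameter"}
STS = "arn:aws:sts::123456789012:assumed-role/"
IAM = "arn:aws:iam::123456789012:user/"

def record(event_name: str, identity_arn: str, param: str, error: str = "") -> str:
    ev = {"eventSource": "ssm.amazonaws.com", "eventName": event_name,
          "userIdentity": {"arn": identity_arn},
          "requestParameters": {"name": param, "withDecryption": True}}
    if error: ev["errorCode"] = error
    return json.dumps(ev)

SAMPLE_EVENTS = [  # constructed CloudTrail records, one JSON document per line
    record("GetParameter", STS + "ApiClientRole/i-0a1b2c3d", SECRET_PREFIX + "api-key"),
    record("GetParameter", IAM + "alice", SECRET_PREFIX + "api-key"),
    record("GetParameter", STS + "ReadOnlyAuditor/s1", SECRET_PREFIX + "api-key", "AccessDenied"),
    record("PutParameter", STS + "SecretRotationRole/rot", SECRET_PREFIX + "api-key"),
    record("PutParameter", IAM + "alice", SECRET_PREFIX + "api-key"),
    record("GetParameter", IAM + "alice", "/dev/feature-flags/beta"),
]

def principal_name(arn: str) -> str:
    """Role name for assumed-role sessions, otherwise the last ARN segment."""
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/")[1].split("/")[0]
    return arn.rsplit("/", 1)[-1]

def audit_parameter_access(lines) -> list:
    """Return (severity, eventName, principal, reason) for each suspicious event."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        param = ev.get("requestParameters", {}).get("name", "")
        if ev.get("eventSource") != "ssm.amazonaws.com" or not param.startswith(SECRET_PREFIX):
            continue
        who, name = principal_name(ev["userIdentity"]["arn"]), ev["eventName"]
        if ev.get("errorCode") == "AccessDenied":
            findings.append(("medium", name, who, "denied attempt on protected parameter"))
        elif name in READ_EVENTS and who not in APPROVED_READERS:
            findings.append(("high", name, who, "secret read by unapproved principal"))
        elif name in WRITE_EVENTS and who not in ROTATION_ROLES:
            findings.append(("high", name, who, "secret changed outside the rotation role"))
    return findings
```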
Operational Efficiency and Scalability
Using Parameter Store with IAM roles improves operational efficiency and scalability. Secrets are centrally managed, reducing duplication and simplifying access control. Updating or revoking access can be performed centrally without requiring redeployment of applications. EC2 instances can dynamically retrieve secrets at runtime, minimising operational disruption and ensuring consistency across environments. This approach scales seamlessly across large fleets of instances, supporting enterprise-level deployments while maintaining security and compliance standards.