Amazon AWS Certified Security — Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 6 Q76-90
Question76:
A multinational enterprise plans to migrate highly sensitive financial data to Amazon S3. Security requirements mandate that all objects must be encrypted with customer-managed KMS keys, unencrypted uploads must be blocked, least-privilege access must be enforced, non-compliant objects must be automatically remediated, and centralised audit logging must be available across all accounts and regions. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption and rely on developers to enforce proper encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.
Answer:
B
Explanation:
Option A provides default SSE-S3 encryption, which ensures objects are encrypted at rest. However, relying on developers to enforce encryption policies introduces substantial risk. SSE-S3 cannot enforce customer-managed KMS keys, which are critical for fine-grained access control, key rotation, and auditability. Human error can easily result in objects being uploaded unencrypted or with incorrect permissions, leaving sensitive data exposed. SSE-S3 alone also lacks the ability to automatically detect or remediate non-compliant objects, and it does not provide centralised audit logging across multiple accounts or regions. In enterprise-scale environments, reliance on default encryption and manual enforcement is insufficient to meet regulatory compliance, operational efficiency, or security best practices.
Option B provides the most comprehensive and robust solution. SCPs applied across AWS Organizations enforce preventive policies, denying S3 PutObject requests that do not utilize the approved customer-managed KMS key. This ensures consistent encryption across all accounts and regions, preventing policy violations at the point of upload. Bucket policies restrict access to authorized IAM roles only, enforcing least-privilege access and mitigating the risk of insider threats. EventBridge rules detect non-compliant objects in near real-time and trigger automated remediation workflows, which may include encrypting the objects with the approved KMS key, moving them to a quarantine location, or notifying administrators. Consolidated CloudTrail logs provide centralised, immutable auditing of all object operations across accounts and regions, supporting forensic investigation, compliance reporting, and operational transparency. By integrating preventive, detective, and corrective controls, Option B ensures operational efficiency, comprehensive security, and compliance at scale.
Option C, storing unencrypted objects temporarily and encrypting them manually later, is reactive, error-prone, and labor-intensive. Objects remain exposed during the interval before encryption, increasing the risk of unauthorised access or regulatory non-compliance. Option D, relying solely on developer discipline and periodic audits, is inadequate in multi-account, multi-region environments, as human error or intentional circumvention can result in unencrypted data storage, and periodic audits cannot prevent real-time security incidents.
Option B uniquely combines preventive enforcement, least-privilege access, automated remediation, and centralised auditing, making it the optimal solution for enterprise-scale secure S3 deployments.
Question77:
A healthcare organization stores highly sensitive electronic health records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging for all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides partial protection. AWS-managed keys provide encryption at rest, and SSL/TLS encrypts data in transit, but granting developers full access violates the principle of least privilege. AWS-managed keys do not allow fine-grained control or detailed auditing of key usage. Without automated credential rotation and centralised logging, credentials remain static and may be compromised over time. Furthermore, monitoring and auditing of database access and configuration changes are limited, making compliance with healthcare regulations such as HIPAA challenging.
Option B fully satisfies all security, operational, and compliance requirements. Customer-managed KMS keys allow encryption at rest with detailed access control, rotation, and audit logging. SSL/TLS ensures secure data transmission, preventing interception or tampering. IAM database authentication eliminates static credentials, enforcing identity-based access control and least-privilege principles. AWS Secrets Manager automates credential rotation, reducing operational overhead and mitigating risks associated with long-lived credentials. CloudTrail logging captures all database operations and configuration changes, enabling centralised auditing, regulatory compliance, and forensic investigation. This solution integrates preventive (IAM policies, KMS encryption), detective (CloudTrail logging), and corrective (automated rotation) controls, ensuring sensitive health records are secure, auditable, and compliant.
Option C, storing credentials in environment variables, exposes sensitive information and does not enforce identity-based access or automated rotation. Default encryption alone does not provide fine-grained access control or auditing. Option D, relying on point-in-time recovery and manual log review, is reactive, labor-intensive, and does not enforce preventive or automated security controls.
Option B is the only solution that fully meets preventive, detective, and corrective security requirements while maintaining compliance with healthcare regulations.
Question78:
A financial organization must store highly sensitive transactional data in Amazon S3 with requirements for immutability during a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A enables versioning, allowing recovery of previous object versions, but it does not prevent deletions or modifications by privileged users. Relying on developers introduces human error and insider threat risk. Versioning alone is insufficient to satisfy regulatory requirements for immutable storage or auditable operations.
Option B is the most robust solution. S3 Object Lock in compliance mode enforces WORM (write-once-read-many) immutability, preventing modification or deletion during the retention period, even by administrators. Bucket policies enforce least-privilege access, ensuring only authorized personnel can manage or modify objects, mitigating insider threats. CloudTrail logging provides a centralised audit trail of all object-level operations, including deletion attempts, supporting regulatory compliance and forensic investigation. This approach integrates preventive (Object Lock, bucket policies), detective (CloudTrail), and corrective mechanisms to ensure operational security, compliance, and accountability. Option B ensures that sensitive financial data is immutable, auditable, and protected from both accidental and malicious actions.
Option C, relying on separate backups and manual tracking, is reactive, labor-intensive, and error-prone. Manual processes cannot consistently prevent deletions or satisfy compliance requirements. Option D, using SSE-S3 with manual access management, protects confidentiality but does not enforce immutability or provide auditing, leaving security and compliance gaps.
Option B uniquely integrates preventive, detective, and corrective controls, satisfying stringent immutability, insider threat mitigation, and audit requirements.
Question79:
A healthcare organization processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted invocation and relies solely on logging. While logs capture activity, they do not prevent unauthorised invocations, leaving Lambda functions vulnerable. Option C, storing secrets in environment variables, exposes sensitive information and does not provide access control, leaving functions susceptible to misuse. Option D, using API keys, relies on secrecy and developer discipline, which is prone to accidental leaks, sharing, or mismanagement, making it unsuitable for sensitive healthcare workloads.
Option B enforces preventive access control through resource-based policies, restricting invocation to approved API Gateway principals. Unauthorized direct invocations are automatically blocked. CloudTrail logging captures all invocation events, successful or failed, providing centralised audit capabilities for compliance, monitoring, and forensic investigations. This solution integrates preventive (resource-based policies), detective (CloudTrail logging), and corrective controls, ensuring secure and auditable Lambda execution in alignment with AWS best practices and regulatory requirements.
Question80:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials through environment variables and relies on manual rotation, increasing risk of leaks and operational burden. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing the likelihood of compromise.
Option B provides a secure, automated, and auditable solution. Parameter Store SecureString parameters encrypt credentials and enforce access control. Assigning IAM roles to EC2 instances ensures least-privilege access, limiting secret retrieval to authorized instances. Automated rotation reduces exposure risk and operational overhead. CloudTrail logging captures all access events, supporting centralised auditing, regulatory compliance, and forensic analysis. By integrating preventive, detective, and corrective controls, Option B ensures secure, auditable, and operationally efficient access to sensitive APIs across EC2 instances.
Question81:
A global enterprise is migrating sensitive customer data to Amazon S3 across multiple AWS accounts and regions. Security requirements include enforcement of encryption using customer-managed KMS keys, prevention of unencrypted uploads, least-privilege access for IAM roles, automated remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.
Answer:
B
Explanation:
Option A provides default SSE-S3 encryption, which ensures that objects are encrypted at rest; however, it relies heavily on developers to enforce encryption policies. SSE-S3 does not allow enforcement of customer-managed KMS keys, which are critical for granular access control, auditability, and rotation management. Human error can easily result in unencrypted uploads or objects encrypted with the wrong key, leaving sensitive data exposed. SSE-S3 alone also lacks automated detection or remediation mechanisms for non-compliant objects and does not offer centralised audit logging across multiple accounts or regions. In enterprise-scale deployments, relying solely on default encryption and manual enforcement is insufficient to ensure operational security and regulatory compliance.
Option B provides a robust, comprehensive solution. SCPs applied at the AWS Organizations level enforce organization-wide preventive policies, denying S3 PutObject requests that do not use the approved customer-managed KMS key. Bucket policies enforce least-privilege access, allowing only authorized IAM roles to perform operations on objects, mitigating insider threats. EventBridge rules detect non-compliant uploads and trigger automated remediation, such as encrypting the object with the correct KMS key, moving it to a quarantine location, or notifying administrators. Centralized CloudTrail logs consolidate object-level operations across accounts and regions, enabling auditability and forensic investigation. By integrating preventive (SCPs, bucket policies), detective (EventBridge monitoring), and corrective (automated remediation) controls, Option B ensures comprehensive security, operational efficiency, and compliance with regulatory standards.
Option C, storing unencrypted objects temporarily and encrypting them manually later, is reactive, error-prone, and operationally intensive. Objects remain exposed during the period before encryption, increasing risk. Option D relies solely on developer discipline and periodic audits, which is insufficient for multi-account, multi-region deployments. Human error or malicious activity can result in non-compliant uploads, and periodic audits do not prevent real-time security incidents.
Option B uniquely combines preventive enforcement, least-privilege access, automated remediation, and centralised audit logging, making it the optimal solution for enterprise-scale S3 security.
Question82:
A healthcare organization stores sensitive electronic health records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging for all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides partial protection. While AWS-managed keys encrypt data at rest and SSL/TLS secures data in transit, granting developers full access violates the principle of least privilege. AWS-managed keys do not provide detailed access controls or audit capabilities for key usage. Additionally, without automated credential rotation, static credentials are vulnerable to compromise. Centralized audit logging is also absent, limiting operational visibility and regulatory compliance. In healthcare environments, HIPAA and other regulations require comprehensive control over sensitive data, including encryption, access management, and auditing, which Option A does not fully provide.
Option B is fully compliant with all security, operational, and regulatory requirements. Customer-managed KMS keys enforce encryption at rest, with granular access control, key rotation, and audit logging. SSL/TLS protects data in transit, preventing interception or tampering. IAM database authentication ensures identity-based access control, eliminating static credentials and enforcing least-privilege principles. AWS Secrets Manager automates credential rotation, reducing operational overhead and mitigating the risk of credential compromise. CloudTrail logging captures all database operations and configuration changes, enabling centralised auditing, regulatory compliance, and forensic investigation. Option B integrates preventive (KMS encryption, IAM policies), detective (CloudTrail logging), and corrective (automated rotation) controls, ensuring the security and compliance of sensitive healthcare data.
Option C, storing credentials in environment variables and relying on default encryption, exposes credentials to risk and lacks automated rotation and centralised audit capabilities. Option D, relying on point-in-time recovery and manual log review, is reactive and labor-intensive, insufficient for proactive security and regulatory compliance.
Option B uniquely satisfies all preventive, detective, and corrective requirements, ensuring secure, auditable, and compliant management of sensitive electronic health records.
Question83:
A financial organization needs to store highly sensitive transactional data in Amazon S3 with requirements for immutability during a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A, enabling versioning, allows recovery of previous object versions but does not prevent deletions or modifications by privileged users. Relying on developers to prevent deletion introduces human error and insider threat risks. Versioning alone does not satisfy regulatory requirements for immutable storage or auditable operations.
Option B is the most secure and compliant solution. S3 Object Lock in compliance mode enforces WORM (write-once-read-many) immutability, preventing modifications or deletions of objects during the retention period, even by administrators. Bucket policies enforce least-privilege access, ensuring that only authorized personnel can manage or modify objects, mitigating insider threats. CloudTrail logging captures all object-level operations, including deletion attempts, providing centralised auditing and supporting regulatory compliance and forensic investigation. This solution combines preventive (Object Lock, bucket policies), detective (CloudTrail), and corrective mechanisms, ensuring operational security, regulatory compliance, and accountability. Option B ensures that highly sensitive financial data remains immutable, auditable, and protected from accidental or malicious actions.
Option C, maintaining separate backups and manually tracking deletions, is reactive, error-prone, and operationally intensive. Manual processes cannot prevent deletion at the source and may fail regulatory or compliance requirements. Option D, using SSE-S3 encryption with manual access management, protects confidentiality but does not enforce immutability or provide audit capabilities, leaving critical gaps in security and compliance.
Option B uniquely integrates preventive, detective, and corrective controls, meeting stringent immutability, insider threat mitigation, and audit requirements.
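The Object Lock behaviour that Questions 78, 83 and 88 rely on, as an added example (not code from this page or from AWS): a small model of the retention rules, showing that under COMPLIANCE mode neither a versioned delete nor a shortened retention date succeeds for any principal, including root. It goes one step beyond the questions by also modelling GOVERNANCE mode, where a principal holding s3:BypassGovernanceRetention can override the lock; principals, keys and dates are constructed.

```python
"""Model of S3 Object Lock retention semantics (constructed example).
Only the rules that matter for the questions are modelled: versioned
deletes, retention changes and legal holds."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

BYPASS = "s3:BypassGovernanceRetention"


@dataclass
class LockedVersion:
    key: str
    version_id: str
    mode: Optional[str] = None            # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


@dataclass
class Principal:
    arn: str
    permissions: Set[str] = field(default_factory=set)  # IAM actions granted


def retention_active(v: LockedVersion, now: datetime) -> bool:
    return v.retain_until is not None and now < v.retain_until


def delete_version(v, principal, now, bypass_governance=False):
    """Permanent deletion of one version (DeleteObject with versionId).
    Returns (allowed, reason).  A DeleteObject without a versionId only adds
    a delete marker and never removes data, so the versioned delete is the
    operation worth modelling."""
    if v.legal_hold:
        return False, "legal hold in effect"
    if not retention_active(v, now):
        return True, "retention period expired"
    if v.mode == "COMPLIANCE":
        # No principal, root included, can bypass or shorten compliance retention.
        return False, "COMPLIANCE retention until " + v.retain_until.isoformat()
    if v.mode == "GOVERNANCE":
        # Bypass needs both the IAM permission and the explicit bypass flag
        # (the x-amz-bypass-governance-retention header on the request).
        if bypass_governance and BYPASS in principal.permissions:
            return True, "governance retention bypassed by " + principal.arn
        return False, "GOVERNANCE retention in effect; bypass not used or not permitted"
    return True, "no retention configured"


def put_retention(v, principal, now, new_mode, new_until, bypass_governance=False):
    """PutObjectRetention.  Under COMPLIANCE the date can only be extended
    and the mode cannot change; under GOVERNANCE shortening needs bypass.
    Mutates v on success and returns (allowed, reason)."""
    if v.mode == "COMPLIANCE" and retention_active(v, now):
        if new_mode != "COMPLIANCE" or new_until < v.retain_until:
            return False, "COMPLIANCE retention can only be extended"
    elif v.mode == "GOVERNANCE" and retention_active(v, now):
        if new_until < v.retain_until and not (bypass_governance and BYPASS in principal.permissions):
            return False, "shortening GOVERNANCE retention requires bypass permission"
    v.mode, v.retain_until = new_mode, new_until
    return True, "retention updated"


def demo():
    """Run the scenarios from the question with constructed values and
    return the allow/deny outcome of each."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    root = Principal("arn:aws:iam::111122223333:root", {"s3:*", BYPASS})
    tx = LockedVersion("ledger/2024-q4.csv", "v1", "COMPLIANCE", now + timedelta(days=7 * 365))
    gov = LockedVersion("staging/report.csv", "v2", "GOVERNANCE", now + timedelta(days=30))
    return {
        "root_delete_during_compliance": delete_version(tx, root, now, bypass_governance=True)[0],
        "shorten_compliance": put_retention(tx, root, now, "COMPLIANCE", now + timedelta(days=365))[0],
        "extend_compliance": put_retention(tx, root, now, "COMPLIANCE", now + timedelta(days=10 * 365))[0],
        "delete_after_expiry": delete_version(tx, root, tx.retain_until + timedelta(days=1))[0],
        "governance_delete_without_bypass": delete_version(gov, root, now)[0],
        "governance_delete_with_bypass": delete_version(gov, root, now, bypass_governance=True)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:36s} {'ALLOW' if allowed else 'DENY'}")
```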
Question84:
A healthcare organization processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted invocation and relies solely on logging. While logs capture activity, they do not prevent unauthorised invocations, leaving Lambda functions vulnerable. Option C, storing secrets in environment variables, exposes sensitive information and provides no access control, leaving Lambda functions susceptible to misuse. Option D, relying on API keys, depends on secrecy and developer discipline, which is prone to accidental leaks, sharing, or mismanagement.
Option B enforces preventive access control through resource-based policies, allowing invocation only from approved API Gateway principals. Unauthorized direct invocations are automatically blocked. CloudTrail logging captures all invocation events, successful or failed, providing centralised audit capabilities for compliance, monitoring, and forensic investigation. By integrating preventive (resource-based policies), detective (CloudTrail), and corrective controls, Option B ensures secure and auditable Lambda execution aligned with AWS best practices and regulatory requirements for sensitive healthcare workloads.
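The control described in Questions 79 and 84, as an added example (not code from this page or from AWS): it builds the resource-based policy that restricts lambda:InvokeFunction to the API Gateway service principal acting for one approved API, and then triages constructed CloudTrail-style Lambda Invoke records to separate approved invocations from blocked direct attempts and from direct invocations that succeeded. Function and API ARNs, the account id and all records are constructed.

```python
"""Lambda resource policy plus CloudTrail triage (constructed example)."""

# Placeholder ARNs for the function and the approved execute-api stage/route.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:patient-intake"
API_ARN = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/POST/patients"
APIGW_SERVICE = "apigateway.amazonaws.com"


def invoke_policy(function_arn, api_arn):
    """Resource-based policy for the function: only the API Gateway service
    principal may invoke it, and only on behalf of api_arn.  Without the
    SourceArn condition any API in any account could invoke the function."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyApprovedApiGateway",
            "Effect": "Allow",
            "Principal": {"Service": APIGW_SERVICE},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {"ArnLike": {"AWS:SourceArn": api_arn}},
        }],
    }


# Constructed records in the shape of CloudTrail Lambda Invoke data events
# (these are data events, so CloudTrail must be configured to record them).
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "AWSService", "invokedBy": APIGW_SERVICE},
     "sourceIPAddress": APIGW_SERVICE,
     "requestParameters": {"functionName": FUNCTION_ARN}},
    {"eventID": "e2", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"functionName": FUNCTION_ARN},
     "errorCode": "AccessDeniedException"},
    {"eventID": "e3", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/batch/i-0abc"},
     "sourceIPAddress": "10.0.4.7",
     "requestParameters": {"functionName": FUNCTION_ARN}},
    {"eventID": "e4", "eventSource": "lambda.amazonaws.com", "eventName": "GetFunction",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"functionName": FUNCTION_ARN}},
]


def triage_invocations(records, function_arn):
    """Classify Invoke events for one function.  'approved' came through
    API Gateway; 'blocked' were direct attempts rejected with an error;
    'succeeded_direct' were direct invocations that went through, meaning
    some identity-based or resource-based allow still permits them and the
    path should be investigated."""
    out = {"approved": [], "blocked": [], "succeeded_direct": []}
    for r in records:
        if r.get("eventSource") != "lambda.amazonaws.com" or r.get("eventName") != "Invoke":
            continue
        if r.get("requestParameters", {}).get("functionName") != function_arn:
            continue
        if r.get("userIdentity", {}).get("invokedBy") == APIGW_SERVICE:
            out["approved"].append(r["eventID"])
        elif r.get("errorCode"):
            out["blocked"].append(r["eventID"])
        else:
            out["succeeded_direct"].append(r["eventID"])
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(invoke_policy(FUNCTION_ARN, API_ARN), indent=2))
    print(triage_invocations(SAMPLE_RECORDS, FUNCTION_ARN))
```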
Question85:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials in environment variables and relies on manual rotation, increasing risk of leaks and operational overhead. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing the likelihood of compromise.
Option B provides a secure, automated, and auditable solution. Parameter Store SecureString parameters encrypt credentials and enforce access controls. Assigning IAM roles to EC2 instances enforces least-privilege access, allowing only authorized instances to retrieve secrets. Automated rotation reduces exposure risk and operational complexity. CloudTrail logs all access events, supporting centralised auditing, compliance monitoring, and forensic analysis. By integrating preventive, detective, and corrective controls, Option B ensures secure, auditable, and operationally efficient access to sensitive APIs across EC2 instances.
Question86:
A multinational financial institution plans to migrate critical customer transaction data to Amazon S3 across multiple AWS accounts and regions. Security requirements include enforcement of encryption using customer-managed KMS keys, prevention of unencrypted uploads, least-privilege access for IAM roles, automated remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.
Answer:
B
Explanation:
Option A, enabling default SSE-S3 encryption, provides basic encryption at rest but relies on developer discipline to ensure compliance with enterprise security policies. Default SSE-S3 does not enforce the use of customer-managed KMS keys, which provide additional features such as key rotation, fine-grained access control, and detailed audit logging. Relying on developers alone introduces significant operational risk. Human error or negligence can lead to unencrypted data being uploaded, exposing sensitive financial information to unauthorised access or regulatory non-compliance. Moreover, SSE-S3 does not provide mechanisms for detecting or remediating non-compliant uploads in real-time, nor does it offer centralised auditing across multiple accounts and regions. This approach lacks the preventive, detective, and corrective controls necessary for large-scale enterprise deployments with stringent regulatory requirements.
Option B provides a robust, scalable, and compliant solution. Service Control Policies (SCPs) applied at the AWS Organizations level enforce preventive policies, denying S3 PutObject requests unless the approved customer-managed KMS key is used. This ensures that all objects across all accounts and regions are encrypted with the correct key at the time of upload. Bucket policies further enforce least-privilege access, allowing only authorized IAM roles to perform operations, mitigating insider threats. EventBridge rules provide real-time monitoring to detect unencrypted objects or policy violations and trigger automated remediation workflows. Automated remediation can include encrypting the object with the approved KMS key, moving non-compliant objects to a quarantine bucket, or sending notifications to administrators for manual intervention. Consolidated CloudTrail logs capture all object-level operations, access attempts, and policy violations, providing centralised, immutable auditing across accounts and regions. This integrated approach aligns with AWS best practices for preventive, detective, and corrective controls, ensuring operational efficiency, security, and regulatory compliance.
Option C, storing unencrypted objects temporarily and encrypting them manually later, is reactive and error-prone. Objects remain exposed during the interim, increasing the risk of unauthorised access or data loss. Manual remediation does not scale well for enterprise deployments and cannot guarantee timely compliance. Option D, relying solely on developer discipline and periodic audits, is insufficient in complex multi-account, multi-region environments. Human error, oversight, or malicious behavior can result in non-compliant data storage, and periodic audits do not prevent real-time security incidents.
Option B is the only approach that comprehensively addresses preventive, detective, and corrective security controls while ensuring compliance, scalability, and centralised audit capabilities for enterprise S3 deployments.
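The SCP at the heart of option B in Questions 76, 81 and 86, as an added example (not code from this page or from AWS): the policy document as it would be attached in AWS Organizations, together with a small model of the IAM evaluation rules it depends on, so the deny behaviour can be exercised offline against different upload headers. The KMS key ARN and account id are placeholders; the evaluator covers only the operators the SCP uses.

```python
"""SCP that denies s3:PutObject unless the approved customer-managed KMS
key is used, plus a minimal evaluator (constructed example, not AWS code)."""

APPROVED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

# S3 condition keys that S3 populates from the PutObject request headers.
SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# SCPs never grant permissions, they only restrict, so both statements are
# explicit denies.  Resource "*" is not evaluated by this model.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny uploads that do not ask for SSE-KMS at all: no header,
            # or SSE-S3 (AES256).
            "Sid": "DenyUnlessSSEKMS",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
        },
        {   # Deny SSE-KMS uploads naming another key or no key at all (with no
            # key id S3 would fall back to the AWS-managed aws/s3 key).
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"StringNotEquals": {KMS_ID_KEY: APPROVED_KEY_ARN}},
        },
    ],
}

HEADER_TO_KEY = {
    "x-amz-server-side-encryption": SSE_KEY,
    "x-amz-server-side-encryption-aws-kms-key-id": KMS_ID_KEY,
}


def request_context(headers):
    """Map the HTTP headers of an upload to the IAM condition keys.  Only the
    headers actually sent appear in the context; bucket default encryption
    does not add them, which is why clients must send them explicitly."""
    return {HEADER_TO_KEY[h.lower()]: v for h, v in headers.items()
            if h.lower() in HEADER_TO_KEY}


def condition_matches(condition, context):
    """IAM semantics: every operator/key pair must match (logical AND).
    A negated operator such as StringNotEquals matches when the key is absent
    from the context; that is what turns a missing header into a denial."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def scp_allows(policy, action, context):
    """Return (passes_scp, matching_sid).  Any matching Deny wins; a request
    that passes the SCP still needs an Allow from IAM or a bucket policy."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        if stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), context):
            return False, stmt["Sid"]
    return True, None


if __name__ == "__main__":
    uploads = {
        "approved key": {"x-amz-server-side-encryption": "aws:kms",
                         "x-amz-server-side-encryption-aws-kms-key-id": APPROVED_KEY_ARN},
        "no header": {},
        "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
        "SSE-KMS, no key id": {"x-amz-server-side-encryption": "aws:kms"},
    }
    for name, hdrs in uploads.items():
        print(name, "->", scp_allows(SCP, "s3:PutObject", request_context(hdrs)))
```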
Question87:
A healthcare organization stores sensitive patient electronic health records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging for all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides limited security. AWS-managed keys provide encryption at rest and SSL/TLS encrypts data in transit. However, granting developers full access violates the principle of least privilege, which is critical for protecting sensitive healthcare data. AWS-managed keys cannot provide detailed audit logs of key usage, and without automated credential rotation, credentials can remain valid for extended periods, increasing the risk of compromise. Additionally, centralised audit logging is not implemented, limiting the ability to monitor, detect, and respond to security incidents or meet regulatory compliance requirements such as HIPAA.
Option B is fully aligned with security, operational, and regulatory requirements. Using customer-managed KMS keys provides encryption at rest with fine-grained access control, key rotation, and detailed audit logging. SSL/TLS ensures secure data transmission, protecting data in transit from interception and tampering. IAM database authentication eliminates static credentials, enforcing identity-based access control and the principle of least privilege. AWS Secrets Manager automates credential rotation, reducing the risk associated with long-lived credentials and improving operational efficiency. CloudTrail captures all database operations and configuration changes, providing centralised audit logging, supporting regulatory compliance, and enabling forensic investigations. This approach integrates preventive (IAM policies, KMS encryption), detective (CloudTrail logging), and corrective (automated rotation) controls, ensuring comprehensive security and compliance for sensitive healthcare data.
Option C, storing credentials in environment variables, exposes sensitive information and lacks automated rotation and centralised logging. Default encryption alone does not enforce least-privilege access or auditing. Option D, relying on point-in-time recovery and manual log review, is reactive and labor-intensive, insufficient for proactive security or compliance monitoring.
Option B uniquely satisfies preventive, detective, and corrective requirements while ensuring secure, auditable, and compliant management of sensitive electronic health records in Amazon RDS.
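The IAM database authentication piece of Option B is easy to name and harder to picture. The following is an added example (not from the exam page or from AWS) that shows what an IAM DB auth token actually is: a SigV4 query-string presigned request for the `rds-db:connect` action, valid for 15 minutes, which the client passes to the database driver in place of a password. It reproduces in the standard library what the AWS SDK's RDS `generate_db_auth_token` helper does, so it runs offline; in production you would call the SDK helper instead. The hostname, key pair, session token and user name below are constructed placeholders.

```python
"""IAM database authentication token for RDS, built with the standard library only.

Added example. Mirrors the SDK's RDS generate_db_auth_token: a SigV4 presigned
GET for Action=connect on the rds-db service. The token replaces a static
password and expires after 900 seconds (fixed by RDS). Inputs are constructed.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "rds-db"
TOKEN_TTL_SECONDS = 900  # fixed by RDS; tokens cannot be made longer-lived
FIXED_NOW = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)  # constructed clock for the demo


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    # Standard SigV4 derivation: "AWS4"+secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def _encode(s: str) -> str:
    # SigV4 canonical query strings leave only RFC 3986 unreserved characters bare
    return quote(s, safe="-_.~")


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return the token to hand to the DB driver as the password.
    RDS only accepts it over TLS, so the connection must use SSL."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    scope = f"{date}/{region}/{SERVICE}/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # present when the caller runs under an EC2/Lambda role session
        params["X-Amz-Security-Token"] = session_token

    canonical_query = "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_query,
        f"host:{host_header}\n",          # canonical headers: only Host is signed
        "host",                           # signed headers list
        hashlib.sha256(b"").hexdigest(),  # hash of the empty request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # RDS expects the token without the https:// scheme
    return f"{host_header}/?{canonical_query}&X-Amz-Signature={signature}"


def token_seconds_remaining(token: str, now=None) -> int:
    """Read X-Amz-Date / X-Amz-Expires back out of a token. Applications should
    generate a fresh token per connection rather than cache one across the window."""
    now = now or dt.datetime.now(dt.timezone.utc)
    query = dict(part.split("=", 1) for part in token.split("?", 1)[1].split("&"))
    issued = dt.datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return int(query["X-Amz-Expires"]) - int((now - issued).total_seconds())


def demo() -> str:
    """Constructed inputs only; never embed real keys in code."""
    return generate_db_auth_token(
        host="example-db.cluster-0123456789ab.eu-west-1.rds.amazonaws.com",
        port=5432, db_user="app_user", region="eu-west-1",
        access_key="AKIAEXAMPLEKEY", secret_key="wJalrEXAMPLESECRET",
        session_token="FwoGZXIvYXdzEXAMPLE", now=FIXED_NOW)
```

Two settings on the AWS side make this work as the least-privilege control the explanation describes: the database user is mapped to IAM (on PostgreSQL, `GRANT rds_iam TO app_user;`), and the caller's IAM role holds `rds-db:connect` on `arn:aws:rds-db:<region>:<account>:dbuser:<db-resource-id>/app_user` only. Because the token is a signature by that role's temporary credentials, there is no long-lived database password to rotate or leak; the Secrets Manager rotation in Option B then covers only the remaining static secrets (for example the master user). Pairing this with `rds.force_ssl=1` in the PostgreSQL parameter group enforces the SSL/TLS requirement at the server rather than trusting every client.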
Question88:
A financial organization needs to store highly sensitive transactional data in Amazon S3 with strict requirements for immutability during a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A, enabling S3 versioning, allows recovery of previous versions but does not prevent deletion or modification by privileged users. Relying on developers to prevent deletion introduces human error and insider threat risks. Versioning alone does not meet regulatory requirements for immutable storage or comprehensive audit logging.
Option B provides the most secure and compliant solution. S3 Object Lock in compliance mode enforces WORM (write-once-read-many) immutability, preventing deletion or modification of objects during the retention period, even by administrators. Bucket policies restrict access to authorized personnel only, mitigating insider threats. CloudTrail logging captures all object-level operations, including deletion attempts, providing centralised, immutable audit trails essential for compliance and forensic investigation. This solution integrates preventive (Object Lock, bucket policies), detective (CloudTrail logging), and corrective measures, ensuring operational security, regulatory compliance, and accountability. Option B guarantees that highly sensitive financial data remains immutable, auditable, and protected from accidental or malicious actions.
Option C, maintaining separate backups and manually tracking deletions, is reactive, error-prone, and operationally intensive. Manual processes cannot consistently prevent deletion at the source or satisfy regulatory requirements. Option D, using SSE-S3 with manual access management, protects confidentiality but does not enforce immutability or provide audit capabilities, leaving critical gaps in security and compliance.
Option B uniquely integrates preventive, detective, and corrective controls, meeting stringent immutability, insider threat mitigation, and audit requirements.
Question89:
A healthcare organization processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted invocation and relies solely on logging, which does not prevent unauthorised access. Option C, storing secrets in environment variables, exposes sensitive information and provides no access control, leaving Lambda functions vulnerable to misuse. Option D, relying on API keys, depends on secrecy and developer discipline, which is prone to accidental leaks, sharing, or mismanagement, making it unsuitable for sensitive healthcare workloads.
Option B enforces preventive access control through resource-based policies, allowing invocation only from approved API Gateway principals. Unauthorized direct invocations are automatically blocked. CloudTrail logging captures all invocation events, successful or failed, providing centralised audit capabilities for compliance, monitoring, and forensic investigation. This solution integrates preventive (resource-based policies), detective (CloudTrail logging), and corrective controls, ensuring secure and auditable Lambda execution aligned with AWS best practices and healthcare compliance requirements.
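The resource-based policy in Option B is the same statement that `aws lambda add-permission --principal apigateway.amazonaws.com --source-arn <execute-api ARN>` writes. The following is an added example (not from the exam page or from AWS) that builds that statement and pairs it with a deliberately small evaluator, covering only the `Principal` and the `aws:SourceArn` condition, so the difference between a narrow source ARN and a wildcard one is visible. It does not model identity-based policies: for staff in the same account, their own IAM policies must also not grant `lambda:InvokeFunction`, or a direct call will still succeed. All ARNs are constructed placeholders.

```python
"""Lambda resource-based policy that admits only one approved API Gateway route.

Added example. api_gateway_only_policy() returns the statement add-permission
produces; invoke_allowed() is a minimal evaluator (Principal + aws:SourceArn
only) used to show which invocation paths the statement admits. ARNs constructed.
"""
import fnmatch
from typing import Optional

FUNCTION_ARN = "arn:aws:lambda:eu-west-1:111122223333:function:patient-intake"  # constructed
# One API id, one stage, one method, one resource path. A pattern ending in "/*/*/*"
# admits every route of that API; "*/*/*/*" admits every API in the account.
APPROVED_SOURCE_ARN = "arn:aws:execute-api:eu-west-1:111122223333:a1b2c3d4e5/prod/POST/intake"


def api_gateway_only_policy(function_arn: str, source_arn: str) -> dict:
    """Resource-based policy: the API Gateway service principal may invoke,
    but only when the calling API matches source_arn (ArnLike supports * and ?)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowApprovedApiGatewayOnly",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
        }],
    }


def invoke_allowed(policy: dict, principal: dict, source_arn: Optional[str] = None) -> bool:
    """principal is {"Service": "..."} for a service caller or {"AWS": "<arn>"} for a
    user or role calling Invoke directly. True only when an Allow statement matches
    both the principal and its SourceArn condition. A service call that carries no
    source ARN, or one from another API, finds no matching statement."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "lambda:InvokeFunction":
            continue
        if not any(stmt["Principal"].get(k) == v for k, v in principal.items()):
            continue
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if pattern and not (source_arn and fnmatch.fnmatchcase(source_arn, pattern)):
            continue
        return True
    return False
```

The `aws:SourceArn` condition is what turns "any API Gateway in any account" into "this one route": without it, any API in any AWS account could be pointed at the function, because the service principal is the same everywhere. CloudTrail records each `Invoke` data event with the calling identity, which is the detective half of the answer.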
Question90:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials in environment variables and relies on manual rotation, increasing the risk of leaks and operational overhead. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing the likelihood of compromise.
Option B provides a secure, automated, and auditable solution. Parameter Store SecureString parameters encrypt credentials and enforce access control. Assigning IAM roles to EC2 instances ensures least-privilege access, allowing only authorized instances to retrieve secrets. Automated rotation reduces exposure risk and operational complexity. CloudTrail logs all access events, supporting centralised auditing, compliance monitoring, and forensic analysis. By integrating preventive, detective, and corrective controls, Option B ensures secure, auditable, and operationally efficient access to sensitive APIs across EC2 instances.
Security Challenges with Environment Variables
Option A, storing API keys in environment variables and rotating them manually, introduces several significant security and operational challenges. Environment variables, while convenient for runtime access, are inherently exposed to the host operating system environment. Any process or user with access to the EC2 instance may be able to read environment variables, intentionally or inadvertently. For example, debugging tools or crash reports may log environment variables, creating a potential channel for sensitive information leakage. Moreover, manual rotation of environment variables relies on human discipline, which is prone to oversight and inconsistency. In large-scale environments with numerous EC2 instances, ensuring that every instance updates its environment variables simultaneously is operationally complex and error-prone. Failure to rotate credentials promptly can extend the exposure period, increasing the risk of unauthorised access. Additionally, in environments subject to regulatory compliance, reliance on manual rotation can result in audit deficiencies, as manual processes lack consistent traceability and may be difficult to demonstrate during compliance reviews.
Risks of Hard-Coding Credentials
Option C, embedding credentials directly into EC2 application code, presents even higher levels of risk. Hard-coded credentials are inherently long-lived, as they remain in deployed code until updated. This creates a persistent security vulnerability, especially if the code is stored in source control systems, backed up, or shared among development and operations teams. Hard-coded credentials are also difficult to rotate. Updating credentials requires modifying the application code, testing changes, and redeploying the application across all relevant instances. This process is slow, resource-intensive, and prone to errors, leaving systems exposed during the rotation period. Additionally, hard-coded secrets bypass centralised access management and auditing mechanisms, making it nearly impossible to enforce least-privilege access or maintain accountability. For regulated industries, this lack of centralised control and auditability can result in significant compliance violations.
Limitations of Long-Lived IAM User Credentials
Option D, relying on long-lived IAM user credentials for each EC2 instance, poses severe security and operational challenges. IAM user credentials are primarily intended for human access rather than automated workloads. Using long-lived credentials on EC2 instances introduces several risks: if credentials are compromised, they remain valid until manually rotated or revoked, extending the window of exposure. Managing a large number of long-lived credentials across numerous instances increases administrative complexity and the likelihood of misconfiguration. Auditing activity is also challenging, as all actions are tied to the same IAM user identity rather than the specific EC2 instance or workload, making it difficult to trace activity back to the responsible entity. This approach violates the principle of least privilege and does not align with modern best practices for cloud security, which emphasise centralised management and role-based access.
Advantages of Parameter Store SecureString Parameters
Option B offers a robust, automated, and secure solution for managing credentials. AWS Systems Manager Parameter Store supports SecureString parameters, which encrypt sensitive data using AWS Key Management Service (KMS). This encryption ensures that credentials are protected at rest and during transit. SecureString parameters also integrate seamlessly with IAM, allowing administrators to define precise access policies. Only authorized IAM roles or users can retrieve the stored secrets. By centralizing credential storage and enforcing access control through IAM, organizations can maintain a clear security boundary, reduce the attack surface, and eliminate the need to distribute static credentials across multiple instances.
Role-Based Access with IAM Roles
Assigning IAM roles to EC2 instances strengthens security by providing dynamic, role-based access to credentials. Only EC2 instances with the assigned role can retrieve the SecureString parameters. This approach enforces least-privilege access, ensuring that no instance or user outside the intended scope can access sensitive API keys. IAM roles are centrally manageable, meaning access can be granted, modified, or revoked without redeploying applications or redistributing credentials. This centralised control simplifies operations while maintaining strict security policies and accountability. It also reduces the likelihood of human error, as permissions are defined programmatically rather than manually distributed.
Automated Rotation Enhances Security
Automated rotation of SecureString parameters significantly reduces the risk associated with long-lived credentials. With automated rotation, credentials are updated at predefined intervals without requiring manual intervention. This process limits the duration of potential exposure if a credential is compromised. Automated rotation also simplifies operational management, as administrators do not need to coordinate complex rotation schedules or ensure that all EC2 instances are updated simultaneously. Applications can dynamically retrieve updated credentials at runtime, maintaining uninterrupted operation while enforcing strong security practices. Automated rotation ensures continuous credential freshness, reducing operational risk and improving overall security posture.
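Rotation only works end to end if the application is written to tolerate it: a value fetched at start-up and kept forever defeats the rotation job. The following is an added example (not from the exam page or from AWS) of the client-side half: a short-lived cache of the decrypted parameter that refreshes when its TTL expires or when the downstream API rejects the credential because a new version has already been written. `FakeSsm` stands in for the boto3 SSM client so the example runs offline; the real call has the same shape, `ssm.get_parameter(Name=..., WithDecryption=True)["Parameter"]["Value"]`. The parameter name, secret values and the rotation trigger are constructed.

```python
"""Rotation-aware retrieval of a SecureString parameter.

Added example. CachedSecret caches the decrypted value for ttl seconds and
re-reads it on expiry; call_api_with_rotation() retries once with a fresh
read when the API rejects the cached credential. FakeSsm replaces boto3's
SSM client so this runs offline. All names and values are constructed.
"""
import time
from typing import Callable


class FakeSsm:
    """Minimal stand-in for boto3 SSM: versioned parameter plus a call counter."""
    def __init__(self, initial: str):
        self.versions = [initial]
        self.calls = 0

    def rotate(self, new_value: str):
        # What a scheduled rotation job does: write a new parameter version
        self.versions.append(new_value)

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        self.calls += 1
        if not WithDecryption:
            raise ValueError("SecureString values are only returned with WithDecryption=True")
        return {"Parameter": {"Name": Name, "Value": self.versions[-1], "Version": len(self.versions)}}


class CachedSecret:
    """Caches the current value for ttl seconds; refresh() forces a re-read."""
    def __init__(self, ssm, name: str, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.ssm, self.name, self.ttl, self.clock = ssm, name, ttl, clock
        self._value = None
        self._fetched_at = float("-inf")

    def get(self) -> str:
        if self._value is None or self.clock() - self._fetched_at >= self.ttl:
            self.refresh()
        return self._value

    def refresh(self) -> str:
        p = self.ssm.get_parameter(Name=self.name, WithDecryption=True)["Parameter"]
        self._value, self._fetched_at = p["Value"], self.clock()
        return self._value


class AuthError(Exception):
    pass


def call_api_with_rotation(secret: CachedSecret, api_call: Callable[[str], str]) -> str:
    """Call the API with the cached credential; on an auth failure re-read the
    parameter (it may have rotated) and retry exactly once, so a genuinely
    revoked credential still surfaces as an error instead of a retry loop."""
    try:
        return api_call(secret.get())
    except AuthError:
        return api_call(secret.refresh())


def demo() -> dict:
    """Constructed scenario: rotation happens while the app still caches the old key."""
    ssm = FakeSsm("key-v1")
    clock = {"t": 0.0}
    secret = CachedSecret(ssm, "/prod/billing/api-key", ttl=300, clock=lambda: clock["t"])
    valid = {"key-v1"}

    def api(key: str) -> str:
        if key not in valid:
            raise AuthError("rejected")
        return "ok"

    first = call_api_with_rotation(secret, api)    # first read from SSM, succeeds
    second = call_api_with_rotation(secret, api)   # served from cache, no SSM call
    ssm.rotate("key-v2")                           # rotation job writes the new version
    valid.discard("key-v1")                        # and the API stops accepting the old one
    valid.add("key-v2")
    third = call_api_with_rotation(secret, api)    # cached v1 rejected -> refresh -> v2 accepted
    clock["t"] = 400.0
    fourth = call_api_with_rotation(secret, api)   # TTL expired -> scheduled refresh, still v2
    return {"results": [first, second, third, fourth], "ssm_calls": ssm.calls,
            "current": secret.get()}
```

The single retry covers the window between the rotation job writing the new version and the cache expiring. If the API can honour two keys at once, rotate by issuing the new key before revoking the old one, and the retry path is rarely exercised; if it cannot, the retry is what keeps the application from failing for up to one TTL after each rotation.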
Centralized Auditing with CloudTrail
CloudTrail integration provides a centralised mechanism for auditing access to Parameter Store secrets. Every retrieval, modification, or rotation event is logged with detailed information, including the requesting principal, timestamp, and resource accessed. This centralised audit trail enables organisations to monitor for unauthorised access, investigate anomalous activity, and respond proactively to potential incidents. In regulated environments, these logs provide verifiable evidence of controlled access, supporting compliance with PCI DSS, HIPAA, ISO 27001, and other standards. CloudTrail logging also facilitates forensic analysis, allowing security teams to reconstruct access patterns and identify any deviations from established security policies.
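Logging is only a detective control once something reads the log. The following is an added example (not from the exam page or from AWS) that runs two checks over CloudTrail records: SecureString reads with `withDecryption` by any principal other than the EC2 instance role meant to hold the secret (this question), and attempts to delete, or shorten retention on, objects in an Object Lock bucket, which compliance mode rejects with `AccessDenied` (Question 88 above). The records are a few constructed JSON lines embedded in the block; account ids, role names, bucket and parameter names are placeholders, while the event names and field names are the ones CloudTrail uses for these services.

```python
"""CloudTrail review for Parameter Store secret reads and Object Lock bypass attempts.

Added example. Scans constructed CloudTrail records for (1) WithDecryption reads
by principals outside the approved instance roles and (2) delete/retention
changes against an Object Lock bucket. All identifiers are constructed.
"""
import json
from typing import Optional

APPROVED_SECRET_READER_ROLES = {"billing-api-instance-role"}  # constructed: the EC2 instance role
PROTECTED_BUCKET = "fin-ledger-worm"                           # constructed: Object Lock bucket

ACCT = "111122223333"  # constructed account id
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [  # constructed CloudTrail records
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/billing-api-instance-role/i-0abc"},
     "requestParameters": {"name": "/prod/billing/api-key", "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/contractor"},
     "requestParameters": {"name": "/prod/billing/api-key", "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/contractor"},
     "requestParameters": {"name": "/prod/billing/endpoint", "withDecryption": False}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/Admin/ops"},
     "requestParameters": {"bucketName": "fin-ledger-worm", "key": "2024/tx-0001.json", "versionId": "v1"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObjectRetention",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/Admin/ops"},
     "requestParameters": {"bucketName": "fin-ledger-worm", "key": "2024/tx-0001.json"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/auditor/a"},
     "requestParameters": {"bucketName": "fin-ledger-worm", "key": "2024/tx-0001.json"}},
])

SECRET_READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}
# Without a versionId, DeleteObject on a versioned bucket only adds a delete marker and
# succeeds; the locked versions survive. Record both outcomes so reviewers see the intent.
OBJECT_LOCK_BYPASS_EVENTS = {"DeleteObject", "DeleteObjects", "PutObjectRetention",
                             "PutObjectLegalHold", "PutBucketObjectLockConfiguration"}


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_name(identity: dict) -> Optional[str]:
    """Role name from an assumed-role session ARN, None for users and other identity types."""
    parts = identity.get("arn", "").split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else None


def unexpected_secret_reads(events: list) -> list:
    """(principal ARN, parameter) for every decrypting read by a non-approved principal."""
    findings = []
    for e in events:
        if e.get("eventSource") != "ssm.amazonaws.com" or e.get("eventName") not in SECRET_READ_EVENTS:
            continue
        req = e.get("requestParameters") or {}
        if not req.get("withDecryption"):
            continue  # plain-text parameters are not secrets
        if role_name(e["userIdentity"]) in APPROVED_SECRET_READER_ROLES:
            continue
        findings.append((e["userIdentity"]["arn"], req.get("name") or req.get("path") or str(req.get("names"))))
    return findings


def object_lock_bypass_attempts(events: list) -> list:
    """(event, principal ARN, outcome) for delete/retention changes on the protected bucket."""
    findings = []
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com" or e.get("eventName") not in OBJECT_LOCK_BYPASS_EVENTS:
            continue
        if (e.get("requestParameters") or {}).get("bucketName") != PROTECTED_BUCKET:
            continue
        findings.append((e["eventName"], e["userIdentity"]["arn"], e.get("errorCode", "Succeeded")))
    return findings
```

Two details matter in production. Parameter Store reads are CloudTrail management events, so they appear in the default trail; S3 object-level calls such as `DeleteObject` and `PutObjectRetention` are data events and have to be enabled for the bucket, or the second check has nothing to read. And an `AccessDenied` on a locked object is a finding rather than a non-event: the control worked, but someone with administrative credentials tried to bypass it, which is exactly the insider signal the question asks for.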
Integration of Preventive, Detective, and Corrective Controls
Option B integrates preventive, detective, and corrective security measures. Preventive controls are enforced through KMS encryption and IAM role-based access, preventing unauthorised entities from retrieving credentials. Detective controls are implemented via CloudTrail logging, which provides real-time visibility into access events and enables monitoring for suspicious activity. Corrective controls are supported because compromised credentials can be rotated immediately, and detailed audit logs provide actionable information for investigation and remediation. This layered approach ensures comprehensive protection across all stages of credential management, mitigating risks proactively and enabling rapid response when incidents occur.
Operational Scalability and Efficiency
Centralized secret management with Parameter Store supports operational scalability. Administrators can manage credentials from a single location, avoiding the need for duplication across instances. Updates or revocation of credentials can be performed centrally, without redeploying applications or manually distributing secrets. EC2 instances retrieve credentials dynamically at runtime, ensuring consistent access and reducing human error. This approach scales efficiently for large environments with hundreds or thousands of EC2 instances, allowing organisations to maintain secure, auditable, and consistent credential management across multiple workloads and applications.