Amazon AWS Certified Security — Speciality SCS-C02 Exam Dumps and Practice Test Questions Set 10 Q136-150

Question136:

A global enterprise plans to store sensitive intellectual property in Amazon S3. Security requirements include encryption at rest using customer-managed KMS keys, prevention of accidental or malicious deletions, least-privilege access enforcement, real-time monitoring of policy violations, automated remediation, and centralised auditing across multiple accounts and regions. Which solution best meets these requirements?

A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce KMS key usage.
B) Implement S3 Object Lock in compliance mode to enforce immutability, enforce Service Control Policies (SCPs) to mandate customer-managed KMS key usage, configure EventBridge rules for automated remediation, apply bucket policies for least-privilege access, and consolidate CloudTrail logs into a centralised audit account.
C) Encrypt objects manually after upload and rely on developers to monitor compliance.
D) Enable versioning and rely on administrators to manually review object modifications.

Answer:
B

Explanation:

Option A provides default SSE-S3 encryption, which automatically encrypts objects at rest using keys that Amazon S3 itself manages (not KMS keys). While this ensures that data is encrypted, it does not satisfy the requirement for customer-managed KMS key enforcement. Relying on developers to enforce key usage is prone to human error and operational inconsistencies. SSE-S3 also lacks built-in mechanisms for immutability, prevention of accidental deletions, or centralised multi-account auditing. Additionally, this approach offers minimal real-time monitoring capabilities. Although simple to implement, it does not provide a holistic security posture for enterprise-scale sensitive intellectual property storage.

Option B provides a fully integrated solution that meets all enterprise requirements. S3 Object Lock in compliance mode enforces WORM (Write Once Read Many) immutability, preventing deletions or modifications during a defined retention period. This addresses accidental or malicious deletion concerns. Service Control Policies (SCPs) ensure that only customer-managed KMS keys are used for encryption across multiple accounts, enforcing organizational compliance. EventBridge rules continuously monitor S3 activity for policy violations, triggering automated remediation workflows if necessary. Bucket policies and IAM roles enforce least-privilege access, ensuring that only authorized users or services can perform specific actions on the data. CloudTrail logging consolidates all object-level operations into a centralised audit account, providing visibility and forensic capability across regions and accounts. By combining preventive controls (Object Lock, SCPs, bucket policies), detective controls (EventBridge monitoring), and corrective measures (automated remediation), this solution offers a robust, scalable, and regulatory-compliant security framework.

Option C relies on manual encryption and monitoring, which is reactive and operationally intensive. Data may remain unencrypted or non-compliant for periods, increasing exposure risk. Option D, enabling versioning with manual review, provides recovery capabilities but does not prevent deletions, enforce KMS usage, or provide automated detection and remediation. Manual auditing is time-consuming, error-prone, and difficult to scale across multiple accounts or regions.

Option B is the only approach that integrates encryption enforcement, immutability, access control, real-time monitoring, automated remediation, and centralised auditing, ensuring that the enterprise’s sensitive intellectual property is secured and compliant with regulatory requirements.

Question137:

A healthcare organization is migrating sensitive patient data to Amazon RDS. Requirements include encryption at rest with customer-managed KMS keys, encryption in transit, strict identity-based access control, automated credential rotation, and centralised auditing of database operations and configuration changes. Which solution best satisfies these requirements?

A) Enable RDS encryption with AWS-managed keys, grant developers full access, and use SSL/TLS.
B) Use customer-managed KMS keys for encryption, enforce SSL/TLS, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.

Answer:
B

Explanation:

Option A provides encryption at rest using AWS-managed keys and SSL/TLS for in-transit encryption, but granting developers full access violates least-privilege principles, creating significant risk of accidental or unauthorized access. AWS-managed keys do not allow granular control over key usage or rotation, and centralised auditing is not implemented. Without automated credential rotation, credentials remain exposed for extended periods, increasing security risk. This approach does not satisfy stringent healthcare regulatory requirements for sensitive patient data.

Option B delivers a comprehensive, enterprise-grade solution. Customer-managed KMS keys provide encryption at rest with centralised control, rotation, and auditing capabilities. SSL/TLS ensures encryption in transit. IAM database authentication enforces strict identity-based, least-privilege access, eliminating static credentials and mitigating insider threats. AWS Secrets Manager automates credential rotation, reducing exposure risk and operational burden. CloudTrail logs all database activity and configuration changes, enabling centralised auditing, monitoring, and forensic capability. Preventive controls (encryption, IAM authentication), detective mechanisms (CloudTrail), and corrective measures (automated credential rotation) are integrated to ensure both security and compliance. This approach reduces operational risk, ensures continuous compliance, and maintains confidentiality and integrity of sensitive patient data.

Option C, storing credentials in environment variables, is insecure, lacks automated rotation, and does not provide centralised audit capability. Option D, enabling point-in-time recovery and manually reviewing logs, is reactive, labor-intensive, and does not offer preventive controls, automated compliance monitoring, or real-time detection of unauthorized access.

Option B satisfies enterprise requirements for operational efficiency, regulatory compliance, and comprehensive security for sensitive patient records in Amazon RDS, offering an integrated preventive, detective, and corrective control framework.

Question138:

A financial organization requires Amazon S3 storage for highly sensitive transactional data. Security requirements include immutability, prevention of accidental or malicious deletions, mitigation of insider threats, and comprehensive audit logging. Which solution meets these requirements?

A) Enable S3 versioning and rely on developers to prevent deletions.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.

Answer:
B

Explanation:

Option A, using versioning, allows the recovery of deleted or modified objects, but it does not prevent deletions by authorized users. Relying on developers to enforce deletion policies is prone to error and lacks real-time monitoring. Versioning alone does not ensure immutability, insider threat mitigation, or centralised auditing. In financial environments with strict compliance and regulatory requirements, versioning alone is insufficient.

Option B provides a fully integrated enterprise solution. S3 Object Lock in compliance mode ensures immutability, preventing modifications or deletions during a specified retention period. Bucket policies enforce least-privilege access, mitigating insider threat risk. CloudTrail provides centralised logging of all S3 operations, supporting audit, compliance, and forensic needs. Preventive, detective, and corrective controls are fully integrated, offering a scalable, robust solution for sensitive financial data. The combination of Object Lock, access control policies, and CloudTrail ensures regulatory compliance, operational efficiency, and mitigation of human or insider risk.

Option C, maintaining separate backups and manual tracking, is reactive, error-prone, and operationally intensive. Option D, SSE-S3 encryption with manual access management, secures confidentiality but does not enforce immutability, provide automated monitoring, or integrate centralised auditing, leaving gaps in compliance and insider threat mitigation.

Option B is the only approach that fully satisfies immutability, access control, auditing, and insider threat mitigation, providing a secure, compliant storage solution for sensitive financial transactions.

Question139:

A healthcare organization processes sensitive patient data using AWS Lambda functions. Security policies require Lambda invocations only through approved API Gateway endpoints and centralised auditing of all invocation events. Which solution meets these requirements?

A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.

Answer:
B

Explanation:

Option A allows unrestricted Lambda invocation and relies solely on logging for detection, which provides no preventive security control. Sensitive patient data may be exposed to unauthorized access, violating healthcare compliance standards. Option C, storing secrets in environment variables, is insecure, provides no audit or enforcement capabilities, and is prone to accidental leakage. Option D, using API keys and relying on developers not to share them, is operationally unreliable and cannot guarantee compliance or security in a regulated environment.

Option B integrates preventive, detective, and corrective controls. Resource-based policies restrict Lambda invocations to approved API Gateway principals, ensuring unauthorized users cannot access sensitive functions. CloudTrail captures all invocation events, providing centralised auditing, monitoring, and forensic capability. Preventive access control, centralised auditing, and operational monitoring collectively ensure regulatory compliance, security, and real-time oversight of sensitive patient data processing. This approach reduces risk, ensures accountability, and provides operational efficiency for Lambda functions in healthcare environments.

Question140:

A company operates multiple EC2 instances that need access to sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable logs. Which solution satisfies these requirements?

A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.

Answer:
B

Explanation:

Option A exposes API keys in environment variables, lacks automated rotation, and introduces operational and security risks. Option C, hard-coding credentials in applications, creates challenges for rotation, auditing, and secure management. Option D relies on long-lived IAM user credentials, increasing risk of compromise and operational overhead for rotation and auditing.

Option B provides a secure, automated, and auditable solution. SecureString parameters encrypt credentials and enforce strict access control. IAM roles assigned to EC2 instances ensure least-privilege access, restricting secret retrieval to authorized instances. Automated rotation reduces exposure risk and operational complexity. CloudTrail logs all access events, enabling centralised auditing, monitoring, and forensic capability. Preventive, detective, and corrective controls are integrated, ensuring secure, auditable, and operationally efficient access to sensitive APIs. This approach satisfies enterprise security, operational efficiency, and compliance requirements for managing sensitive credentials across multiple EC2 instances.

Question141:

A multinational enterprise plans to store highly confidential corporate research data in Amazon S3. Security requirements include encryption at rest with customer-managed KMS keys, strict immutability to prevent deletion or modification, least-privilege access, multi-region auditing, and real-time alerting on policy violations. Which solution satisfies these requirements?

A) Enable SSE-S3 encryption and rely on administrators to enforce KMS usage manually.
B) Implement S3 Object Lock in compliance mode, enforce Service Control Policies (SCPs) to mandate customer-managed KMS key usage, configure EventBridge rules for automated remediation, apply least-privilege bucket policies, and consolidate CloudTrail logs into a centralised audit account.
C) Encrypt objects manually post-upload and rely on developers to monitor compliance.
D) Enable versioning and manually review object deletions and modifications.

Answer:
B

Explanation:

Option A, SSE-S3 encryption with manual enforcement of KMS usage, provides basic protection but fails to meet enterprise-grade security and compliance requirements. Manual enforcement is prone to human error and lacks scalability, making it unsuitable for a multinational organization. SSE-S3 also does not prevent deletion or modification, leaving the data vulnerable to insider threats. Real-time alerting and centralised auditing are not inherently provided, leaving gaps in compliance monitoring.

Option B provides a comprehensive solution integrating preventive, detective, and corrective controls. S3 Object Lock in compliance mode enforces immutability, preventing deletion or modification during the retention period, satisfying regulatory and internal security mandates. SCPs enforce organizational policies mandating customer-managed KMS keys, ensuring consistent encryption across all accounts. EventBridge rules monitor for policy violations and trigger automated remediation workflows, addressing misconfigurations proactively. Bucket policies enforce least-privilege access, reducing the risk of insider threats. Centralised CloudTrail logs across regions provide auditability, forensic readiness, and operational oversight. The integration of these controls ensures that sensitive research data is encrypted, immutable, access-controlled, monitored in real-time, and auditable across multiple regions, fulfilling enterprise security, compliance, and operational requirements.

Option C relies on manual encryption and monitoring, which is operationally intensive and reactive, leaving sensitive data potentially unencrypted or non-compliant for periods. Option D, using versioning with manual review, allows recovery but does not prevent deletions, enforce encryption policies, or provide automated monitoring and alerting. Manual auditing is insufficient for multinational enterprise-scale compliance and does not address real-time threat mitigation.

Option B is the only approach that fully integrates encryption, immutability, access control, centralised auditing, and automated monitoring, providing a robust, scalable, and compliant solution for highly confidential corporate research data.

Question142:

A healthcare provider is deploying Amazon RDS to store sensitive patient data. Security requirements include encryption at rest with customer-managed KMS keys, encryption in transit, identity-based access control, automated credential rotation, and centralised auditing of database operations and configuration changes. Which solution best meets these requirements?

A) Enable RDS encryption using AWS-managed keys, grant developers broad access, and use SSL/TLS.
B) Use customer-managed KMS keys for encryption, enforce SSL/TLS, implement IAM database authentication, enable automatic credential rotation via AWS Secrets Manager, and configure CloudTrail logging.
C) Store credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.

Answer:
B

Explanation:

Option A provides encryption at rest with AWS-managed keys and SSL/TLS for data in transit. However, granting developers broad access violates least-privilege principles, increasing the risk of unauthorized access. AWS-managed keys do not allow granular key management, automated rotation, or auditability. Without centralised auditing and automated credential rotation, the approach fails to satisfy healthcare regulatory requirements and enterprise security standards.

Option B delivers a fully integrated enterprise-grade solution. Customer-managed KMS keys enable encryption at rest with centralised control, auditing, and rotation capabilities. SSL/TLS ensures encryption in transit. IAM database authentication enforces identity-based access and least-privilege principles, eliminating static credentials and reducing insider threats. AWS Secrets Manager automates credential rotation, reducing operational risk and exposure. CloudTrail captures all database activity and configuration changes, providing centralised auditing, monitoring, and forensic capabilities. Preventive, detective, and corrective controls are fully integrated, ensuring compliance, operational efficiency, and secure handling of sensitive patient data.

Option C relies on insecure environment variables for credentials and default encryption, offering no automated rotation, centralised auditing, or preventive controls. Option D, point-in-time recovery with manual log review, is reactive, labor-intensive, and insufficient for proactive prevention of unauthorized access or regulatory compliance.

Option B is the only solution that satisfies encryption, identity-based access, automated credential management, and centralised auditing, providing a secure, compliant, and operationally efficient deployment for sensitive patient data in Amazon RDS.

Question143:

A financial organization must store sensitive transactional data in Amazon S3. Security requirements include prevention of accidental or malicious deletions, enforcement of immutability, mitigation of insider threats, and comprehensive audit logging. Which solution meets these requirements?

A) Enable S3 versioning and rely on developers to prevent deletions.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.

Answer:
B

Explanation:

Option A, enabling versioning, provides recovery capabilities but does not prevent deletions or modifications. Relying on developers for enforcement is prone to human error and lacks real-time detection, making it insufficient for enterprise-scale compliance and security. Versioning alone cannot enforce immutability or mitigate insider threats effectively.

Option B offers a comprehensive solution integrating preventive, detective, and corrective controls. S3 Object Lock in compliance mode enforces immutability, preventing deletion or modification during the retention period, ensuring data integrity and regulatory compliance. Bucket policies enforce least-privilege access, mitigating insider threats. CloudTrail provides centralised logging for auditing, monitoring, and forensic analysis. EventBridge or similar monitoring can trigger automated remediation if violations occur. This approach ensures secure, auditable, and compliant storage of sensitive financial data, meeting operational, regulatory, and security requirements.

Option C relies on manual backups and tracking, which is reactive, error-prone, and operationally intensive. Option D, SSE-S3 encryption with manual access control, secures data at rest but does not enforce immutability, provide automated monitoring, or ensure centralised auditability, leaving gaps in compliance and insider threat mitigation.

Option B is the only solution that integrates immutability, access control, auditing, and insider threat mitigation, providing a robust, scalable, and compliant storage solution.

Question144:

A healthcare organization processes sensitive patient data using AWS Lambda functions. Security policies require Lambda invocations only through approved API Gateway endpoints and centralised auditing of all invocation events. Which solution meets these requirements?

A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.

Answer:
B

Explanation:

Option A allows unrestricted Lambda invocations, relying solely on logging, which provides no preventive security control. Sensitive patient data could be accessed by unauthorized users, violating healthcare regulations. Option C, storing secrets in environment variables, is insecure, provides no audit or enforcement mechanisms, and risks accidental exposure. Option D, relying on API keys and developers not sharing them, is operationally unreliable and cannot guarantee regulatory compliance or security at scale.

Option B provides a fully integrated solution. Resource-based policies restrict Lambda invocation to approved API Gateway principals, enforcing preventive access control. CloudTrail captures all invocation events, providing centralised auditing, monitoring, and forensic capability. Preventive access control, centralised auditing, and operational monitoring together ensure compliance with healthcare regulations, protect sensitive patient data, and provide operational efficiency. This solution reduces risk, enforces accountability, and enables real-time monitoring of Lambda function invocations in regulated environments.
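The control that Option B relies on in Q139, Q144 and the identical Q149 below is a Lambda resource-based policy whose principal is the API Gateway service and whose condition pins that principal to one approved API. The following is an added example, not code from the page or from AWS: it builds that hardened statement and audits an existing policy for invocation paths that bypass it. The function ARN, the execute-api ARN and both policy documents are constructed placeholders; the `AWS:SourceArn` condition key is what Lambda itself writes when a permission is added with a source ARN.

```python
"""Audit a Lambda function's resource-based policy for invocation paths that do
not go through the approved API Gateway, and build the hardened statement.
Added example (not from the page or from AWS): the function ARN, API ARN and
policy documents are constructed placeholders."""
import json

# Constructed placeholders, not real resources.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:patient-intake"
# execute-api ARN of the approved API: api-id/stage/method/path; the stage
# wildcard keeps every stage of this one API approved, but no other API.
APPROVED_API_ARN = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/POST/intake"
APIGW_SERVICE = "apigateway.amazonaws.com"


def approved_invoke_statement(function_arn: str, api_arn: str) -> dict:
    """Statement that lets only the API Gateway service principal invoke the
    function, and only when the invoking API matches api_arn. Without the
    SourceArn pin, an API in any AWS account could use the service principal."""
    return {
        "Sid": "AllowApprovedApiGatewayOnly",
        "Effect": "Allow",
        "Principal": {"Service": APIGW_SERVICE},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": api_arn}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pinned_to_source(stmt: dict) -> bool:
    """True if the statement carries an aws:SourceArn or aws:SourceAccount
    condition (IAM condition key names are case-insensitive)."""
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() in ("aws:sourcearn", "aws:sourceaccount") for k in keys):
            return True
    return False


def find_unapproved_invoke_paths(policy: dict) -> list:
    """Return one finding string per Allow statement that grants invoke rights
    to anything other than an API Gateway principal pinned to a source."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("lambda:invokefunction", "lambda:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: invocation open to any principal")
            continue
        if not isinstance(principal, dict):
            findings.append(f"{sid}: unexpected principal {principal!r}")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            findings.append(f"{sid}: IAM principal {arn} can invoke directly, outside API Gateway")
        for svc in _as_list(principal.get("Service", [])):
            if svc != APIGW_SERVICE:
                findings.append(f"{sid}: service principal {svc} is not the approved API Gateway")
            elif not _pinned_to_source(stmt):
                findings.append(f"{sid}: {svc} not pinned with aws:SourceArn, so any API could invoke")
    return findings


# Constructed policies: the weak shape and the hardened one built above.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyoneCanInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "UnpinnedApiGateway", "Effect": "Allow",
         "Principal": {"Service": APIGW_SERVICE},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    ],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [approved_invoke_statement(FUNCTION_ARN, APPROVED_API_ARN)],
}

if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_unapproved_invoke_paths(pol) or ["no findings"])
```

The second weak statement is the one most often missed in review: the principal is the right service, but without the `SourceArn` condition the grant is to API Gateway as a whole, not to the approved API. The CloudTrail side of Option B is unchanged by this policy; invocation events still arrive as data events once they are enabled for the function.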

Question145:

A company operates multiple EC2 instances that require access to sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable logs. Which solution satisfies these requirements?

A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.

Answer:
B

Explanation:

Option A exposes credentials in environment variables, lacks automated rotation, and increases operational risk. Option C relies on hard-coded credentials, making rotation, auditing, and secure management challenging. Option D uses long-lived IAM user credentials, increasing risk of compromise and operational overhead for rotation and auditing.

Option B provides a secure, automated, and auditable solution. SecureString parameters encrypt credentials and enforce strict access control. IAM roles assigned to EC2 instances enforce least-privilege access. Automated rotation reduces exposure risk and operational overhead. CloudTrail logs all access events, enabling centralised auditing and monitoring. Preventive, detective, and corrective controls are fully integrated, ensuring secure, compliant, and operationally efficient access to sensitive APIs. This approach satisfies enterprise-scale security, operational efficiency, and regulatory compliance for sensitive credentials across EC2 instances.

Question146:

A multinational enterprise stores highly sensitive intellectual property in Amazon S3. Security requirements include encryption at rest using customer-managed KMS keys, prevention of accidental or malicious deletions, least-privilege access enforcement, multi-region audit logging, and real-time alerting for policy violations. Which solution best satisfies these requirements?

A) Enable SSE-S3 encryption and rely on administrators to enforce KMS usage manually.
B) Implement S3 Object Lock in compliance mode, enforce Service Control Policies (SCPs) to mandate customer-managed KMS key usage, configure EventBridge rules for automated remediation, apply least-privilege bucket policies, and consolidate CloudTrail logs into a centralised audit account.
C) Encrypt objects manually post-upload and rely on developers to monitor compliance.
D) Enable versioning and manually review object deletions and modifications.

Answer:
B

Explanation:

Option A, using SSE-S3 encryption with manual enforcement of KMS usage, provides minimal protection and lacks the automation, preventive controls, and centralised auditability required for enterprise-scale sensitive data. Relying on administrators introduces human error and operational inconsistency. SSE-S3 does not enforce immutability or prevent deletions, leaving critical intellectual property vulnerable to insider threats or accidental removal. Real-time alerting and multi-region audit capabilities are also absent, creating gaps in regulatory compliance and operational visibility. While this option is simple to implement, it fails to meet stringent enterprise security standards, particularly for multinational operations requiring coordinated enforcement across multiple accounts and regions.

Option B is the comprehensive solution that addresses all stated security requirements. S3 Object Lock in compliance mode enforces WORM (Write Once Read Many) immutability, ensuring that objects cannot be deleted or modified during a retention period. This prevents accidental or malicious deletion. Service Control Policies (SCPs) mandate the usage of customer-managed KMS keys, enforcing encryption standards across all accounts. EventBridge rules monitor bucket events in real-time and trigger automated remediation workflows when policy violations are detected, ensuring immediate correction of misconfigurations. Bucket policies enforce least-privilege access, reducing insider threat risks. Centralised CloudTrail logs provide multi-region audit capability and full visibility of object-level operations, supporting compliance and forensic investigations. The integration of preventive, detective, and corrective controls ensures that sensitive data is protected, monitored, and auditable across all accounts and regions, satisfying enterprise security and regulatory compliance requirements.

Option C, manual encryption and developer monitoring, is reactive and operationally intensive. It leaves the system vulnerable between the time of upload and verification, lacks automated alerting, and introduces the risk of human error, which could compromise sensitive intellectual property. Option D, enabling versioning with manual review, allows recovery of deleted objects but does not prevent deletions, enforce KMS key usage, or provide real-time monitoring. Manual audits are impractical at scale, particularly for multinational enterprises.
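Q136, Q141 and Q146 all rest on the same preventive control: an SCP that makes uploads without the approved customer-managed KMS key fail, regardless of what an identity policy in a member account allows. The block below is an added example, not code from the page or from AWS. It emits that SCP and includes a small evaluator for the two condition operators the SCP uses, so the effect on five kinds of upload can be checked offline. The key ARN, account id and request contexts are constructed placeholders, and the evaluator models only the subset of IAM condition semantics this policy needs.

```python
"""Service Control Policy that blocks S3 uploads not encrypted with the
approved customer-managed KMS key, with a small evaluator for the two
condition operators the policy uses. Added example (not from the page or from
AWS): the key ARN, account id and request contexts are constructed, and the
evaluator models only the subset of IAM condition semantics this SCP needs."""
import json
from typing import Optional

# Constructed placeholder for the organisation's approved customer-managed key.
APPROVED_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                    "11111111-2222-3333-4444-555555555555")

SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def kms_enforcement_scp(key_arn: str) -> dict:
    """Four Deny statements: wrong or absent SSE header, wrong or absent key id.
    The Null statements make the 'header absent' case an explicit deny instead
    of relying on how StringNotEquals treats a missing context key."""
    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Action": "s3:PutObject",
                "Resource": "*", "Condition": condition}
    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyNonKmsHeader", {"StringNotEquals": {SSE_KEY: "aws:kms"}}),
            deny("DenyMissingSseHeader", {"Null": {SSE_KEY: "true"}}),
            deny("DenyWrongKmsKey", {"StringNotEquals": {KMS_ID_KEY: key_arn}}),
            deny("DenyMissingKmsKeyId", {"Null": {KMS_ID_KEY: "true"}}),
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Toy Condition evaluation: every key under every operator must match
    (AND); the listed values for one key are alternatives (OR). Only the
    operators this SCP uses are modelled."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = [str(v) for v in _as_list(values)]
            present = key in ctx
            if operator == "StringEquals":
                ok = present and ctx[key] in values
            elif operator == "StringNotEquals":
                ok = present and ctx[key] not in values
            elif operator == "Null":
                ok = (not present) if values[0].lower() == "true" else present
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def scp_denies(scp: dict, action: str, ctx: dict) -> Optional[str]:
    """Sid of the first matching Deny statement, or None. An SCP that does not
    deny is not a grant: the identity or bucket policy must still allow the
    action (not modelled here), and action wildcards are not expanded."""
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if action not in _as_list(stmt.get("Action", [])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


SCP = kms_enforcement_scp(APPROVED_KEY_ARN)

# Constructed request contexts: the condition-key values S3 derives from the
# encryption headers of each PutObject call.
REQUESTS = {
    "no-encryption-header": {},
    "sse-s3": {SSE_KEY: "AES256"},
    "kms-default-key": {SSE_KEY: "aws:kms"},          # would use the AWS-managed aws/s3 key
    "kms-wrong-key": {SSE_KEY: "aws:kms",
                      KMS_ID_KEY: "arn:aws:kms:us-east-1:111122223333:key/99999999-0000-0000-0000-000000000000"},
    "kms-approved-key": {SSE_KEY: "aws:kms", KMS_ID_KEY: APPROVED_KEY_ARN},
}


def evaluate_uploads() -> dict:
    """Map each constructed upload to the Sid that denies it (None = passes)."""
    return {name: scp_denies(SCP, "s3:PutObject", ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for name, verdict in evaluate_uploads().items():
        print(f"{name:22} -> {verdict or 'not denied by SCP'}")
```

Two caveats before attaching a policy like this to an organisational unit: SCPs do not apply to the management account, so uploads from there need a bucket policy with the same conditions; and clients must send the encryption headers explicitly, because the Null statements deny a PutObject that omits them. Whether an upload that relies only on bucket default encryption populates these condition keys is a detail to verify against the current S3 documentation before rollout, not something this toy evaluator can answer.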

Question147:

A healthcare provider is migrating sensitive patient data to Amazon RDS. Security requirements include encryption at rest with customer-managed KMS keys, encryption in transit, identity-based access control, automated credential rotation, and centralised auditing of database operations and configuration changes. Which solution best meets these requirements?

A) Enable RDS encryption using AWS-managed keys, grant developers broad access, and use SSL/TLS.
B) Use customer-managed KMS keys for encryption, enforce SSL/TLS, implement IAM database authentication, enable automatic credential rotation via AWS Secrets Manager, and configure CloudTrail logging.
C) Store credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.

Answer:
B

Explanation:

Option A provides encryption at rest with AWS-managed keys and SSL/TLS for in-transit encryption. However, granting broad developer access violates the principle of least privilege, increasing the risk of unauthorized access or inadvertent data exposure. AWS-managed keys do not provide granular control, rotation scheduling, or centralised auditing, failing to meet healthcare regulatory requirements for sensitive patient data. Without automated credential rotation and centralised auditing, operational oversight and compliance are insufficient, leaving the system vulnerable to both insider threats and misconfigurations.

Option B provides a comprehensive, secure, and compliant solution. Customer-managed KMS keys ensure encryption at rest with organisational control, auditing capabilities, and key rotation options. SSL/TLS protects data in transit between clients and the RDS database, maintaining confidentiality and integrity. IAM database authentication enables identity-based access control, enforcing least-privilege access and reducing the risk of compromised credentials. AWS Secrets Manager automates credential rotation, ensuring minimal exposure of sensitive credentials and reducing operational overhead. CloudTrail captures all database operations and configuration changes, supporting centralised auditing, monitoring, and forensic analysis. Together, preventive controls (encryption, IAM authentication), detective controls (CloudTrail), and corrective mechanisms (credential rotation) form an integrated security framework that satisfies both enterprise and regulatory requirements.

Option C, storing credentials in environment variables with default encryption, is insecure, lacks automated rotation, centralised auditing, and preventive access controls, making it insufficient for healthcare data. Option D, enabling point-in-time recovery with manual log review, is reactive, labour-intensive, and incapable of proactively preventing unauthorised access, misconfigurations, or ensuring continuous compliance.

Option B ensures comprehensive security, compliance, and operational efficiency for sensitive patient data in Amazon RDS, integrating encryption, access control, automated credential management, and centralised auditing into a robust and enterprise-ready solution.

Question148:

A financial institution needs to store highly sensitive transactional data in Amazon S3. Security requirements include prevention of accidental or malicious deletions, enforcement of immutability, mitigation of insider threats, and comprehensive audit logging. Which solution meets these requirements?

A) Enable S3 versioning and rely on developers to prevent deletions.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.

Answer:
B

Explanation:

Option A, enabling S3 versioning, allows recovery of deleted or modified objects but does not prevent deletions. Relying on developers to enforce deletion policies is error-prone and lacks real-time detection. Versioning alone does not enforce immutability or mitigate insider threats, making it insufficient for compliance and enterprise security standards in the financial sector.

Option B offers a comprehensive enterprise solution. S3 Object Lock in compliance mode enforces WORM immutability, ensuring that objects cannot be deleted or modified during the retention period. Bucket policies enforce least-privilege access, mitigating insider threat risk and controlling access strictly to authorised personnel. CloudTrail logging provides centralised auditing and monitoring of all S3 object operations, supporting regulatory compliance, forensic analysis, and operational oversight. Event-driven workflows, such as EventBridge rules, can provide real-time remediation for policy violations, further enhancing security posture. This solution integrates preventive, detective, and corrective controls to provide a robust, scalable, and auditable storage mechanism for highly sensitive transactional data, meeting operational, regulatory, and compliance requirements.

Option C relies on manual backups and tracking, which is reactive, operationally intensive, and error-prone. Option D, SSE-S3 encryption with manual access control, protects data confidentiality but does not enforce immutability, automate monitoring, or centralise audit logging, leaving critical gaps in compliance and insider threat mitigation.

Option B is the only solution that satisfies immutability, access control, auditing, and insider threat mitigation, providing a robust and compliant storage solution for sensitive financial data.
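The CloudTrail part of Option B is only useful if someone actually reviews the object-level events. The following added example (not code from the page or from AWS) runs a small audit over constructed CloudTrail-style S3 data-event records: it flags deletion and retention-change attempts against a bucket that is assumed to be protected by Object Lock in compliance mode, distinguishes attempts the lock refused from those that succeeded, and counts attempts per principal, which is the insider-threat signal. The bucket name, account id, principals and keys are made up for the example.

```python
"""Added example (not from the page): audit constructed CloudTrail S3 data
events for deletion or retention-change attempts against an Object Lock
bucket, the kind of review the CloudTrail logging in Option B enables."""
from collections import Counter

# Constructed sample records in CloudTrail's S3 data-event shape; the bucket,
# principals, account id and keys are made up for the example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ledger-writer/i-0abc"},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/txn-001.json"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ledger-reader/i-0def"},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/txn-001.json"}},
    # A plain DeleteObject on a versioned bucket only adds a delete marker; the
    # locked version survives, but the attempt is still worth reviewing.
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/txn-001.json"}},
    # Deleting a specific locked version is refused in compliance mode.
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "DeleteObjectVersion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/txn-001.json",
                           "versionId": "v1"},
     "errorCode": "AccessDenied"},
    # Shortening retention on a compliance-mode object is refused too.
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "PutObjectRetention",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/txn-001.json"},
     "errorCode": "AccessDenied"},
    # Activity on an unlocked scratch bucket is out of scope for this review.
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "scratch", "key": "tmp.txt"}},
]

DELETE_ACTIONS = {"DeleteObject", "DeleteObjects", "DeleteObjectVersion"}
RETENTION_ACTIONS = {"PutObjectRetention", "PutObjectLegalHold",
                     "PutBucketObjectLockConfiguration"}


def classify(event, locked_buckets):
    """Return (category, severity) for an event that touches a locked bucket,
    or None if the event is not relevant to the immutability review."""
    params = event.get("requestParameters") or {}
    if params.get("bucketName") not in locked_buckets:
        return None
    name = event["eventName"]
    denied = "errorCode" in event
    if name in DELETE_ACTIONS:
        if denied:
            return ("delete_blocked_by_lock", "high")
        if params.get("versionId"):
            # A successful versioned delete means that version was not locked:
            # the bucket's retention configuration needs checking.
            return ("version_deleted", "critical")
        return ("delete_marker_added", "medium")
    if name in RETENTION_ACTIONS:
        return ("retention_change_blocked" if denied else "retention_changed", "high")
    return None


def audit(events, locked_buckets):
    """Produce one finding per relevant event, keeping who did what and when."""
    findings = []
    for ev in events:
        result = classify(ev, locked_buckets)
        if result is None:
            continue
        category, severity = result
        findings.append({
            "time": ev["eventTime"],
            "principal": ev["userIdentity"]["arn"],
            "action": ev["eventName"],
            "key": (ev.get("requestParameters") or {}).get("key"),
            "category": category,
            "severity": severity,
        })
    return findings


def attempts_by_principal(findings):
    """Count findings per principal; repeated blocked attempts from one
    identity are the insider-threat signal worth escalating."""
    return Counter(f["principal"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_EVENTS, {"txn-ledger"})
    for f in results:
        print(f"{f['time']} {f['severity']:8} {f['category']:25} {f['action']:20} {f['principal']}")
    print(dict(attempts_by_principal(results)))
```

Two practical points the page does not spell out: CloudTrail records object-level operations such as DeleteObjectVersion only when S3 data events are enabled for the trail, and a plain DeleteObject on a versioned, locked bucket succeeds by placing a delete marker, so a successful delete in the log is not by itself evidence that data was lost.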

Question149:

A healthcare organisation processes sensitive patient data using AWS Lambda functions. Security policies require that Lambda invocations occur only through approved API Gateway endpoints and that all invocations are auditable. Which solution meets these requirements?

A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions, allowing invocation only from approved API Gateway principals and enabling CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.

Answer:
B

Explanation:

Option A permits unrestricted Lambda invocation, relying solely on logging to detect unauthorised access. This approach does not enforce preventive controls and could allow unauthorised access to sensitive patient data, violating healthcare compliance requirements. Option C, storing invocation secrets in environment variables, is insecure and provides no enforcement or auditing mechanism. Option D, relying on API keys and developers not sharing them, is operationally unreliable, lacks centralised auditing, and cannot guarantee regulatory compliance at scale.

Option B provides a comprehensive solution that integrates preventive and detective controls. Resource-based policies restrict Lambda invocations to approved API Gateway principals, enforcing least-privilege access and preventing unauthorised function execution. CloudTrail captures all invocation events, enabling centralised auditing, monitoring, and forensic analysis. This integration ensures that sensitive patient data is only processed through approved channels, access is controlled proactively, and all activity is auditable, meeting both operational and regulatory requirements. Preventive controls (resource policies), detective mechanisms (CloudTrail logging), and centralised monitoring work together to create a secure and compliant execution environment for Lambda functions.
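To make the resource-based policy in Option B concrete, here is an added example (not code from the page or from AWS) that builds the Lambda function policy equivalent to one `lambda add-permission` call per approved API Gateway stage, maps each statement to the keyword arguments boto3's `add_permission` takes, and evaluates locally which invocation requests the policy would allow. The evaluator is a simplified model of IAM (default deny, explicit Deny wins, `ArnLike` wildcards on `aws:SourceArn`), not the real engine. The function ARN, account id, region and API id are made-up placeholders.

```python
"""Added example (not from the page): build the Lambda resource-based policy
that restricts invocation to approved API Gateway stages, and evaluate locally
which invocation requests it would allow. All ARNs are placeholders."""
import re

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:patient-intake"
# API Gateway execution ARN: arn:aws:execute-api:region:account:api-id/stage/method/path
APPROVED_SOURCES = [
    "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/POST/patients",
]


def build_policy(function_arn, approved_sources):
    """One Allow statement per approved source, scoped to the API Gateway
    service principal and to that source's execution ARN."""
    statements = []
    for i, source in enumerate(approved_sources):
        statements.append({
            "Sid": f"AllowApiGatewayInvoke{i}",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {"ArnLike": {"AWS:SourceArn": source}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def add_permission_kwargs(statement, function_arn):
    """Keyword arguments for boto3 `lambda.add_permission` that create the
    same statement on the real function (assumed mapping; not called here)."""
    return {
        "FunctionName": function_arn,
        "StatementId": statement["Sid"],
        "Action": statement["Action"],
        "Principal": statement["Principal"]["Service"],
        "SourceArn": statement["Condition"]["ArnLike"]["AWS:SourceArn"],
    }


def _arn_like(pattern, value):
    """IAM ArnLike: '*' matches any run of characters, '?' exactly one;
    ARN matching is case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _principal_matches(stmt_principal, request_principal):
    """request_principal is e.g. {"Service": "apigateway.amazonaws.com"} or
    {"AWS": "arn:aws:iam::123456789012:user/dev"}."""
    if stmt_principal == "*":
        return True
    for kind, allowed in stmt_principal.items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if request_principal.get(kind) in allowed:
            return True
    return False


def _conditions_hold(conditions, context):
    """Condition key names are case-insensitive; a missing key fails ArnLike."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in conditions.items():
        for key, pattern in pairs.items():
            value = ctx.get(key.lower())
            if value is None:
                return False
            if operator == "ArnLike" and not _arn_like(pattern, value):
                return False
            if operator in ("ArnEquals", "StringEquals") and pattern != value:
                return False
    return True


def is_invoke_allowed(policy, principal, function_arn, context):
    """Simplified IAM evaluation: default deny, explicit Deny overrides Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "lambda:InvokeFunction" not in actions and "lambda:*" not in actions:
            continue
        if stmt["Resource"] != function_arn:
            continue
        if not _principal_matches(stmt["Principal"], principal):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_policy(FUNCTION_ARN, APPROVED_SOURCES)
    gateway = {"Service": "apigateway.amazonaws.com"}
    print(is_invoke_allowed(policy, gateway, FUNCTION_ARN,
                            {"aws:SourceArn": APPROVED_SOURCES[0]}))  # approved stage
    print(is_invoke_allowed(policy, gateway, FUNCTION_ARN, {}))       # no source ARN
```

The `aws:SourceArn` condition is what turns "API Gateway may invoke this function" into "this one API and stage may invoke it"; without it, any API Gateway deployment in any account could be pointed at the function. The test cases below the block show the approved stage allowed, a different stage or API id refused, a request without a source ARN refused, and an IAM user principal refused even when it supplies the right source ARN.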

Question150:

A company operates multiple EC2 instances that require access to sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable access logs. Which solution satisfies these requirements?

A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.

Answer:
B

Explanation:

Option A exposes API keys in environment variables and lacks automated rotation, centralised auditing, and preventive access controls, increasing operational risk. Option C, hard-coding credentials in applications, is insecure; it complicates rotation, auditing, and access control and increases the likelihood of credential compromise. Option D relies on long-lived IAM user credentials, which elevate the risk of unauthorised access, complicate rotation, and increase administrative overhead.

Option B provides a secure, automated, and auditable solution. SecureString parameters in Parameter Store encrypt credentials and enforce strict access control. IAM roles assigned to EC2 instances enforce least-privilege access, ensuring only authorised instances can retrieve credentials. Automated rotation of secrets reduces exposure risk and operational overhead, ensuring that compromised credentials cannot remain valid indefinitely. CloudTrail logs all access events, providing centralised auditing, monitoring, and forensic capability. Preventive, detective, and corrective controls are fully integrated, ensuring secure, compliant, and operationally efficient access to sensitive APIs. This approach aligns with enterprise-scale security, regulatory compliance, and operational best practices.

Security Risks of Environment Variables

Option A, storing API keys in environment variables and manually rotating them, introduces multiple security challenges. Environment variables are accessible to all processes running on the same EC2 instance, which increases the attack surface. Any compromise of a process or a user account with sufficient privileges can lead to exposure of the credentials. Furthermore, environment variables can unintentionally be exposed in logs, debugging outputs, or system dumps, creating an additional vector for unauthorised access. Manual rotation compounds these risks because human error is likely. Administrators may forget to rotate credentials, fail to update all instances consistently, or misconfigure permissions during rotation. This operational complexity increases the chance of security gaps and prolongs the exposure window for sensitive API keys.

Large-scale environments exacerbate these challenges. Coordinating manual rotations across hundreds or thousands of instances is time-consuming and error-prone. Even if a rotation is performed, without centralised tracking, organisations cannot provide verifiable evidence that credentials were rotated consistently, creating compliance issues. The lack of automation makes it difficult to enforce security policies reliably, and organisations may fail to meet regulatory requirements, including PCI DSS, HIPAA, or ISO 27001.

Challenges of Hard-Coded Credentials

Option C, embedding credentials directly in applications, introduces even greater risks. Hard-coded credentials are static, long-lived, and difficult to rotate, which increases the window of exposure in the event of a compromise. If the application code is shared among developers, stored in source control, or included in deployment packages, credentials can be inadvertently exposed to unauthorised individuals. Hard-coded secrets bypass centralised management, preventing the enforcement of least-privilege policies and making it difficult to revoke access if a breach occurs.

From an operational standpoint, rotating hard-coded credentials requires modifying the application code, testing, and redeploying it across all instances. This process is slow, error-prone, and can result in downtime. Moreover, hard-coded credentials are challenging to audit. There is no central log of access or retrieval, so security teams cannot monitor usage patterns, detect anomalies, or demonstrate compliance with enterprise policies or regulatory standards. For large organisations with multiple applications and environments, managing hard-coded credentials becomes highly inefficient and risky.

Operational and Security Limitations of Long-Lived IAM User Credentials

Option D, using long-lived IAM user credentials for EC2 instances, is also problematic. IAM users are designed primarily for human access, not for automated workloads. Long-lived credentials remain valid until manually rotated or revoked, increasing the window of vulnerability if they are compromised. The administrative overhead of managing multiple IAM users across many instances is significant. Each credential must be tracked, rotated, and audited manually, creating a high likelihood of misconfiguration or human error.

Auditing is complicated with long-lived IAM user credentials because all activity is attributed to the user rather than the specific instance or application. This lack of granularity makes it difficult to identify the source of unauthorised activity or anomalies. Additionally, long-lived credentials violate the principle of least privilege, as they provide ongoing access regardless of whether the EC2 instance or workload still requires it. This approach increases operational complexity and decreases overall security posture, making it unsuitable for enterprise environments where accountability, traceability, and compliance are critical.

Benefits of Parameter Store SecureString Parameters

Option B, which leverages AWS Systems Manager Parameter Store with SecureString parameters, provides a robust, secure, and automated solution for managing sensitive credentials. SecureString parameters encrypt credentials using AWS Key Management Service (KMS), ensuring protection both at rest and in transit. Encryption ensures that even if an unauthorised actor gains access to the underlying storage or backups, the credentials remain unreadable without the appropriate KMS permissions.

Centralised management of secrets simplifies operational workflows. Administrators can create, update, or revoke credentials from a single location without redeploying applications. This reduces the risk of inconsistencies and ensures that all instances access the correct and most up-to-date secrets. Fine-grained IAM policies allow administrators to define precisely which users or roles can access specific secrets, enforcing least-privilege access and reducing exposure risk. Centralised storage also improves visibility and accountability, making it easier to monitor, audit, and manage credential usage across large enterprise environments.

Role-Based Access with IAM Roles

Assigning IAM roles to EC2 instances is a key element of Option B’s security posture. IAM roles provide temporary, dynamic credentials that allow EC2 instances to access Parameter Store secrets. This approach ensures that credentials are not static and cannot be stored in code or environment variables, reducing the likelihood of exposure. IAM roles can be centrally managed and modified without redeploying applications, enabling administrators to enforce strong access policies dynamically.

By granting each EC2 instance only the permissions required to access the secrets it needs, organisations enforce the principle of least privilege. This minimises the risk associated with over-permissioned accounts or accidental misuse of credentials. Temporary credentials provided by IAM roles are automatically rotated, reducing the exposure window in the event of a compromise. This model supports dynamic environments where EC2 instances may be frequently provisioned or decommissioned, ensuring that security policies remain consistent across all instances.

Automated Rotation Reduces Risk and Operational Burden

Automated rotation of SecureString parameters is a significant advantage of Option B. Secrets are rotated at predefined intervals without manual intervention, reducing the likelihood that compromised credentials remain valid for extended periods. Applications retrieve updated credentials dynamically at runtime, ensuring continuity of service without manual updates or downtime. Automated rotation also streamlines operational workflows, eliminating human error associated with manual rotation and ensuring consistent application of security policies. This approach supports compliance by demonstrating that credentials are systematically managed and rotated according to enterprise or regulatory requirements.
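The claim that applications "retrieve updated credentials dynamically at runtime" depends on how the application caches what it reads. The following added example (not code from the page or from AWS) shows the pattern from the instance's side: a least-privilege policy for the instance role, a small TTL cache in front of `GetParameter`, and a caller that treats a 401 from the internal API as "my cached secret is stale", refreshes once and retries. A fake SSM client stands in for boto3 so the block runs offline, and rotation is modelled as a job writing a new parameter version; the parameter name, ARNs and secret values are placeholders.

```python
"""Added example (not from the page): an EC2 application reading an API
credential from a SecureString parameter through its instance role, with a
short TTL cache so a rotated value is picked up at runtime. A fake SSM
client replaces boto3 so this runs offline; names and ARNs are placeholders."""
import time

PARAM_NAME = "/internal-api/prod/client-secret"


def instance_role_policy(parameter_arn, kms_key_arn):
    """Least-privilege policy for the instance role: read one parameter and
    decrypt with the key that protects it, nothing broader."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": parameter_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
    ]}


class FakeSsmClient:
    """Stand-in for boto3's SSM client. Keeps every version of the parameter
    (Parameter Store versions values) and counts reads; each real read would
    appear in CloudTrail as a GetParameter event."""
    def __init__(self, name, value):
        self._versions = {name: [value]}
        self.reads = 0

    def rotate(self, name, new_value):
        """What the rotation job does: publish a new parameter version."""
        self._versions[name].append(new_value)

    def get_parameter(self, Name, WithDecryption=False):
        self.reads += 1
        versions = self._versions[Name]
        value = versions[-1] if WithDecryption else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": "SecureString",
                              "Value": value, "Version": len(versions)}}


class SecretCache:
    """Caches decrypted values for `ttl` seconds; `clock` is injectable so the
    expiry can be tested without sleeping."""
    def __init__(self, client, ttl=300.0, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl, clock
        self._entries = {}  # name -> (value, fetched_at)

    def get(self, name, force_refresh=False):
        entry = self._entries.get(name)
        if entry and not force_refresh and self._clock() - entry[1] < self._ttl:
            return entry[0]
        resp = self._client.get_parameter(Name=name, WithDecryption=True)
        value = resp["Parameter"]["Value"]
        self._entries[name] = (value, self._clock())
        return value


def call_internal_api(cache, name, send):
    """`send(secret)` returns an HTTP status. A 401 right after a rotation
    means the cached value is stale: refresh once and retry, so rotation
    never requires a redeploy or a restart."""
    status = send(cache.get(name))
    if status == 401:
        status = send(cache.get(name, force_refresh=True))
    return status


def demo():
    """Walk through a cached read, a rotation, and stale-cache recovery.
    Returns the three statuses and how many reads hit Parameter Store."""
    clock = {"now": 0.0}
    ssm = FakeSsmClient(PARAM_NAME, "secret-v1")
    cache = SecretCache(ssm, ttl=300.0, clock=lambda: clock["now"])
    api_accepts = {"value": "secret-v1"}           # what the internal API expects
    send = lambda secret: 200 if secret == api_accepts["value"] else 401
    first = call_internal_api(cache, PARAM_NAME, send)    # fetched, 200
    clock["now"] = 60.0
    second = call_internal_api(cache, PARAM_NAME, send)   # served from cache
    ssm.rotate(PARAM_NAME, "secret-v2")                   # rotation job runs
    api_accepts["value"] = "secret-v2"
    clock["now"] = 120.0
    third = call_internal_api(cache, PARAM_NAME, send)    # 401, refresh, 200
    return [first, second, third], ssm.reads


if __name__ == "__main__":
    print(demo())
```

On a real instance the only change is `client = boto3.client("ssm")`, which picks up the instance role's temporary credentials automatically, and the same `get_parameter(Name=..., WithDecryption=True)` call. The TTL bounds how long a rotated-out value can keep being used, and the 401 retry bounds how long a rotated-in value can go unnoticed; together they are what make rotation transparent to the application.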

Centralised Auditing and Monitoring with CloudTrail

CloudTrail integration provides centralised auditing and monitoring for all interactions with Parameter Store. Every retrieval, modification, or rotation event is logged with details including the requesting principal, timestamp, and resource accessed. This enables security teams to detect unauthorised access attempts, investigate anomalies, and respond quickly to potential security incidents. Centralised auditing also facilitates compliance reporting and forensic analysis, providing verifiable evidence of credential access and management practices. Organisations can ensure accountability, monitor usage patterns, and maintain a historical record of credential activity for internal and external audits.

Integration of Preventive, Detective, and Corrective Controls

Option B effectively integrates preventive, detective, and corrective security controls. Preventive controls include encryption with KMS and role-based access policies, which prevent unauthorised access to credentials. Detective controls are implemented via CloudTrail logging, enabling continuous monitoring and anomaly detection. Corrective controls are facilitated by automated rotation, allowing compromised credentials to be replaced quickly. This layered security approach ensures that credentials are protected throughout their lifecycle and that organisations can respond efficiently to potential security events.

Operational Scalability and Efficiency

Centralised credential management with Parameter Store enhances operational efficiency and scalability. Administrators can manage all secrets from a single location, minimising duplication and reducing administrative overhead. Updates or rotations can be applied centrally without redeploying applications, ensuring consistency across environments. EC2 instances retrieve credentials dynamically, guaranteeing secure and reliable access. This model scales efficiently across large enterprises with hundreds or thousands of instances, maintaining operational efficiency while providing robust security controls and auditability.

By leveraging Parameter Store SecureString parameters, IAM role-based access, automated rotation, and CloudTrail auditing, Option B enforces preventive, detective, and corrective controls effectively. This approach improves security posture, ensures regulatory compliance, reduces operational complexity, and aligns with AWS best practices. It enables scalable, secure, and auditable access to sensitive APIs across multiple EC2 instances, reducing the risk of credential compromise while supporting enterprise-scale operations.