Amazon AWS Certified Security — Speciality SCS-C02 Exam Dumps and Practice Test Questions Set 9 Q121-135
Question 121:
A global enterprise is migrating sensitive intellectual property to Amazon S3. Security requirements include encryption at rest using customer-managed KMS keys, prevention of accidental or malicious deletion, least-privilege access enforcement, real-time detection of policy violations, automated remediation, and centralised audit logging across multiple accounts and regions. Which solution best meets these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce KMS key usage.
B) Implement S3 Object Lock in compliance mode to enforce immutability, enforce Service Control Policies (SCPs) to mandate customer-managed KMS key usage, configure EventBridge rules for automated remediation, apply bucket policies for least-privilege access, and consolidate CloudTrail logs into a centralised audit account.
C) Encrypt objects manually after upload and rely on developers to monitor compliance.
D) Enable versioning and rely on administrators to manually review object modifications.
Answer:
B
Explanation:
Option A, enabling default SSE-S3 encryption, provides automatic server-side encryption for objects at rest. However, it does not allow enforcement of customer-managed KMS keys across multiple accounts and regions. This leaves gaps where sensitive data may be encrypted using AWS-managed keys, failing enterprise policies or regulatory compliance mandates. Relying on developers to enforce KMS usage introduces operational risk and increases the probability of human error. SSE-S3 also cannot prevent accidental or malicious deletion and lacks integrated real-time monitoring or automated remediation mechanisms. Centralized audit logging across multiple accounts is absent, reducing visibility into compliance and operational security. While this option is simple to implement and ensures basic encryption, it does not fulfill the stringent enterprise-grade requirements for highly sensitive intellectual property.
Option B offers a robust, enterprise-ready solution that integrates preventive, detective, and corrective controls. S3 Object Lock in compliance mode enforces WORM (Write Once, Read Many) immutability, preventing objects from being deleted or modified for a defined retention period. This satisfies the requirement to prevent accidental or malicious deletions. SCPs enforce the mandatory use of customer-managed KMS keys across multiple accounts, ensuring consistent encryption compliance. EventBridge rules monitor for policy violations, such as objects being uploaded without the correct KMS key, and trigger automated remediation workflows. For example, objects that are non-compliant can be re-encrypted or moved to a secure quarantine bucket automatically, reducing manual intervention and operational burden. Bucket policies enforce least-privilege access by allowing only authorized roles and users to perform permitted actions, mitigating insider threats. CloudTrail logs capture all object-level operations, including attempted deletions or modifications, across accounts and regions. These logs can be centralised in a dedicated audit account for forensic analysis, regulatory compliance reporting, and historical review. The integration of preventive (Object Lock, bucket policies, SCPs), detective (CloudTrail, EventBridge monitoring), and corrective (automated remediation) controls ensures a comprehensive security posture. This approach addresses encryption compliance, immutability, access enforcement, real-time detection of policy violations, and centralised auditing simultaneously, providing enterprise-grade assurance for sensitive intellectual property storage across multi-account, multi-region environments.
Option C, manual encryption and monitoring, is reactive, labor-intensive, and prone to error. Objects may remain unencrypted for extended periods, leaving critical intellectual property exposed. Manual compliance monitoring does not scale effectively in multi-account, multi-region environments, making it difficult to maintain continuous security and compliance. Option D, relying on versioning and manual reviews, is also reactive. While versioning enables recovery of deleted or modified objects, it does not prevent deletions, enforce KMS key usage, or provide automated detection and remediation of policy violations. Manual auditing is time-consuming, inconsistent, and does not provide real-time visibility or compliance assurance.
Option B is clearly the optimal approach because it integrates preventive, detective, and corrective measures to fully satisfy enterprise-grade security requirements. It ensures encryption compliance, immutability, access control, automated remediation, real-time monitoring, and centralised auditing. This solution addresses operational efficiency, regulatory compliance, and security best practices for multi-account, multi-region S3 deployments storing highly sensitive intellectual property.
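The SCP and bucket-policy enforcement of customer-managed KMS keys described above comes down to Deny statements on `s3:PutObject` conditioned on the SSE request headers. The following Python is an added example, not code from the page: it builds such a bucket policy and models how the two IAM condition operators it uses (`StringNotEquals` and `Null`) evaluate against constructed upload request contexts. The bucket name and key ARN are placeholders. The same three Deny statements, minus `Principal` and with `Resource` set to `*`, form the organisation-wide SCP variant.

```python
import json
from typing import Optional

# Placeholder identifiers (assumptions, not values from the page).
BUCKET = "example-ip-archive"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"


def build_kms_enforcement_policy(bucket: str, key_arn: str) -> dict:
    """Bucket policy denying s3:PutObject unless the upload is SSE-KMS encrypted
    with one approved customer-managed key. Each condition gets its own Deny
    statement: keys inside a single condition block are ANDed, so a combined
    statement would only fire when *every* key mismatched."""
    objects = f"arn:aws:s3:::{bucket}/*"
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": objects}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {**deny, "Sid": "DenyNonKmsEncryption",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {**deny, "Sid": "DenyUnapprovedKey",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
            # StringNotEquals already matches a missing header; the Null form
            # states the "no unencrypted uploads" intent explicitly.
            {**deny, "Sid": "DenyUnencryptedUploads",
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }


# Minimal model of the two IAM condition operators used above.
def _string_not_equals(ctx: dict, key: str, expected: str) -> bool:
    # Negated operators match when the key is absent from the request context.
    return key not in ctx or ctx[key] != expected


def _null(ctx: dict, key: str, expected: str) -> bool:
    return (key not in ctx) if expected == "true" else (key in ctx)


_OPERATORS = {"StringNotEquals": _string_not_equals, "Null": _null}


def _statement_matches(stmt: dict, ctx: dict) -> bool:
    for op, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _OPERATORS[op](ctx, key, expected):
                return False
    return True


def put_object_denied(policy: dict, request_ctx: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching a PutObject request
    context (the SSE headers the client sent), or None if no Deny applies.
    Only the Deny side is modelled: a request that is not denied still needs
    an Allow from an identity policy or the bucket policy to succeed."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and _statement_matches(stmt, request_ctx)):
            return stmt["Sid"]
    return None


POLICY = build_kms_enforcement_policy(BUCKET, KEY_ARN)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # Constructed request contexts, from a plain upload to a compliant one.
    for ctx in [
        {},
        {"s3:x-amz-server-side-encryption": "AES256"},
        {"s3:x-amz-server-side-encryption": "aws:kms"},  # bucket default key, no key id sent
        {"s3:x-amz-server-side-encryption": "aws:kms",
         "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN},
    ]:
        print(ctx, "->", put_object_denied(POLICY, ctx) or "not denied")
```

One consequence worth checking before rolling this out: the `DenyUnapprovedKey` statement also denies an `aws:kms` upload that omits the key id and relies on the bucket's default key, so clients must send the approved key ARN explicitly, and an EventBridge remediation rule should treat those denied `PutObject` events as a misconfigured client rather than an attack.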
Question 122:
A healthcare organization is migrating sensitive patient data to Amazon RDS. Security requirements include encryption at rest using customer-managed KMS keys, encryption in transit, strict identity-based access control, automated credential rotation, and centralised auditing of all database operations and configuration changes. Which solution best meets these requirements?
A) Enable RDS encryption with AWS-managed keys, grant developers full access, and use SSL/TLS connections.
B) Use customer-managed KMS keys for encryption, enforce SSL/TLS, implement IAM database authentication, rotate credentials automatically with AWS Secrets Manager, and enable CloudTrail logging.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides basic encryption using AWS-managed keys and SSL/TLS for data in transit. However, granting developers full access violates least-privilege principles, increasing the risk of unauthorized access or accidental misuse of sensitive patient data. AWS-managed keys do not allow granular control or detailed auditing. Lack of automated credential rotation exposes the system to prolonged credential compromise if credentials are leaked. Centralized auditing is absent, limiting visibility and regulatory compliance. While this approach is easy to configure, it does not meet the requirements for managing sensitive patient data under regulatory frameworks such as HIPAA.
Option B is a comprehensive enterprise-ready solution that integrates preventive, detective, and corrective controls. Customer-managed KMS keys encrypt data at rest, allowing granular access control, key rotation, and detailed audit trails. SSL/TLS encrypts data in transit, ensuring protection against interception or man-in-the-middle attacks. IAM database authentication eliminates static credentials and enforces identity-based, least-privilege access. AWS Secrets Manager automates credential rotation, reducing the risk of exposure and minimizing operational overhead. CloudTrail logs all database operations and configuration changes, providing centralised auditing, monitoring, and forensic capabilities. By integrating preventive measures (encryption, IAM authentication), detective mechanisms (CloudTrail logging), and corrective capabilities (automated credential rotation), this solution ensures sensitive patient records are securely encrypted, accessible only to authorized personnel, automatically rotated, and fully auditable.
Option C, storing credentials in environment variables, exposes sensitive data, lacks automated rotation, and does not provide centralised auditing, creating significant operational and security risks. Option D, enabling point-in-time recovery and manual log review, is reactive, operationally intensive, and does not provide preventive controls or automated compliance monitoring.
Option B is the only solution that fully satisfies enterprise-scale security, operational efficiency, and regulatory compliance requirements. It ensures encryption compliance, least-privilege access, automated credential management, and centralised auditing for sensitive patient data in Amazon RDS.
Question 123:
A financial organization requires Amazon S3 storage for highly sensitive transactional data with strict requirements for immutability, prevention of accidental or malicious deletions, mitigation of insider threats, and comprehensive audit logging. Which solution satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A, enabling versioning, allows recovery of deleted or modified objects but does not prevent deletions by privileged users. Relying on developers for enforcement introduces operational risk and human error. Versioning alone does not guarantee immutability, insider threat mitigation, or centralised audit logging, which are critical for regulatory compliance in financial environments.
Option B provides a comprehensive enterprise-grade solution. S3 Object Lock in compliance mode enforces WORM immutability, preventing objects from being deleted or modified during a defined retention period. Bucket policies enforce least-privilege access, mitigating insider threats. CloudTrail logs capture all object-level operations, including attempted deletions or modifications, providing centralised, immutable audit trails for regulatory compliance and forensic investigations. Preventive controls (Object Lock, bucket policies), detective controls (CloudTrail), and corrective mechanisms (audit review and remediation) are integrated to provide a robust security posture.
Option C, maintaining separate backups and manually tracking deletions, is reactive, labor-intensive, and prone to errors. Option D, using SSE-S3 encryption with manual access management, ensures confidentiality but does not enforce immutability or provide centralised auditing, leaving critical compliance gaps.
Option B is the only solution that satisfies all preventive, detective, and corrective requirements for secure, immutable, auditable storage of sensitive financial transactions.
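The difference between Object Lock's two retention modes decides whether "prevention of deletion" holds against privileged insiders. The following Python is an added example, not code from the page: it models the decision S3 makes for a versioned delete or a retention change, covering compliance mode (nobody, root included, can delete or shorten before the retain-until date), governance mode (bypass only with the `s3:BypassGovernanceRetention` permission plus the bypass request header), and expiry. Dates, mode names and callers are constructed scenarios.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Retention:
    mode: str               # "COMPLIANCE" or "GOVERNANCE"
    retain_until: datetime  # timezone-aware UTC


@dataclass(frozen=True)
class Caller:
    is_root: bool = False
    has_bypass_permission: bool = False  # granted s3:BypassGovernanceRetention
    sent_bypass_header: bool = False     # x-amz-bypass-governance-retention: true


def delete_version_allowed(ret: Optional[Retention], caller: Caller, now: datetime) -> Tuple[bool, str]:
    """Decide whether a specific object *version* may be deleted. A DeleteObject
    without a version id on a versioned bucket only adds a delete marker and is
    not what retention protects, so audits should look at versioned deletes."""
    if ret is None:
        return True, "no retention applied"
    if now >= ret.retain_until:
        return True, "retention period has expired"
    if ret.mode == "COMPLIANCE":
        return False, "COMPLIANCE mode: no principal, including the root user, can delete before retain_until"
    if ret.mode == "GOVERNANCE":
        if caller.has_bypass_permission and caller.sent_bypass_header:
            return True, "GOVERNANCE mode bypassed with s3:BypassGovernanceRetention"
        return False, "GOVERNANCE mode: deletion requires the bypass permission and the bypass header"
    raise ValueError(f"unknown retention mode {ret.mode}")


def change_retention_allowed(ret: Optional[Retention], new: Retention,
                             caller: Caller, now: datetime) -> Tuple[bool, str]:
    """Retention can always be extended; shortening it, or moving a version from
    COMPLIANCE to GOVERNANCE, follows the same rules as deletion."""
    if ret is None:
        return True, "applying retention to an unprotected version"
    weakens_mode = ret.mode == "COMPLIANCE" and new.mode == "GOVERNANCE"
    if new.retain_until >= ret.retain_until and not weakens_mode:
        return True, "extending retention is always permitted"
    return delete_version_allowed(ret, caller, now)


# Constructed reference time and retention settings for the scenarios below.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
COMPLIANCE_5Y = Retention("COMPLIANCE", NOW + timedelta(days=5 * 365))
GOVERNANCE_90D = Retention("GOVERNANCE", NOW + timedelta(days=90))


def run_scenarios() -> Dict[str, bool]:
    """Outcome (allowed or not) of typical insider-threat scenarios."""
    root = Caller(is_root=True, has_bypass_permission=True, sent_bypass_header=True)
    ops = Caller(has_bypass_permission=True, sent_bypass_header=True)
    dev = Caller()
    return {
        "root_delete_compliance": delete_version_allowed(COMPLIANCE_5Y, root, NOW)[0],
        "dev_delete_governance": delete_version_allowed(GOVERNANCE_90D, dev, NOW)[0],
        "ops_bypass_governance": delete_version_allowed(GOVERNANCE_90D, ops, NOW)[0],
        "dev_delete_after_expiry": delete_version_allowed(GOVERNANCE_90D, dev, NOW + timedelta(days=91))[0],
        "root_shorten_compliance": change_retention_allowed(
            COMPLIANCE_5Y, Retention("COMPLIANCE", NOW + timedelta(days=1)), root, NOW)[0],
        "dev_extend_compliance": change_retention_allowed(
            COMPLIANCE_5Y, Retention("COMPLIANCE", NOW + timedelta(days=10 * 365)), dev, NOW)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:28s} {'ALLOWED' if allowed else 'DENIED'}")
```

The scenario table is why the answer key insists on compliance mode for financial records: governance mode still leaves a path for an authorised operator, so the bucket policy must keep `s3:BypassGovernanceRetention` out of reach, and CloudTrail should alert on any `DeleteObject` request that carries the bypass header.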
Question 124:
A healthcare organization processes sensitive patient data using AWS Lambda functions. Security policies require Lambda invocations only through approved API Gateway endpoints and centralised auditing. Which solution satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted Lambda invocation and relies solely on logging, offering no preventive control and exposing sensitive patient data to unauthorized access. Option C exposes sensitive secrets in environment variables without enforcement mechanisms. Option D relies on API key secrecy, which is prone to accidental sharing and misuse, making it unreliable for sensitive workloads.
Option B enforces preventive access control via resource-based policies that restrict Lambda invocation to approved API Gateway principals. Unauthorized attempts are automatically blocked. CloudTrail logs all invocation events, providing centralised auditing, monitoring, and forensic capability. Preventive, detective, and corrective controls are integrated, ensuring compliance with healthcare regulations and secure handling of sensitive patient data. This solution balances operational efficiency, compliance, and security best practices, making it the optimal choice for Lambda function security in regulated environments.
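The resource-based policy that restricts invocation to approved API Gateway principals is the statement `aws lambda add-permission` writes when given a service principal and a `SourceArn`. The following Python is an added example, not code from the page: it builds that statement for a placeholder function and API ARN, then models the check S3-style `ArnLike` matching performs on the invoking API's execution ARN. The ARNs are assumptions.

```python
from fnmatch import fnmatchcase
from typing import List

# Placeholder ARNs (assumptions, not values from the page).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:patient-intake"
# Any stage of one API, but only POST /intake.
APPROVED_API_ARN = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/POST/intake"


def build_invoke_permission(function_arn: str, api_execute_arn: str) -> dict:
    """Statement equivalent to `aws lambda add-permission --principal
    apigateway.amazonaws.com --source-arn <api_execute_arn>`: the API Gateway
    service may invoke, but only for calls originating from the approved
    API, stage, method and path."""
    return {
        "Sid": "AllowApprovedApiGateway",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": api_execute_arn}},
    }


def invoke_allowed(statements: List[dict], service_principal: str, source_arn: str) -> bool:
    """Model the resource-policy check for a service-originated invocation.
    ArnLike is wildcard matching (* and ?) against the whole ARN; a call not
    matched by any Allow statement is implicitly denied."""
    for stmt in statements:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "lambda:InvokeFunction":
            continue
        if stmt["Principal"].get("Service") != service_principal:
            continue
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if pattern is None or fnmatchcase(source_arn, pattern):
            return True
    return False


POLICY_STATEMENTS = [build_invoke_permission(FUNCTION_ARN, APPROVED_API_ARN)]

if __name__ == "__main__":
    # Constructed invocation sources: the approved route, another API, another
    # method on the approved API, and a different AWS service.
    checks = [
        ("apigateway.amazonaws.com", "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/POST/intake"),
        ("apigateway.amazonaws.com", "arn:aws:execute-api:us-east-1:111122223333:zzz999zzz9/prod/POST/intake"),
        ("apigateway.amazonaws.com", "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/GET/intake"),
        ("events.amazonaws.com", APPROVED_API_ARN),
    ]
    for principal, src in checks:
        print(principal, src, "->", invoke_allowed(POLICY_STATEMENTS, principal, src))
```

The statement grants the API Gateway service nothing beyond the one route, and a permission without `SourceArn` would let any API in any account that can name the function invoke it. A resource policy is additive, though: IAM principals in the same account who hold `lambda:InvokeFunction` in an identity policy can still invoke directly, so the least-privilege requirement also means keeping that action out of human and CI roles, which is what makes the CloudTrail `Invoke` data events from non-API-Gateway callers a useful alert.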
Question 125:
A company operates multiple EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable logs. Which solution satisfies these requirements?
A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials in environment variables, lacks automated rotation, and increases operational risk. Option C relies on hard-coded static credentials, which are difficult to rotate, audit, and manage securely. Option D uses long-lived IAM user credentials, increasing risk of compromise and operational complexity.
Option B provides a secure, automated, and auditable solution. SecureString parameters encrypt credentials and enforce access control. IAM roles assigned to EC2 instances enforce least-privilege access, allowing only authorized instances to retrieve secrets. Automated rotation reduces exposure risk and operational burden. CloudTrail logs all access events, providing centralised auditing, monitoring, and forensic capability. Preventive, detective, and corrective controls are integrated, ensuring secure, auditable, and operationally efficient access to sensitive APIs. This approach satisfies all enterprise security and compliance requirements for managing sensitive credentials across multiple EC2 instances.
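Centralised CloudTrail logging only earns its keep when someone queries it. The following Python is an added example, not code from the page: it runs two detections over constructed CloudTrail-style records, one for a `SecureString` parameter decrypted (`withDecryption`) by a principal outside the instance-role allowlist from this question, and one for the denied `DeleteObject` attempts against locked objects that Question 123's explanation says the audit trail should capture. The account id, role, user, bucket and parameter names are placeholders, and the records are constructed to show the fields the rules read, not real log data.

```python
from typing import Dict, List, Set

# Constructed CloudTrail-style records (not real logs); identifiers are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {   # expected: the instance role reads the API key it is entitled to
        "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
        "requestParameters": {"name": "/internal-api/key", "withDecryption": True},
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ApiClientInstanceRole/i-0123456789abcdef0",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111122223333:role/ApiClientInstanceRole"}}},
    },
    {   # suspicious: an IAM user decrypts the same secret interactively
        "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
        "requestParameters": {"name": "/internal-api/key", "withDecryption": True},
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {   # blocked: deletion attempt against an Object Lock protected version
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
        "errorCode": "AccessDenied",
        "errorMessage": "Access Denied because object protected by object lock.",
        "requestParameters": {"bucketName": "txn-archive", "key": "2024/ledger.csv", "versionId": "v1"},
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    },
    {   # routine read, no finding
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "requestParameters": {"bucketName": "txn-archive", "key": "2024/ledger.csv"},
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    },
]

# Roles that legitimately decrypt the secret (placeholder allowlist).
ALLOWED_SECRET_READERS: Set[str] = {"arn:aws:iam::111122223333:role/ApiClientInstanceRole"}
SECRET_READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}
DESTRUCTIVE_S3_EVENTS = {"DeleteObject", "DeleteObjects", "PutObjectRetention", "PutObjectLegalHold"}


def principal_arn(event: Dict) -> str:
    """Stable identity for a caller: the issuing role ARN for assumed-role
    sessions (session names vary per instance), otherwise the caller's own ARN."""
    ident = event["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn", ident.get("arn", "unknown"))


def find_findings(events: List[Dict], allowed_secret_readers: Set[str]) -> List[Dict]:
    """Apply both detection rules and return one finding per matching record."""
    findings: List[Dict] = []
    for ev in events:
        src, name = ev["eventSource"], ev["eventName"]
        params = ev.get("requestParameters") or {}
        who = principal_arn(ev)
        # Rule 1: SecureString decrypted by a principal not on the allowlist.
        if src == "ssm.amazonaws.com" and name in SECRET_READ_EVENTS and params.get("withDecryption"):
            if who not in allowed_secret_readers:
                findings.append({"rule": "secret-read-by-unexpected-principal", "principal": who,
                                 "parameter": params.get("name") or params.get("names") or params.get("path")})
        # Rule 2: a delete or retention change that S3 refused (Object Lock, bucket policy).
        if src == "s3.amazonaws.com" and name in DESTRUCTIVE_S3_EVENTS and ev.get("errorCode") == "AccessDenied":
            findings.append({"rule": "blocked-delete-or-retention-change", "principal": who,
                             "object": f"{params.get('bucketName')}/{params.get('key')}",
                             "reason": ev.get("errorMessage", "")})
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_EVENTS, ALLOWED_SECRET_READERS):
        print(f)
```

Both rules depend on logging choices made earlier: S3 object-level events only appear when data events are enabled for the bucket, and rule 1 keys on the issuing role rather than the session ARN so that a fleet of instances sharing one role produces no noise while a human with the same permissions still does.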
Question 126:
A multinational company is migrating highly sensitive intellectual property to Amazon S3. Security requirements include encryption at rest using customer-managed KMS keys, prevention of accidental or malicious deletion, least-privilege access enforcement, real-time detection of policy violations, automated remediation, and centralised audit logging across multiple accounts and regions. Which solution best meets these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce KMS key usage.
B) Implement S3 Object Lock in compliance mode to enforce immutability, enforce Service Control Policies (SCPs) to mandate customer-managed KMS key usage, configure EventBridge rules for automated remediation, apply bucket policies for least-privilege access, and consolidate CloudTrail logs into a centralised audit account.
C) Encrypt objects manually after upload and rely on developers to monitor compliance.
D) Enable versioning and rely on administrators to manually review object modifications.
Answer:
B
Explanation:
Option A, enabling default SSE-S3 encryption, provides automatic encryption at rest but does not guarantee that customer-managed KMS keys are used, leaving sensitive intellectual property potentially encrypted with AWS-managed keys. Relying on developers to enforce KMS usage introduces human error and operational risk. SSE-S3 also cannot prevent accidental or malicious deletion and lacks integrated mechanisms for real-time monitoring or automated remediation. Centralized auditing is not automatically implemented across accounts and regions, reducing visibility and increasing compliance risk. While this approach is simple and quick to implement, it does not satisfy stringent enterprise requirements for highly sensitive data, particularly regarding immutability, compliance monitoring, and multi-account security controls.
Option B offers a comprehensive enterprise-ready solution integrating preventive, detective, and corrective controls. S3 Object Lock in compliance mode enforces WORM immutability, preventing objects from being deleted or modified for a defined retention period. SCPs enforce mandatory use of customer-managed KMS keys across all accounts, ensuring consistent encryption compliance. EventBridge rules continuously monitor for policy violations, such as objects uploaded without correct encryption, and automatically trigger remediation workflows. Bucket policies enforce least-privilege access, allowing only authorized users or roles to perform permitted actions and mitigating insider threats. CloudTrail logs all S3 operations across accounts and regions, which can be centralised for audit and forensic purposes. Preventive controls (Object Lock, bucket policies, SCPs), detective mechanisms (CloudTrail, EventBridge monitoring), and corrective measures (automated remediation workflows) are fully integrated. This approach ensures encryption compliance, immutability, access control, real-time detection of policy violations, automated remediation, and centralised auditing, addressing enterprise-scale operational efficiency, regulatory compliance, and security best practices.
Option C relies on manual encryption and monitoring, which is reactive, error-prone, and operationally inefficient. Objects may remain unencrypted or non-compliant for significant periods, exposing critical intellectual property. Option D, using versioning and manual review, is also reactive; versioning enables recovery of deleted or modified objects but does not prevent deletions, enforce KMS key usage, or provide automated detection and remediation. Manual auditing is time-consuming and inconsistent, limiting scalability across accounts and regions.
Option B is the only approach that fully integrates preventive, detective, and corrective measures to satisfy enterprise-grade security requirements. It ensures encryption compliance, immutability, least-privilege access, automated remediation, real-time monitoring, and centralised auditing, providing a robust security posture for multi-account, multi-region S3 deployments storing highly sensitive intellectual property.
Question 127:
A healthcare organization is migrating sensitive patient data to Amazon RDS. Security requirements include encryption at rest with customer-managed KMS keys, encryption in transit, strict identity-based access control, automated credential rotation, and centralised auditing of all database operations and configuration changes. Which solution best meets these requirements?
A) Enable RDS encryption with AWS-managed keys, grant developers full access, and use SSL/TLS connections.
B) Use customer-managed KMS keys for encryption, enforce SSL/TLS, implement IAM database authentication, rotate credentials automatically with AWS Secrets Manager, and enable CloudTrail logging.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides basic encryption with AWS-managed keys and SSL/TLS for data in transit. Granting developers full access violates least-privilege principles, creating risk of unauthorized access or accidental misuse. AWS-managed keys do not offer granular control or detailed audit trails. Lack of automated credential rotation leaves credentials exposed for extended periods. Centralized auditing is absent, reducing visibility for regulatory compliance. Although simple to configure, this approach does not satisfy the security and compliance needs for sensitive patient data.
Option B provides a comprehensive enterprise-grade solution integrating preventive, detective, and corrective controls. Customer-managed KMS keys encrypt data at rest, allowing key rotation, granular access control, and auditability. SSL/TLS protects data in transit from interception. IAM database authentication eliminates static credentials and enforces identity-based, least-privilege access. AWS Secrets Manager automates credential rotation, reducing operational burden and mitigating credential exposure risk. CloudTrail logging captures all database operations and configuration changes, enabling centralised auditing, monitoring, and forensic analysis. Preventive controls (encryption, IAM authentication), detective mechanisms (CloudTrail), and corrective measures (credential rotation) are integrated, ensuring patient records are secure, auditable, and compliant.
Option C, storing credentials in environment variables, exposes sensitive information, lacks automated rotation, and provides no centralised audit capability. Option D, relying on point-in-time recovery and manual log review, is reactive, labour-intensive, and does not provide preventive controls or real-time compliance enforcement.
Option B fully satisfies enterprise-scale security, operational efficiency, and regulatory compliance requirements for managing sensitive patient data in Amazon RDS.
Question 128:
A financial organisation requires Amazon S3 storage for highly sensitive transactional data. Security requirements include immutability, prevention of accidental or malicious deletions, mitigation of insider threats, and comprehensive audit logging. Which solution satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A, using versioning, allows recovery of deleted or modified objects but does not prevent deletions by privileged users. Relying on developers introduces operational risk and human error. Versioning alone does not guarantee immutability, insider threat mitigation, or centralised auditing, all of which are critical for compliance in financial environments.
Option B provides a robust enterprise solution. S3 Object Lock in compliance mode enforces WORM immutability, preventing deletion or modification during the defined retention period. Bucket policies enforce least-privilege access, reducing insider threat risk. CloudTrail logs all object-level operations, including attempted deletions, providing centralised, immutable audit trails for regulatory compliance and forensic investigations. Preventive controls (Object Lock, bucket policies), detective mechanisms (CloudTrail), and corrective measures (audit review, remediation) are integrated, offering a complete solution.
Option C, maintaining separate backups and manual tracking, is reactive, labor-intensive, and prone to errors. Option D, SSE-S3 encryption with manual access control, ensures confidentiality but does not enforce immutability or centralised auditing, leaving gaps in compliance and insider threat mitigation.
Option B is the only solution that satisfies all preventive, detective, and corrective requirements for secure, immutable, auditable storage of highly sensitive financial transactions.
Question 129:
A healthcare organization processes sensitive patient data using AWS Lambda functions. Security policies require Lambda invocations only through approved API Gateway endpoints and centralised auditing. Which solution satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted Lambda invocation and relies solely on logging, providing no preventive controls. Sensitive patient data could be accessed by unauthorized users, violating compliance mandates. Option C exposes sensitive secrets without enforcement or audit mechanisms. Option D relies on API key secrecy, which is error-prone and operationally unreliable.
Option B enforces preventive access control via resource-based policies, restricting Lambda invocations to approved API Gateway principals. Unauthorized attempts are blocked automatically. CloudTrail captures all invocation events, providing centralised auditing, monitoring, and forensic capability. This approach integrates preventive, detective, and corrective controls, ensuring compliance with healthcare regulations and secure handling of sensitive patient data. Operational efficiency, auditability, and regulatory compliance are achieved while minimizing risk exposure, making this the optimal solution for Lambda security in regulated environments.
Question 130:
A company operates multiple EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable logs. Which solution satisfies these requirements?
A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials in environment variables, lacks automated rotation, and increases operational risk. Option C relies on hard-coded credentials, making secure rotation, auditing, and management difficult. Option D uses long-lived IAM user credentials, creating high compromise risk and operational complexity.
Option B provides a secure, automated, and auditable solution. SecureString parameters encrypt credentials, enforcing strict access control. IAM roles assigned to EC2 instances implement least-privilege access, ensuring only authorized instances can retrieve secrets. Automated rotation reduces exposure risk and operational overhead. CloudTrail captures all access events, enabling centralised auditing, monitoring, and forensic capability. Preventive, detective, and corrective controls are integrated, ensuring secure, auditable, and operationally efficient access to sensitive APIs. This solution fully satisfies enterprise-scale security, operational efficiency, and compliance requirements for managing sensitive credentials across multiple EC2 instances.
Question 131:
A global financial institution plans to use Amazon S3 to store highly sensitive transaction logs. The organization requires that all logs be immutable, encrypted with customer-managed KMS keys, protected from accidental or malicious deletion, accessible only through least-privilege principles, and continuously monitored with centralised auditing. Which solution best meets these requirements?
A) Enable S3 default encryption with SSE-S3 and rely on administrators to enforce KMS key usage manually.
B) Implement S3 Object Lock in compliance mode for immutability, enforce bucket policies and IAM roles for least-privilege access, require customer-managed KMS keys via Service Control Policies (SCPs), and configure CloudTrail for centralised audit logging.
C) Use versioning and manual review of logs for unauthorized deletions or modifications.
D) Encrypt logs after upload and rely on developers to maintain access controls and audit trails.
Answer:
B
Explanation:
Option A enables default encryption with SSE-S3, which provides basic protection for data at rest. However, it does not guarantee enforcement of customer-managed KMS keys, leaving logs potentially encrypted with AWS-managed keys that may not satisfy regulatory or enterprise requirements. Relying on administrators to enforce KMS key usage manually is prone to human error, increases operational burden, and lacks automated real-time compliance enforcement. Additionally, SSE-S3 encryption does not prevent accidental or malicious deletion and does not inherently provide immutability. Centralized auditing is absent, which limits the organization’s ability to track access and modifications across multiple accounts and regions, leaving gaps in compliance and forensic readiness.
Option B represents a comprehensive enterprise-grade solution integrating preventive, detective, and corrective controls. S3 Object Lock in compliance mode enforces immutability, preventing objects from being modified or deleted during a specified retention period, which protects against both accidental and malicious deletion. Bucket policies and IAM roles enforce least-privilege access by granting only authorized users or services the minimal permissions required, reducing insider threat risk. Service Control Policies (SCPs) enforce the use of customer-managed KMS keys across multiple accounts and regions, ensuring consistent encryption compliance for sensitive transaction logs. CloudTrail records all object-level activities, providing centralised auditing, monitoring, and forensic capability. The integration of preventive controls (Object Lock, bucket policies, SCPs), detective mechanisms (CloudTrail monitoring), and corrective measures (audit and remediation workflows) ensures secure, auditable, and compliant handling of transaction logs. This approach is scalable, reduces operational risk, and satisfies regulatory mandates for highly sensitive financial data.
Option C, using versioning and manual reviews, provides a reactive approach. While versioning enables recovery of deleted or modified objects, it does not prevent deletions, enforce encryption policies, or integrate automated compliance monitoring. Manual review is labor-intensive, error-prone, and insufficient for real-time detection or prevention of unauthorized activity, especially in multi-account, multi-region environments. Option D, encrypting logs post-upload and relying on developers to enforce access controls and maintain audit trails, is similarly reactive and operationally inefficient. It leaves logs vulnerable until encryption is applied and requires significant manual intervention to ensure compliance, creating risk of gaps or oversight.
Option B is the only solution that simultaneously addresses encryption compliance, immutability, access control, real-time monitoring, and centralised auditing. It satisfies enterprise security, operational efficiency, and regulatory compliance requirements for multi-account, multi-region S3 storage of sensitive transaction logs, providing a robust and scalable solution for the organization.
Question 132:
A healthcare organization is migrating sensitive patient records to Amazon RDS. Requirements include encryption at rest with customer-managed KMS keys, encryption in transit, strict identity-based access control, automated credential rotation, and centralised auditing of database operations and configuration changes. Which solution satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, grant developers full access, and use SSL/TLS.
B) Use customer-managed KMS keys for encryption, enforce SSL/TLS, implement IAM database authentication, automate credential rotation with AWS Secrets Manager, and enable CloudTrail logging.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.
Answer:
B
Explanation:
Option A provides basic encryption at rest with AWS-managed keys and SSL/TLS for data in transit. Granting developers full access violates least-privilege principles, creating a high risk of unauthorised access or accidental misuse of sensitive patient data. AWS-managed keys are rotated automatically on AWS's schedule and their use is recorded in CloudTrail, but the organisation cannot write the key policy, create grants, or use the key across accounts, so it cannot control who is able to decrypt the data. Centralised auditing is not implemented, and without automated credential rotation a compromised password remains valid until someone notices. While simple to deploy, this approach does not meet strict healthcare regulatory or enterprise security requirements.
Option B delivers a comprehensive solution integrating preventive, detective, and corrective controls. Customer-managed KMS keys give the organisation control over the key policy, grants, rotation schedule, and cross-account use, and every Decrypt call against the key is recorded in CloudTrail. SSL/TLS secures data in transit; to make it mandatory rather than optional, set the engine parameter that rejects plaintext connections (rds.force_ssl=1 for RDS for PostgreSQL, require_secure_transport=ON for RDS for MySQL). IAM database authentication lets applications connect with a short-lived token generated from their IAM role instead of a stored password, supporting least-privilege principles. AWS Secrets Manager automates rotation of the credentials that still exist (the master user and any native database accounts) and keeps them out of application configuration. CloudTrail records control-plane operations such as ModifyDBInstance, parameter group changes, and snapshot sharing; SQL-level activity is not in CloudTrail and must be captured separately, through engine audit logs exported to CloudWatch Logs or RDS Database Activity Streams where the engine supports them. Preventive controls (encryption, IAM authentication), detective mechanisms (CloudTrail plus database audit logs), and corrective measures (automated rotation) collectively satisfy security, operational, and compliance requirements for sensitive patient records.
Option C exposes credentials in environment variables, lacks automated rotation, and provides no centralised auditing. Option D relies on point-in-time recovery and manual log review, which is reactive, labour-intensive, and insufficient for preventive security, automated compliance, or real-time monitoring.
Option B fully addresses enterprise-scale security, operational efficiency, and regulatory compliance requirements for sensitive patient data in Amazon RDS, making it the optimal solution.
Question133:
A financial organisation requires Amazon S3 storage for highly sensitive transactional data. Security mandates include immutability, prevention of accidental or malicious deletions, mitigation of insider threats, and comprehensive audit logging. Which solution satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletions.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A, using versioning, allows recovery of deleted or modified objects but does not prevent deletions: a delete request without a version ID only adds a delete marker, and any principal holding s3:DeleteObjectVersion can permanently remove a version. MFA Delete raises the bar for permanent deletes but is still not immutability. Relying on developer enforcement is prone to human error and provides no real-time compliance monitoring. Versioning alone does not meet requirements for immutability, insider threat mitigation, or centralised audit logging, making it insufficient for regulatory compliance in financial environments.
Option B provides a comprehensive enterprise-grade solution. S3 Object Lock in compliance mode makes each object version immutable for its retention period: no principal, including the account root user, can delete the version or shorten the retention, which is what distinguishes it from governance mode (where s3:BypassGovernanceRetention permits an override). Object Lock requires versioning, and new versions can still be written, so retention protects versions rather than keys. Bucket policies enforce least-privilege access, mitigating insider threat risks. CloudTrail management events record bucket-level changes such as PutBucketPolicy and Object Lock configuration updates, but object-level operations (GetObject, PutObject, DeleteObjectVersion) are data events and are written only when S3 data events are explicitly enabled on the trail; without that setting the audit requirement is not actually met. Preventive controls (Object Lock, bucket policies), detective mechanisms (CloudTrail monitoring), and corrective measures (audit and remediation workflows) are integrated, creating a robust and scalable solution for sensitive financial data. This ensures both regulatory compliance and operational security while reducing the risk of accidental or malicious data loss.
Option C, maintaining separate backups and manually tracking deletions, is reactive and operationally inefficient, prone to errors, and insufficient for real-time detection or prevention of unauthorised activity. Option D, SSE-S3 encryption with manual access management, protects data confidentiality but does not enforce immutability, access control, or centralised auditing, leaving gaps in compliance and security.
Option B is the only solution that simultaneously fulfils preventive, detective, and corrective requirements for secure, immutable, auditable storage of highly sensitive financial data.
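The detective half of Option B is only useful if someone actually reads the CloudTrail events. The following is an added example (not part of the original question set, and not AWS code) of the triage a security team would run over an S3 CloudTrail export for a compliance-mode bucket: it keeps only deletions, retention changes and guardrail changes, grades successful ones above denied ones, and surfaces principals whose repeated AccessDenied results are the signature of someone probing what Object Lock protects. The records, bucket name and principals are constructed for the example; field names follow the CloudTrail record format.

```python
from collections import Counter
from typing import Iterable, List

# CloudTrail event names that delete data or weaken the immutability guardrails.
DESTRUCTIVE_DATA_EVENTS = {"DeleteObject", "DeleteObjectVersion",
                           "PutObjectRetention", "PutObjectLegalHold"}
GUARDRAIL_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketVersioning",
                    "PutBucketObjectLockConfiguration", "PutBucketLifecycle", "DeleteBucket"}

# Constructed, abridged CloudTrail records (not real log data). Object-level events such as
# DeleteObjectVersion only reach the trail if S3 data events are enabled for the bucket.
ANALYST = "arn:aws:iam::123456789012:user/analyst"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
ADMIN = "arn:aws:sts::123456789012:assumed-role/LedgerAdmin/i-0a1b2c3d4e5f6a7b8"
RECORDS = [
    {"eventTime": "2024-05-02T09:14:03Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ANALYST},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/01/ledger.csv"}},
    {"eventTime": "2024-05-02T09:15:10Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObjectVersion",
     "errorCode": "AccessDenied", "userIdentity": {"arn": ANALYST},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/01/ledger.csv", "versionId": "v3"}},
    {"eventTime": "2024-05-02T09:15:41Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObjectVersion",
     "errorCode": "AccessDenied", "userIdentity": {"arn": ANALYST},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/01/journal.csv", "versionId": "v1"}},
    {"eventTime": "2024-05-02T09:16:05Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObjectRetention",
     "errorCode": "AccessDenied", "userIdentity": {"arn": ANALYST},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/05/01/ledger.csv", "versionId": "v3"}},
    {"eventTime": "2024-05-02T10:02:12Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "errorCode": "AccessDenied", "userIdentity": {"arn": CONTRACTOR},
     "requestParameters": {"bucketName": "txn-ledger", "key": "2024/04/30/ledger.csv"}},
    {"eventTime": "2024-05-02T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"bucketName": "txn-ledger", "bucketPolicy": {"Version": "2012-10-17", "Statement": []}}},
]


def triage(records: Iterable[dict]) -> List[dict]:
    """Reduce a CloudTrail export to the events that matter for an immutability control."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if name not in DESTRUCTIVE_DATA_EVENTS and name not in GUARDRAIL_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        denied = rec.get("errorCode") == "AccessDenied"
        if name in GUARDRAIL_EVENTS and not denied:
            severity = "critical"   # a guardrail was changed: diff the new bucket policy now
        elif not denied:
            severity = "high"       # a deletion or retention change actually succeeded
        else:
            severity = "medium"     # blocked by Object Lock / bucket policy, but it was attempted
        findings.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "event": name,
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "denied": denied,
            "severity": severity,
        })
    return findings


def probing_principals(findings: List[dict], threshold: int = 3) -> List[str]:
    """Principals with repeated denied destructive calls: the insider-threat signal that
    compliance-mode Object Lock produces when someone tries to delete what it protects."""
    denied = Counter(f["principal"] for f in findings if f["denied"])
    return sorted(p for p, n in denied.items() if n >= threshold)


def severity_counts(findings: List[dict]) -> Counter:
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    found = triage(RECORDS)
    for f in found:
        print(f["severity"].upper(), f["time"], f["event"], f["principal"], f["key"])
    print("probing:", probing_principals(found))
```

Note that the three denied calls by the analyst are exactly what compliance mode guarantees: the version survives, and the only trace is the AccessDenied record, so the detection has to key on denied events rather than on successful ones. The successful PutBucketPolicy is graded highest because a changed bucket policy is how a privileged insider would prepare a later deletion of versions that are no longer under retention.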
Question134:
A healthcare organisation processes sensitive patient data using AWS Lambda functions. Security policies require that Lambda functions can be invoked only through approved API Gateway endpoints and that all invocation events are auditable. Which solution satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions, allowing invocation only from approved API Gateway principals and enabling CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A allows unrestricted Lambda invocation and relies solely on logging. This provides no preventive control, exposing sensitive patient data to unauthorised users and violating healthcare compliance mandates. Option C stores invocation secrets in environment variables, which is insecure, unmonitored, and prone to accidental leakage. Option D relies on API key secrecy, which is operationally unreliable and can be accidentally shared, creating exposure risk.
Option B combines preventive and detective controls. A resource-based policy on the function grants lambda:InvokeFunction to the apigateway.amazonaws.com service principal only when aws:SourceArn matches the approved API's execute-api ARN (scoped to stage, and optionally method and path), so a different API, even one in the same account, cannot invoke the function; omitting the SourceArn condition would leave a confused-deputy hole in which any API Gateway anywhere could call it. Authorisation on the API Gateway method itself (IAM, Cognito, or a Lambda authoriser) keeps unauthenticated callers from reaching the function in the first place. CloudTrail records configuration changes such as AddPermission and UpdateFunctionCode as management events, but each Invoke is a data event and is logged only when Lambda data events are enabled on the trail; pairing that with the function's CloudWatch execution logs and API Gateway access logs gives a complete invocation audit trail. This solution ensures compliance with healthcare regulations, secures sensitive patient data, and minimises operational risk while allowing real-time auditing and monitoring of function invocations. The combination of preventive access control, centralised auditing, and operational efficiency makes this the optimal approach for secure Lambda function deployment in regulated environments.
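What the resource-based policy in Option B looks like, and why the SourceArn condition matters, is easier to see in a worked example. The following is an added example (not part of the original question set, and not AWS code): it builds the policy that `aws lambda add-permission --principal apigateway.amazonaws.com --source-arn ...` would write, then models the evaluation Lambda performs for a service-principal call so you can see which source ARNs pass. Region, account ID, API ID, stage and function name are constructed values; the evaluator is a deliberate simplification of IAM (this policy has no Deny statements, so only the Allow path is modelled).

```python
import fnmatch
import json
from typing import Optional

# Constructed values for the example: hypothetical region, account, API ID and function.
REGION, ACCOUNT = "eu-west-1", "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:patient-records"
APPROVED_API_ID, APPROVED_STAGE = "a1b2c3d4e5", "prod"


def build_invoke_policy(function_arn: str, api_id: str, stage: str) -> dict:
    """Resource-based policy for the function: only the API Gateway service principal may
    invoke it, and only when the request originates from one API stage (any method and
    path under that stage). Equivalent to:
      aws lambda add-permission --function-name patient-records --statement-id AllowApprovedApiGatewayStage \
        --action lambda:InvokeFunction --principal apigateway.amazonaws.com --source-arn <execute-api ARN>"""
    source_arn = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{api_id}/{stage}/*/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowApprovedApiGatewayStage",
                "Effect": "Allow",
                "Principal": {"Service": "apigateway.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": function_arn,
                "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
            }
        ],
    }


def _arn_like(pattern: str, value: str) -> bool:
    # ArnLike semantics: '*' and '?' wildcards, case-sensitive, whole-string match.
    # fnmatch also interprets '[...]', but ARNs never contain brackets, so that is harmless.
    return fnmatch.fnmatchcase(value, pattern)


def invoke_allowed(policy: dict, service: str, source_arn: Optional[str]) -> bool:
    """Model of how Lambda evaluates a service-principal invocation against the policy:
    some Allow statement must match the principal, the action and every condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Service") != service:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "lambda:InvokeFunction" not in actions and "lambda:*" not in actions:
            continue
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        # Without a SourceArn condition, ANY API in ANY account could invoke the function
        # (confused deputy). With one, a request carrying no source ARN never matches.
        if pattern is not None and (source_arn is None or not _arn_like(pattern, source_arn)):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_invoke_policy(FUNCTION_ARN, APPROVED_API_ID, APPROVED_STAGE)
    print(json.dumps(policy, indent=2))
    approved = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{APPROVED_API_ID}/{APPROVED_STAGE}/GET/patients"
    rogue = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:zz99yy88xx/{APPROVED_STAGE}/GET/patients"
    print("approved stage:", invoke_allowed(policy, "apigateway.amazonaws.com", approved))  # True
    print("other API, same account:", invoke_allowed(policy, "apigateway.amazonaws.com", rogue))  # False
```

To tighten the grant to a single route, replace the trailing `*/*` in the source ARN with the method and resource path (for example `GET/patients`); to cover every stage of one API, use `<api-id>/*`. Run `aws lambda get-policy --function-name patient-records` to confirm what is actually attached after deployment.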
Question135:
A company operates multiple EC2 instances that need access to sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable logs. Which solution satisfies these requirements?
A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A exposes credentials in environment variables, lacks automated rotation, and increases the risk of accidental compromise. Option C uses hard-coded credentials, which are difficult to rotate, audit, and secure, creating operational and compliance challenges. Option D employs long-lived IAM user credentials, which increases exposure risk, complicates credential rotation, and makes auditing difficult.
Option B provides a secure, automated, and auditable solution. SecureString parameters are encrypted at rest with a KMS key and retrieved over TLS, with IAM controlling ssm:GetParameter on the parameter and kms:Decrypt on the key separately. IAM roles assigned to EC2 instances implement least-privilege access, ensuring that only authorised instances can retrieve secrets. One caveat a practitioner should know: Parameter Store has no built-in rotation scheduler, so the "automated rotation" in this option is a scheduled job (for example an EventBridge rule invoking a Lambda function) that issues a new API key, writes it as a new parameter version, and retires the old one; AWS Secrets Manager provides rotation natively if that is preferred. The answer still stands, because B is the only option that centralises, encrypts, and audits the credentials at all. CloudTrail logs every GetParameter and PutParameter call, providing centralised auditing, monitoring, and forensic capability. Preventive, detective, and corrective controls are fully integrated, ensuring secure, auditable, and operationally efficient access to sensitive APIs. This approach satisfies enterprise-scale security, operational efficiency, and compliance requirements for managing sensitive credentials across multiple EC2 instances.
Security Implications of Using Environment Variables
Option A, storing API keys in environment variables and relying on manual rotation, introduces multiple security and operational risks. An environment variable is inherited by every child process the application spawns and can be read from /proc/<pid>/environ by the same user or by root, and it is routinely captured by crash dumps, process inspectors and debugging tools; any attacker who gains code execution or a file-read primitive as that user, or simply a shell on the instance, obtains the key. Environment variables are also prone to accidental exposure: logging and debugging output frequently dumps the whole environment, which then lands in log files or monitoring systems. Once exposed, these credentials are at high risk of misuse.
Manual rotation of environment variables compounds operational complexity. Human-driven processes are inherently error-prone. Administrators may forget to rotate secrets on time, fail to synchronise updates across all EC2 instances, or misconfigure permissions during rotation. In large-scale environments with hundreds or thousands of instances, these manual steps introduce significant operational overhead and increase the likelihood of inconsistencies and mismanagement. Delays in rotation extend the window of exposure, leaving credentials vulnerable to potential compromise. Moreover, this approach lacks systematic auditability. Organisations cannot reliably demonstrate that rotations were performed correctly or consistently, which may result in regulatory or compliance violations, particularly in industries subject to strict standards such as PCI DSS, HIPAA, or ISO 27001.
Challenges and Risks of Hard-Coded Credentials
Option C, embedding credentials directly in application code, creates long-lived security vulnerabilities. Hard-coded credentials are static and persist until the application code is modified and redeployed. This introduces prolonged exposure to sensitive API keys and increases the risk of compromise. Additionally, if the application code is stored in version control systems, shared with development teams, or backed up in storage systems, the credentials may be exposed to unintended users.
Hard-coded credentials bypass centralised management, eliminating the possibility of enforcing least-privilege access dynamically. Rotation of these credentials is slow and operationally intensive. Updating hard-coded secrets requires changing the code, testing the application, and redeploying it across all relevant EC2 instances. This process is error-prone and may introduce downtime, negatively affecting operational efficiency. Furthermore, hard-coded credentials lack centralised logging and audit trails, making it difficult for security teams to monitor access or demonstrate compliance. In regulated industries, this absence of auditability can result in non-compliance and penalties.
Operational and Security Risks of Long-Lived IAM User Credentials
Option D, using long-lived IAM user credentials for each EC2 instance, also carries significant operational and security risks. IAM users are designed primarily for human access rather than for automated workloads. Storing long-lived credentials on EC2 instances increases the duration that credentials remain valid, amplifying the consequences of potential compromise. If credentials are exposed or leaked, they remain active until manually revoked, creating an extended window of vulnerability.
Managing large numbers of IAM user credentials across multiple instances is operationally complex. Administrators must manually track, rotate, and revoke access keys for each instance, increasing the risk of error or oversight. Attribution also suffers: access keys are routinely copied between instances and into automation, so CloudTrail shows only the IAM user, not which instance or workload actually made the call, and a leaked key in use by an attacker is indistinguishable from legitimate use. An instance role, by contrast, produces an assumed-role session whose ARN carries the instance ID, so activity can be traced to the specific host. Overall, long-lived IAM user credentials violate the principle of least privilege, reduce operational agility, and increase both security and compliance risk.
Advantages of AWS Systems Manager Parameter Store SecureString Parameters
Option B provides a comprehensive, automated, and auditable approach for managing API credentials on EC2 instances. AWS Systems Manager Parameter Store supports SecureString parameters, whose values are encrypted at rest with an AWS KMS key (the AWS managed aws/ssm key by default, or a customer managed key); retrieval goes over TLS to the SSM endpoint, and decryption requires both ssm:GetParameter on the parameter and kms:Decrypt on the key, so the KMS key policy acts as a second, independent access gate. SecureString parameters are centrally managed, eliminating the need to distribute credentials manually across multiple EC2 instances, which reduces operational complexity and potential exposure. Fine-grained IAM policies, scoped to parameter paths such as /prod/ledger/*, ensure that only authorised roles or instances can retrieve the credentials, enforcing strict least-privilege access.
Centralised storage also simplifies operational management. Administrators can easily add, revoke, or update credentials without redeploying applications. By maintaining all credentials in a single repository, organisations can monitor and control access efficiently while minimising human error. Centralised management ensures consistency and reliability across environments, particularly in enterprise-scale deployments where hundreds or thousands of EC2 instances may be accessing sensitive APIs.
IAM Role-Based Access Control
Assigning IAM roles to EC2 instances is a key security measure within Option B. The instance profile delivers short-lived role credentials through the instance metadata service, and those credentials are refreshed automatically before they expire, so nothing static ever has to be placed on the instance. Require IMDSv2 (HttpTokens=required in the instance's metadata options) so that a server-side request forgery in an application on the instance cannot fetch the credentials with a single unauthenticated GET to 169.254.169.254. IAM roles can be centrally managed, modified, or revoked without redeploying applications, and because the session ARN carries the instance ID, every call is attributable to the workload that made it. Role-based access also facilitates controlled, temporary access for specific workloads, which is particularly beneficial in environments with frequent provisioning or scaling of instances.
Automated Rotation Reduces Credential Exposure
Parameter Store does not rotate values on its own, so automated rotation in Option B means a scheduled workflow, typically an EventBridge rule invoking a Lambda function, that issues a new API key, writes it as a new version of the SecureString parameter (PutParameter with Overwrite), and retires the old key after a short grace period; parameter versioning keeps the previous value readable for rollback. Rotating on a schedule minimises the exposure window: a compromised secret is quickly replaced, and applications that re-read the parameter at runtime, with a short cache TTL and a single refetch on an authentication failure, pick up the new value without manual intervention or downtime. Where a managed rotation schedule is required, AWS Secrets Manager provides it directly. Either way, a systematic credential lifecycle is demonstrable to auditors and aligns with regulatory and enterprise compliance requirements.
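The moving parts of that rotation workflow, and the consumer-side behaviour that lets instances survive it, are shown in the following added example (not part of the original question set, and not AWS code). The rotation job, the cache on the EC2 side and the refetch-on-401 logic are the real technique; `FakeSSM` is an offline stand-in for `boto3.client("ssm")` that implements only `put_parameter` and `get_parameter` with the service's versioning semantics, so the flow runs without an AWS account, and `FakeInternalApi` stands in for the protected API. The parameter name /prod/ledger/api-key is a constructed value. On a real instance you would replace `FakeSSM()` with the boto3 client and let the instance role supply credentials.

```python
import secrets
import time


class FakeSSM:
    """Offline stand-in for boto3.client("ssm"), supporting only the two calls used below,
    with the real service's semantics for them: Overwrite=True creates a new parameter
    version, and a Name of the form "/path:<version>" reads that specific version."""

    def __init__(self):
        self._versions = {}  # parameter name -> [value of version 1, version 2, ...]

    def put_parameter(self, Name, Value, Type="SecureString", Overwrite=False, KeyId=None):
        versions = self._versions.setdefault(Name, [])
        if versions and not Overwrite:
            raise RuntimeError("ParameterAlreadyExists")
        versions.append(Value)
        return {"Version": len(versions)}

    def get_parameter(self, Name, WithDecryption=False):
        name, _, version = Name.partition(":")
        versions = self._versions.get(name)
        if not versions:
            raise KeyError("ParameterNotFound")
        idx = int(version) - 1 if version else len(versions) - 1
        return {"Parameter": {"Name": name, "Value": versions[idx], "Version": idx + 1}}


class FakeInternalApi:
    """The protected internal API: accepts any currently registered key, otherwise 401."""

    def __init__(self, initial_key):
        self._valid = {initial_key}

    def register(self, key):
        self._valid.add(key)

    def revoke(self, key):
        self._valid.discard(key)

    def call(self, key):
        return 200 if key in self._valid else 401


class SecretCache:
    """Consumer side (runs on the EC2 instance under its instance role): fetch the
    SecureString on demand, cache it for a short TTL, and allow a forced refresh."""

    def __init__(self, ssm, name, ttl_seconds=300):
        self._ssm, self._name, self._ttl = ssm, name, ttl_seconds
        self._value, self._expires = None, 0.0

    def get(self, refresh=False):
        if refresh or self._value is None or time.monotonic() >= self._expires:
            # WithDecryption=True is the call that requires kms:Decrypt on the parameter's key.
            param = self._ssm.get_parameter(Name=self._name, WithDecryption=True)["Parameter"]
            self._value, self._expires = param["Value"], time.monotonic() + self._ttl
        return self._value


def call_api(api, cache):
    """Use the cached key; on 401, refetch once. This is what lets a consumer survive a
    rotation that happened while its cached copy was still inside the TTL."""
    status = api.call(cache.get())
    if status == 401:
        status = api.call(cache.get(refresh=True))
    return status


def rotate_api_key(ssm, api, name):
    """Rotation job (in production a scheduled Lambda): mint a new key, make the API accept
    it, publish it as a new parameter version, then revoke the old key. Returns the new
    version number; the old value stays readable as "<name>:<n>" for rollback."""
    old_key = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    new_key = secrets.token_urlsafe(32)
    api.register(new_key)  # the new key must be valid BEFORE it is published
    version = ssm.put_parameter(Name=name, Value=new_key, Type="SecureString", Overwrite=True)["Version"]
    api.revoke(old_key)  # production: revoke after a grace period, not immediately
    return version


if __name__ == "__main__":
    ssm, api = FakeSSM(), FakeInternalApi("initial-key")
    ssm.put_parameter(Name="/prod/ledger/api-key", Value="initial-key")  # constructed name
    cache = SecretCache(ssm, "/prod/ledger/api-key")
    print("before rotation:", call_api(api, cache))  # 200
    print("new version:", rotate_api_key(ssm, api, "/prod/ledger/api-key"))  # 2
    print("after rotation, stale cache:", call_api(api, cache))  # 200 (refetched after a 401)
```

The ordering inside `rotate_api_key` is the part that matters: register the new key first, publish second, revoke last. Reversing the first two steps creates a window in which consumers fetch a key the API does not yet accept; skipping the grace period before revocation (as this example does for brevity) forces every instance through the 401-and-refetch path at once, which is tolerable for an API key but not for a database password held in a connection pool.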
Centralised Auditing and Monitoring with CloudTrail
CloudTrail records every Parameter Store API call (GetParameter, GetParameters, GetParametersByPath, PutParameter, DeleteParameter) as a management event, with the calling principal, source IP address, timestamp, and parameter name; the decrypted value itself never appears in the log. The matching kms:Decrypt call is recorded as a separate KMS event, which is useful for confirming that a retrieval actually decrypted the secret. Centralised logging enables security teams to monitor access patterns, alert on retrievals from unexpected roles or addresses, and investigate anomalous activity. In regulated industries, CloudTrail logs serve as verifiable evidence of controlled access and adherence to organisational security policies. Auditability ensures accountability, supports forensic investigation, and facilitates compliance reporting, providing a clear record of credential access and management actions.