Question 1

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. Which of the following explains why the logs are not available?

Options :

A : The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B : The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C : The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D : The version of the Lambda function that was invoked was not current.

Answer: A

Question 2

A company is running a new workload across accounts in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value. Which solution will meet these requirements?

Options :

A : Use AWS Config custom policy rule and an SCP to deny non-approved aws:RequestTag/CostCenter values.

B : Use CloudTrail + EventBridge + Lambda to block creation.

C : Enable tag policies, define allowed values, enforce noncompliant operations, and use an SCP to deny creation when aws:RequestTag/CostCenter is null.

D : Enable tag policies and use EventBridge + Lambda to block changes.

Answer: C

Question 3

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets. Which solution will meet these requirements?

Options :

A : Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B : Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C : Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D : Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Answer: B

Question 4

A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key. However, the company wants to prevent Amazon EC2 from using the key. Which solution will meet these requirements?

Options :

A : Use IAM explicit deny for EC2 instance profiles and allow for Lambda roles.

B : Use a KMS key policy with kms:ViaService conditions to allow Lambda usage and deny EC2 usage.

C : Use aws:SourceIp and aws:AuthorizedService condition keys in the KMS key policy.

D : Use an SCP to deny EC2 and allow Lambda.

Answer: B

Question 5

A company needs to scan all AWS Lambda functions for code vulnerabilities.

Options :

A : Use Amazon Macie.

B : Enable Amazon Inspector Lambda scanning.

C : Use GuardDuty and Security Hub.

D : Use GuardDuty Lambda Protection.

Answer: B

Higher Test Marks with Free Online SCS-C03 Exam Practice

Buying Options: