Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C02 Exam - Topic 6 Question 3 Discussion

A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and has started using AWS Identity and Access Management Access Analyzer to refine overly broad access to accounts in the organization.A security engineer must automate a response in the company's organization for any newly created policies that are overly permissive. The automation must remediate external access and must notify the company's security team.Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)
A) Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SimpleNotification Service (Amazon SNS) topic. and C) In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution. and F) Create an Amazon Simple Notification Service (Amazon SNS) topic for external or cross-account access notices. Subscribe the security team's email addresses to the topic.
B) Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.
D) In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.
E) Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.

Amazon SCS-C02 Exam - Topic 6 Question 3 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 3
Topic #: 6
[All SCS-C02 Questions]

A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and has started using AWS Identity and Access Management Access Analyzer to refine overly broad access to accounts in the organization.

A security engineer must automate a response in the company's organization for any newly created policies that are overly permissive. The automation must remediate external access and must notify the company's security team.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Show Suggested Answer Hide Answer
Suggested Answer: A, C, F

by Fletcher at Oct 02, 2023, 10:16 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Blondell
6 months ago
A is interesting, but I prefer the simplicity of C.
upvoted 0 times
...
Arlene
7 months ago
Wait, can we really trust AWS to handle this automatically?
upvoted 0 times
...
Jordan
7 months ago
B seems a bit overcomplicated for this task.
upvoted 0 times
...
Shannan
7 months ago
Definitely agree with C, it fits the requirements perfectly!
upvoted 0 times
...
Josphine
7 months ago
I think option C is a solid choice for automation.
upvoted 0 times
...
Roxane
7 months ago
I definitely remember that we need to notify the security team, and I think creating an SNS topic for that is a solid step.
upvoted 0 times
...
Elsa
8 months ago
I’m a bit confused about whether to use EventBridge or CloudWatch for triggering the automation. They both seem relevant, but I can't recall the specifics.
upvoted 0 times
...
Earleen
8 months ago
I think we practiced a similar question where we had to set up notifications for IAM findings. I feel like using SNS is definitely part of the solution.
upvoted 0 times
...
Maryann
8 months ago
I remember we discussed using AWS Step Functions for automating workflows, but I'm not sure if it's the best choice here.
upvoted 0 times
...
Charlette
8 months ago
Hmm, this is a tricky one. I'm not sure I fully understand all the requirements, but I think the key is to use a combination of AWS services to detect the issues, remediate them, and notify the security team. I'll need to carefully read through the options and think it through.
upvoted 0 times
...
Alline
8 months ago
This seems straightforward enough. I just need to identify the right combination of services to detect the overly permissive policies, remediate them, and notify the security team. I'll focus on the services that can integrate well and automate the entire process.
upvoted 0 times
...
Deane
8 months ago
Okay, I've got this. The question is asking for a combination of three steps, so I need to identify the services that can work together to meet the requirements. I think I'll start by looking at the AWS services mentioned and how they could be used to automate the response.
upvoted 0 times
...
Lyndia
8 months ago
Hmm, this is a tricky one. I'm not sure if I fully understand all the requirements, but I think the key is to use a combination of AWS services to detect the issues, remediate them, and notify the security team. I'll need to carefully read through the options and think it through.
upvoted 0 times
...
Johanna
8 months ago
This looks like a complex question, but I think I can break it down step-by-step. The key is to automate the response to overly permissive IAM policies, so I'll need to focus on the AWS services that can help with that.
upvoted 0 times
...
Ammie
8 months ago
Hmm, I'm not totally sure what continuous integration means in this context. I'll need to think through the options carefully.
upvoted 0 times
...
An
8 months ago
Hmm, this seems like a tricky one. I'll need to carefully consider the options and make sure I understand the requirements before selecting an answer.
upvoted 0 times
...
Clarence
8 months ago
Okay, I think I've got a handle on this. Panacea sounds like a physician hospital organization, where the hospital owns the medical practice. I'm going to go with option B.
upvoted 0 times
...
Eve
8 months ago
I think the gain or loss has to be recognized on the trade date for cash basis taxpayers, but I'm not entirely sure.
upvoted 0 times
...

Save Cancel