Amazon SCS-C02 Exam - Topic 6 Question 3 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 3
Topic #: 6

A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and has started using AWS Identity and Access Management Access Analyzer to refine overly broad access to accounts in the organization.

A security engineer must automate a response in the company's organization for any newly created policies that are overly permissive. The automation must remediate external access and must notify the company's security team.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

ACreate an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM
role. Configure the state machine to publish a notification to an Amazon SimpleNotification Service (Amazon SNS) topic.

BCreate an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny
statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon Simple Notification Service (Amazon SNS)
topic.

CIn Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.

DIn Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.

ECreate an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue to forward a notification to the security team that an external principal
has been granted access to the specific IAM role and has been blocked.

FCreate an Amazon Simple Notification Service (Amazon SNS) topic for external or cross-account access notices. Subscribe the security team's email
addresses to the topic.

Show Suggested Answer

Suggested Answer: A, C, F

by Fletcher at Oct 02, 2023, 10:16 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Blondell

3 months ago

A is interesting, but I prefer the simplicity of C.

upvoted 0 times

...

Arlene

3 months ago

Wait, can we really trust AWS to handle this automatically?

upvoted 0 times

...

Jordan

4 months ago

B seems a bit overcomplicated for this task.

upvoted 0 times

...

Shannan

4 months ago

Definitely agree with C, it fits the requirements perfectly!

upvoted 0 times

...

Josphine

4 months ago

I think option C is a solid choice for automation.

upvoted 0 times

...

Roxane

4 months ago

I definitely remember that we need to notify the security team, and I think creating an SNS topic for that is a solid step.

upvoted 0 times

...

Elsa

4 months ago

I’m a bit confused about whether to use EventBridge or CloudWatch for triggering the automation. They both seem relevant, but I can't recall the specifics.

upvoted 0 times

...

Earleen

5 months ago

I think we practiced a similar question where we had to set up notifications for IAM findings. I feel like using SNS is definitely part of the solution.

upvoted 0 times

...

Maryann

5 months ago

I remember we discussed using AWS Step Functions for automating workflows, but I'm not sure if it's the best choice here.

upvoted 0 times

...

Charlette

5 months ago

Hmm, this is a tricky one. I'm not sure I fully understand all the requirements, but I think the key is to use a combination of AWS services to detect the issues, remediate them, and notify the security team. I'll need to carefully read through the options and think it through.

upvoted 0 times

...

Alline

5 months ago

This seems straightforward enough. I just need to identify the right combination of services to detect the overly permissive policies, remediate them, and notify the security team. I'll focus on the services that can integrate well and automate the entire process.

upvoted 0 times

...

Deane

5 months ago

Okay, I've got this. The question is asking for a combination of three steps, so I need to identify the services that can work together to meet the requirements. I think I'll start by looking at the AWS services mentioned and how they could be used to automate the response.

upvoted 0 times

...

Lyndia

5 months ago

Hmm, this is a tricky one. I'm not sure if I fully understand all the requirements, but I think the key is to use a combination of AWS services to detect the issues, remediate them, and notify the security team. I'll need to carefully read through the options and think it through.

upvoted 0 times

...

Johanna

5 months ago

This looks like a complex question, but I think I can break it down step-by-step. The key is to automate the response to overly permissive IAM policies, so I'll need to focus on the AWS services that can help with that.

upvoted 0 times

...

Ammie

5 months ago

Hmm, I'm not totally sure what continuous integration means in this context. I'll need to think through the options carefully.

upvoted 0 times

...

An

5 months ago

Hmm, this seems like a tricky one. I'll need to carefully consider the options and make sure I understand the requirements before selecting an answer.

upvoted 0 times

...

Clarence

5 months ago

Okay, I think I've got a handle on this. Panacea sounds like a physician hospital organization, where the hospital owns the medical practice. I'm going to go with option B.

upvoted 0 times

...

Eve

5 months ago

I think the gain or loss has to be recognized on the trade date for cash basis taxpayers, but I'm not entirely sure.

upvoted 0 times

...