TD Exam 3 (SCS-C03)

An organization has a hybrid cloud infrastructure spanning AWS and its data center, connected by a Site-to-Site VPN. The organization uses Amazon Route 53 Resolver forwarding rules to manage its DNS traffic, both for authoritative and non-authoritative domains. The organization must log all DNS traffic that originates from its AWS resources and be able to query the logs for the DNS name that was requested. The logs must also be queryable to identify the source IP address that each query originated from. Which of the following is the MOST suitable solution to satisfy this requirement?

Set up query logging for relevant Amazon VPCs within the company using Amazon Route 53 Resolver. Forward the logs to Amazon CloudWatch Logs and examine the DNS data utilizing Amazon CloudWatch Logs Insights.

A company's developer has recently finalized an update to a Lambda function on his local machine. A security engineer must ensure any updates to the Lambda function are verified for authenticity before deployment to prevent tampering. The engineer has enabled code signing for the Lambda function. Which combination of steps should be taken next to meet the requirement? (Select two) Part I

Sign the code using an AWS Signer profile.

An eCommerce company is setting up an email service using Amazon SES to send marketing campaigns to its subscribers. All connections must be TLS-encrypted. Which email protocol and port number should be included in the SES endpoint? (Select TWO.) Part I

Simple Mail Transfer Protocol (SMTP)

A security administrator is developing a solution to encrypt business data stored on a fleet of Elastic Block Store (EBS)-backed EC2 instances. As a requirement, the key material must expire automatically after 30 days. Which solution meets these requirements?

Use a customer-managed KMS key created with imported key material.

A company has experienced an incident where its service became inaccessible to some users. The system administrator searched the application and server logs for errors but found nothing that could have brought the server down. It was later found that the issue was caused by misconfigured DNS settings in Route 53. Management has decided to log public DNS queries to help debug similar issues in the future. How can the administrator achieve this?

Activate Route 53 DNS query logging. Specify a CloudWatch Logs log group as the destination.

A company has a number of EC2 instances running in its AWS account. After receiving an alert from Amazon GuardDuty about an UnauthorizedAccess:EC2/TorClient finding, a security team wants to determine whether the flagged instance is compromised. The company's AWS account has VPC Flow Logs, AWS Config, Amazon Detective, and Amazon Inspector enabled. What steps should the security team take to gather this information?

Investigate the VPC Flow logs using Amazon Detective. Use the From Findings annotations to see the log entries involved in the finding.

A company's developer has recently finalized an update to a Lambda function on his local machine. A security engineer must ensure any updates to the Lambda function are verified for authenticity before deployment to prevent tampering. The engineer has enabled code signing for the Lambda function. Which combination of steps should be taken next to meet the requirement? (Select two) Part II

Package the source code in a zip file and upload it to an S3 bucket.

An eCommerce company is setting up an email service using Amazon SES to send marketing campaigns to its subscribers. All connections must be TLS-encrypted. Which email protocol and port number should be included in the SES endpoint? (Select TWO.) Part II

Port number 587

