
Exam AWS Certified Security - Specialty SCS-C02 All Questions


Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 110 discussion

A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer.

The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon CloudWatch Logs as the destination.

Which additional set of steps should the security engineer take to meet the requirements?

  • A. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
  • B. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
  • C. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
  • D. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
Suggested Answer: A
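The following worked example is added here and is not part of the original question or of any commenter's post. It shows the three pieces the suggested answer relies on: the managed rule group entry with its override action set to Count (the emergency step), the wafv2 log fields that reveal which managed rule is matching once logging is on, and an identity-based IAM policy with an explicit Deny on wafv2:DeleteLoggingConfiguration so an administrator cannot remove the logging configuration. The rule group (AWSManagedRulesCommonRuleSet), the rule name (SizeRestrictions_BODY), the account ID and the log records are constructed assumptions, not data from the page.

```python
"""Added example for the AWS WAF scenario above (not the page's or any
commenter's code). Rule names, ARNs and log records are constructed."""
import json
from collections import Counter


def managed_rule_group_rule(vendor, name, priority, count_all=False, count_rules=()):
    """Rule entry for a managed rule group as passed in UpdateWebACL's Rules.

    count_all=True puts the whole group in Count (nothing blocks; emergency step).
    count_rules lists rule names to override to Count via RuleActionOverrides
    while the rest of the group keeps blocking (the scoped fix afterwards).
    """
    statement = {"VendorName": vendor, "Name": name}
    if count_rules:
        statement["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules
        ]
    return {
        "Name": f"{vendor}-{name}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"Count": {}} if count_all else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": f"{vendor}-{name}",
        },
    }


GROUP = "AWS#AWSManagedRulesCommonRuleSet"  # ruleGroupId as WAF writes it


def _log_record(action, uri, terminating=None, counted=()):
    """Constructed wafv2 log record: real field names, invented values."""
    return {
        "timestamp": 1700000000000,
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet" if terminating else "Default_Action",
        "terminatingRuleType": "MANAGED_RULE_GROUP" if terminating else "REGULAR",
        "action": action,
        "ruleGroupList": [{
            "ruleGroupId": GROUP,
            "terminatingRule": {"ruleId": terminating, "action": "BLOCK"} if terminating else None,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        }],
        "httpRequest": {"clientIp": "203.0.113.10", "uri": uri, "httpMethod": "POST"},
    }


# Before the override the group blocked the upgraded client's larger POST
# bodies; after it the same rule appears only as a COUNT match and the
# request falls through to the web ACL's default Allow.
SAMPLE_WAF_LOGS = [
    _log_record("BLOCK", "/v2/orders", terminating="SizeRestrictions_BODY"),
    _log_record("ALLOW", "/v2/orders", counted=("SizeRestrictions_BODY",)),
    _log_record("ALLOW", "/v2/orders/42", counted=("SizeRestrictions_BODY",)),
    _log_record("ALLOW", "/v2/health"),
]


def matching_managed_rules(records):
    """Tally (ruleGroupId, ruleId, action) for every managed rule that matched,
    whether it terminated the request or only counted; most_common() then
    surfaces the rule responsible for the breakage."""
    hits = Counter()
    for rec in records:
        for group in rec.get("ruleGroupList") or []:
            gid = group["ruleGroupId"]
            term = group.get("terminatingRule")
            if term:
                hits[(gid, term["ruleId"], term["action"])] += 1
            for r in group.get("nonTerminatingMatchingRules") or []:
                hits[(gid, r["ruleId"], r["action"])] += 1
    return hits


def logging_guard_policy():
    """Identity-based policy with an explicit Deny on the wafv2 call that
    removes a web ACL's logging configuration. An explicit Deny beats any
    Allow the administrator holds, and attached to identities (or as an SCP)
    it covers every web ACL rather than a single resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRemovingWafLogging",
            "Effect": "Deny",
            "Action": ["wafv2:DeleteLoggingConfiguration"],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    acl_group = "AWSManagedRulesCommonRuleSet"
    # 1. Emergency: whole group to Count.   2. Read the logs.
    print(json.dumps(managed_rule_group_rule("AWS", acl_group, 0, count_all=True), indent=2))
    for key, n in matching_managed_rules(SAMPLE_WAF_LOGS).most_common():
        print(n, key)
    # 3. Scoped fix: only the noisy rule stays in Count.   4. Keep logging on.
    print(json.dumps(managed_rule_group_rule("AWS", acl_group, 0, count_rules=("SizeRestrictions_BODY",)), indent=2))
    print(json.dumps(logging_guard_policy(), indent=2))
```

The policy deliberately denies only DeleteLoggingConfiguration: an administrator can still call PutLoggingConfiguration to change the destination, but cannot leave the web ACL without logging. The per-rule RuleActionOverrides step is the follow-up once the log tally names the rule, so the rest of the managed group returns to blocking instead of staying in Count indefinitely.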

Comments

yorkicurke
Highly Voted 1 year, 2 months ago
Selected Answer: A
As many have suggested, it's unnecessary to go for 'challenge', so C & D -> OUT. As for why not to pick B (resource-based): a resource policy would only control access to that single web ACL. The question asks to ensure logging is not turned off for any web ACLs [well, that's what's implied], which modifying IAM policies globally achieves but modifying a single resource policy does not. AWS documentation recommends applying least privilege permissions through IAM policies when managing access to resources across multiple accounts. This helps ensure permissions are restricted at the identity level rather than at the individual resource level.
upvoted 5 times
AWSLoverLoverLoverLoverLover
Most Recent 1 week, 6 days ago
Selected Answer: A
The correct answer is A. Explanation:

Use "Count" action to debug the issue: Instead of outright blocking traffic, changing rules to Count mode helps identify which rule is causing issues without disrupting the API. This allows normal API operation while collecting logs for analysis.

Review CloudWatch Logs for debugging: Since logging is now enabled, the security engineer can analyze logs in CloudWatch to pinpoint which rule is incorrectly blocking API requests.

Prevent logging from being turned off: The best way to enforce logging is by modifying IAM policies of all AWS WAF administrators. This ensures that no admin user can disable logging, which aligns with AWS security best practices. IAM policies are more effective than WAF resource policies for managing administrative actions like disabling logs.
upvoted 1 times
TareDHakim
2 months ago
Selected Answer: A
There is no resource-based policy for AWS WAF. However, AWS WAF can be used with IAM permission policies to secure the service and its resources. AWS WAF is a managed web application firewall that allows users to create custom rules to block, allow, count, or monitor web requests. These rules can be based on conditions such as IP address ranges, CIDR blocks, countries or regions, or malicious code.
upvoted 1 times
IPLogic
3 months ago
Selected Answer: B
To address the issue and ensure logging remains enabled, the security engineer should: Edit the rules in the web ACL to include rules with Count actions. This will help identify which rule is blocking the requests by reviewing the logs. Review the logs to determine the specific rule causing the issue. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs. Therefore, the correct answer is B.
upvoted 1 times
DSExam
4 months ago
Selected Answer: A
There is no resource-based policy for WAF!
upvoted 3 times
kkravets
4 months ago
Selected Answer: B
B as it is more scalable
upvoted 1 times
Pmktechno
4 months, 1 week ago
Selected Answer: B
Answer B
upvoted 1 times
div05jkjl
4 months, 2 weeks ago
A
upvoted 1 times
VerRi
6 months, 1 week ago
Selected Answer: A
I cannot even see resource policy setting within WAF. There is one in Firewall Manager to handle access control to WAF, but I will go with A in this scenario.
upvoted 2 times
cumzle_com
8 months, 2 weeks ago
Selected Answer: B
Both Option A and Option B are strong candidates, but Option B has a slight edge due to the use of AWS WAF resource policies, which are more direct for managing configurations. This method ensures that logging configurations cannot be easily altered by administrators, providing a more robust solution.
upvoted 3 times
SamHan
10 months, 1 week ago
Selected Answer: B
B is correct
upvoted 1 times
March2023
10 months, 2 weeks ago
Selected Answer: B
option B. This involves editing the rules in the web ACL to include rules with Count actions, reviewing the logs to identify the blocking rule, and then modifying the AWS WAF resource policy to prevent AWS WAF administrators from removing the logging configuration for any web ACLs in the future.
upvoted 1 times
Snape
10 months, 3 weeks ago
Selected Answer: B
Resource based policy
upvoted 1 times
didorins
11 months ago
B - Resource based policy is better than identity policy here.
upvoted 1 times
hro
11 months, 3 weeks ago
I'm going with B - the issue is the resource policy and not an IAM policy issue. The AWS WAF resource policy allowed for the logging not to be turned on.
upvoted 1 times
walter_white_008
12 months ago
Selected Answer: B
Modifying Resource based policy is appropriate here. Purpose is to avoid WAF logging modification.
upvoted 2 times
lightrod
1 year ago
Selected Answer: A
you should modify the resource policy as best practice
upvoted 1 times
walter_white_008
12 months ago
Then why select A? You should have selected B.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other
