Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 110 discussion

A company is using AWS WAF to protect a customized public API service that is based on Amazon EC instances. The API uses an Application Load Balancer.

The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon CloudWatch Logs as the destination.

Which additional set of steps should the security engineer take to meet the requirements?

  • A. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
  • B. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
  • C. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
  • D. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
yorkicurke
Highly Voted 10 months, 3 weeks ago
Selected Answer: A
As many have suggested of why i'ts unnecessary to go for 'challenge' so C&D -> OUT As of why not picking B(resource-based) is because resource policy would only control access to that single web ACL. The question asks to ensure logging is not turned off for any web ACLs[well that's what's implied], which modifying IAM policies globally achieves but modifying a single resource policy does not. AWS documentation recommends applying least privilege permissions through IAM policies when managing access to resources across multiple accounts. This helps ensure permissions are restricted at the identity level rather than at the individual resource level.
upvoted 5 times
...
DSExam
Most Recent 2 weeks ago
Selected Answer: A
There is no resource base policy for WAF!
upvoted 2 times
...
kkravets
2 weeks, 3 days ago
Selected Answer: B
B as it is more scallable
upvoted 1 times
...
Pmktechno
3 weeks, 2 days ago
Selected Answer: B
Answer B
upvoted 1 times
...
div05jkjl
3 weeks, 4 days ago
A
upvoted 1 times
...
VerRi
2 months, 2 weeks ago
Selected Answer: A
I cannot even see resource policy setting within WAF. There is one in Firewall Manager to handle access control to WAF, but I will go with A in this scenario.
upvoted 2 times
...
cumzle_com
4 months, 3 weeks ago
Selected Answer: B
Both Option A and Option B are strong candidates, but Option B has a slight edge due to the use of AWS WAF resource policies, which are more direct for managing configurations. This method ensures that logging configurations cannot be easily altered by administrators, providing a more robust solution.
upvoted 3 times
...
SamHan
6 months, 3 weeks ago
Selected Answer: B
B is correct
upvoted 1 times
...
March2023
6 months, 3 weeks ago
Selected Answer: B
option B. This involves editing the rules in the web ACL to include rules with Count actions, reviewing the logs to identify the blocking rule, and then modifying the AWS WAF resource policy to prevent AWS WAF administrators from removing the logging configuration for any web ACLs in the future.
upvoted 1 times
...
Snape
7 months ago
Selected Answer: B
Resource based policy
upvoted 1 times
...
didorins
7 months, 2 weeks ago
B - Resource based policy is better than identity policy here.
upvoted 1 times
...
hro
8 months ago
Im going with B - the issue is the resource policy and not an IAM policy issue. The AWS WAF resource policy allowed for the logging not to be turned on.
upvoted 1 times
...
walter_white_008
8 months, 1 week ago
Selected Answer: B
Modifying Resource based policy is appropriate here. Purpose is to avoid WAF logging modification.
upvoted 2 times
...
lightrod
9 months, 1 week ago
Selected Answer: A
you should modify the resource policy as best practice
upvoted 1 times
walter_white_008
8 months, 1 week ago
the why select A , should have selected B
upvoted 2 times
...
...
vikasj1in
10 months ago
B. A Count action allows rules to collect data about requests that match the conditions but does not block or allow the requests. After making this change, the SE can review the logs in CloudWatch Logs to determine which rule is blocking the specific requests causing the application stability issues. To ensure that logging is not turned off in the future, the security engineer should modify the AWS WAF resource policy. This modification should restrict AWS WAF administrators from removing the logging configuration for any AWS WAF web ACLs, adding an extra layer of protection against inadvertent changes. C & D suggest including rules with Count and Challenge actions, which may not be necessary for the immediate resolution of the issue. Option A recommends modifying IAM policies, but modifying the AWS WAF resource policy is a more direct and suitable approach for preventing changes to logging configurations.
upvoted 2 times
...
Aamee
11 months, 3 weeks ago
Selected Answer: A
It's def. not B. Going with option A cuz of IAM policy capability in this use case rather than resource policies.
upvoted 3 times
...
[Removed]
11 months, 3 weeks ago
Selected Answer: A
Challenge logs are not necessary here (CAPTCHA). We'll also want to restrict with IAM policies and NOT resource policies. Perhaps with SCPs as well. Answer is A
upvoted 2 times
WeepingMaplte
10 months, 4 weeks ago
Challenge: Runs a silent background check on the client session to verify if it's a legitimate browser. Doesn't involve any user interaction, keeping the experience seamless. Less effective against sophisticated bots that can mimic browser behavior.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...