ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 113 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 113
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive database credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same private subnet. The VPC has a Secrets Manager VPC endpoint.

A security engineer discovers that the secret cannot rotate. The security engineer determines that the VPC endpoint is working as intended. The Amazon CloudWatch logs contain the following error: "setSecret: Unable to log into database".

Which solution will resolve this error?

  • A. Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the structure that the database requires.
  • B. Ensure that the security group that is attached to the Lambda function allows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.
  • C. Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.
  • D. Add an internet gateway to the VPC. Create a NAT gateway in a public subnet. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by oioi at Nov. 23, 2023, 10:35 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
yorkicurke
Highly Voted 8 months, 1 week ago
Selected Answer: B
Hate questions like these which rather then testing your knoweledge of technologies trick you into these weired worded questions. the statement 'Ensure that the security group that is attached to the Lambda function allows outbound' threw me off as Lambda does not have SGs. But then through some internet digging came accross the fact that when a Lambda function needs to access resources inside a Virtual Private Cloud (VPC), it does so using ENI which resides in a subnet of the VPC and can have a security group associated with it. The security group acts as a virtual firewall for the ENI.
upvoted 5 times
...
Daniel76
Most Recent 8 months, 1 week ago
Selected Answer: B
a) when you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure. c) secret manager already configured as auto-rotation. also, secret id should have been known instead of listing secrets . d) accessing secret manager via public is not recommended.
upvoted 1 times
...
confusedyeti69
9 months ago
Why would the lambda need access to the EC2? The question is unclear about the exact job of the lambda. It is worded as if the lambda job is to change the creds in secrets manager only.
upvoted 2 times
JPSWS
8 months, 2 weeks ago
The DB runs on the EC2 that's why the Lambda needs access to it to set the new credentials
upvoted 2 times
...
...
Aamee
9 months, 1 week ago
Selected Answer: B
B is the only one that logically seems right. All others are distracters except option C. But option C describes the solution of this problem as a one time thing whereas, it's been asked to provide a permanent solution for this use case. That's why B looks much more secured and valid option among all others.
upvoted 4 times
...
[Removed]
9 months, 1 week ago
Selected Answer: B
I'll vote B. The rest are distractors but feel free to correct me if I'm wrong.
upvoted 2 times
...
oioi
9 months, 2 weeks ago
Selected Answer: B
correct
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago