ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 281 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 281
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company wants to automate the creation of a security report. The company has an AWS Lambda function that gathers data from Amazon Inspector findings stored in AWS Security Hub in the us-west-2 Region. The Lambda function then needs to create a daily report by using an Amazon EventBridge schedule.

A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions.

Which solution will meet these requirements?

  • A. Create a resource-based policy that allows Security Hub access to the ARN of the Lambda function.
  • B. Attach the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function’s execution role.
  • C. Grant the Lambda function’s execution role read-only permissions to access Amazon Inspector and Security Hub.
  • D. Create a custom IAM policy that grants the Security Hub Get*, List*, Batch*, and Describe* permissions on the arn:aws:securityhub:us-west-2::product/aws/inspector/* resource. Attach the policy to the Lambda function’s execution role.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by 723993f at Nov. 26, 2024, 3:56 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
b5f86df
5 days, 21 hours ago
Selected Answer: C
It grants only the necessary read-only permissions to both services.
upvoted 1 times
...
1329ca5
2 weeks, 2 days ago
Selected Answer: B
The blanket Batch* in Option D is problematic because it would include write permissions, violating the least privilege principle for a function that only needs to gather (read) data.
upvoted 1 times
...
barracouto
1 month, 3 weeks ago
Selected Answer: B
This is one of those controversial exam questions.. knowing AWS I think I'd pick B because its an AWS managed policy (less "overhead") and the lambda function doesn't need read access to inspector because it is pulling data sourced from security hub not directly from inspector.
upvoted 2 times
...
mnsait
2 months, 1 week ago
Selected Answer: D
D - Correct Rationale: A - resource-based policy that allows Security Hub access Does not specific fine grained permission, hence is not least priviledge B - AWSSecurityHubReadOnlyAccess is AWS created and is considered more permissive than custom created policies. This is a general rule with all AWS created policies. C - Access is not required to Inspector since logs are already stored in SecurityHub D - Creates specific, fine-grained grants for the purpose of reading the logs and attaching to the execution role of the Lambda. Just sufficient to fix the issue.
upvoted 1 times
...
phmeeeee
3 months ago
Selected Answer: C
C - can solve the permission with least privilege.
upvoted 1 times
...
TareDHakim
5 months, 3 weeks ago
Selected Answer: B
B, there's no need for permissions to Inspector as logs already populated in Security Hub.
upvoted 3 times
...
Asma2023
6 months, 1 week ago
Selected Answer: B
beacause findings are already stored in AWS Security HUB
upvoted 4 times
...
8acf42c
6 months, 2 weeks ago
Selected Answer: C
By explicitly granting read-only permissions to both Amazon Inspector and Security Hub, the Lambda function will have the least privilege access it needs to retrieve findings and generate the report. This aligns with best practices.
upvoted 3 times
...
SCSC02Q
6 months, 2 weeks ago
Selected Answer: B
* enabling more than read access...
upvoted 2 times
...
SCSC02Q
6 months, 2 weeks ago
Selected Answer: B
its B, since the Batch* on D is a problem, enabling more the read access. In comparison, B provides only BatchGet* so ok.
upvoted 2 times
...
Pmktechno
6 months, 2 weeks ago
Selected Answer: C
This approach ensures that the Lambda function has the necessary permissions to read data from Amazon Inspector and Security Hub without granting excessive permissions. It aligns with the principle of least privilege by only allowing the specific actions required for the Lambda function to perform its task.
upvoted 3 times
...
HappyG
7 months, 2 weeks ago
Selected Answer: C
C grants the Lambda function's execution role the necessary permissions to read from both Amazon Inspector and AWS Security Hub, but not granting excessive permissions. This approach adheres to the principle of least privilege by providing only the necessary permissions for the Lambda function to perform its task.
upvoted 3 times
...
Palanda
7 months, 2 weeks ago
Selected Answer: B
I agree with b
upvoted 2 times
...
jdx000
7 months, 2 weeks ago
Selected Answer: B
the findings are already in security hub, so only read access to security hub is needed
upvoted 4 times
...
723993f
7 months, 2 weeks ago
Selected Answer: D
is it not D ? or is the Batch:* a problem ? but i think there are no batch write/delete operations that can be performed on that resource arn anyways
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel