ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 93 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 93
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.

After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume.

Which solution will meet these requirements?

  • A. Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
  • B. Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe tile CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.
  • C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
  • D. Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by oioi at Nov. 23, 2023, 9:41 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
RookieCSA
4 months, 3 weeks ago
Selected Answer: C
It doesn't mention organizations, so SCP isn't needed. If organizations were mentioned, then D would also be correct. https://aws.amazon.com/tw/blogs/security/governance-at-scale-enforce-permissions-and-compliance-by-using-policy-as-code/
upvoted 3 times
...
sendjawemail
6 months ago
Selected Answer: D
If you see the following link, it talks about implementing SCP for preventing controls. https://aws.amazon.com/blogs/security/governance-at-scale-enforce-permissions-and-compliance-by-using-policy-as-code/ For proactive controls Cloudformation guard is used.
upvoted 1 times
phmeeeee
2 months, 3 weeks ago
SCPs are not designed to be run in a CI/CD pipeline for template validation and it working at organization-level.
upvoted 2 times
...
...
Gzuis
9 months, 2 weeks ago
I think that is D
upvoted 1 times
...
Daniel76
1 year ago
Selected Answer: C
https://aws.amazon.com/blogs/mt/policy-as-code-for-securing-aws-and-third-party-resource-types/
upvoted 2 times
...
Aamee
1 year, 1 month ago
Selected Answer: C
C definitely. CFN Guard defined rule sets help in preventing from the derivation of Infrastructure resource security policies..
upvoted 4 times
...
[Removed]
1 year, 1 month ago
Selected Answer: C
C for sure
upvoted 2 times
...
oioi
1 year, 1 month ago
Selected Answer: C
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel