Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Amazon Discussions

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 110 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 110
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company is using AWS WAF to protect a customized public API service that is based on Amazon EC instances. The API uses an Application Load Balancer.

The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon CloudWatch Logs as the destination.

Which additional set of steps should the security engineer take to meet the requirements?

  • A. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
  • B. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
  • C. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
  • D. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by oioi at Nov. 23, 2023, 10:12 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
SamHan
3 weeks, 3 days ago
Selected Answer: B
B is correct
upvoted 1 times
...
March2023
4 weeks, 1 day ago
Selected Answer: B
option B. This involves editing the rules in the web ACL to include rules with Count actions, reviewing the logs to identify the blocking rule, and then modifying the AWS WAF resource policy to prevent AWS WAF administrators from removing the logging configuration for any web ACLs in the future.
upvoted 1 times
...
Snape
1 month ago
Selected Answer: B
Resource based policy
upvoted 1 times
...
didorins
1 month, 2 weeks ago
B - Resource based policy is better than identity policy here.
upvoted 1 times
...
hro
2 months ago
Im going with B - the issue is the resource policy and not an IAM policy issue. The AWS WAF resource policy allowed for the logging not to be turned on.
upvoted 1 times
...
walter_white_008
2 months, 1 week ago
Selected Answer: B
Modifying Resource based policy is appropriate here. Purpose is to avoid WAF logging modification.
upvoted 1 times
...
lightrod
3 months, 1 week ago
Selected Answer: A
you should modify the resource policy as best practice
upvoted 1 times
walter_white_008
2 months, 1 week ago
the why select A , should have selected B
upvoted 1 times
...
...
vikasj1in
4 months ago
B. A Count action allows rules to collect data about requests that match the conditions but does not block or allow the requests. After making this change, the SE can review the logs in CloudWatch Logs to determine which rule is blocking the specific requests causing the application stability issues. To ensure that logging is not turned off in the future, the security engineer should modify the AWS WAF resource policy. This modification should restrict AWS WAF administrators from removing the logging configuration for any AWS WAF web ACLs, adding an extra layer of protection against inadvertent changes. C & D suggest including rules with Count and Challenge actions, which may not be necessary for the immediate resolution of the issue. Option A recommends modifying IAM policies, but modifying the AWS WAF resource policy is a more direct and suitable approach for preventing changes to logging configurations.
upvoted 1 times
...
yorkicurke
4 months, 4 weeks ago
Selected Answer: A
As many have suggested of why i'ts unnecessary to go for 'challenge' so C&D -> OUT As of why not picking B(resource-based) is because resource policy would only control access to that single web ACL. The question asks to ensure logging is not turned off for any web ACLs[well that's what's implied], which modifying IAM policies globally achieves but modifying a single resource policy does not. AWS documentation recommends applying least privilege permissions through IAM policies when managing access to resources across multiple accounts. This helps ensure permissions are restricted at the identity level rather than at the individual resource level.
upvoted 2 times
...
Aamee
5 months, 3 weeks ago
Selected Answer: A
It's def. not B. Going with option A cuz of IAM policy capability in this use case rather than resource policies.
upvoted 3 times
...
[Removed]
5 months, 3 weeks ago
Selected Answer: A
Challenge logs are not necessary here (CAPTCHA). We'll also want to restrict with IAM policies and NOT resource policies. Perhaps with SCPs as well. Answer is A
upvoted 2 times
WeepingMaplte
5 months ago
Challenge: Runs a silent background check on the client session to verify if it's a legitimate browser. Doesn't involve any user interaction, keeping the experience seamless. Less effective against sophisticated bots that can mimic browser behavior.
upvoted 1 times
...
...
oioi
5 months, 4 weeks ago
Selected Answer: B
correct
upvoted 1 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel