SCS-C01 (Page 10)

While securing the connection between a company’s VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139).The ping command did not return a response.The flow log in the VPC showed the following:2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OKWhat action should be performed to allow the ping to work?Read More →

A company has a website with an Amazon CloudFront HTTPS distribution an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content.The company’s security engineer recently updated the website security requirements:✑ HTTPS needs to be enforced for all data in transit with specific ciphers.✑ The CloudFront distribution needs to be accessible from the internet only.Which solution will meet these requirements?Read More →

A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance.A security engineer needs to regain access to the instance.Which combination of steps will meet this requirement? (Choose two.)Read More →

A company website runs on Amazon EC2 instances behind an Application Load Balancer (ALB).The instances run in an Auto Scaling group across multipleAvailability Zones.There is an Amazon CloudFront distribution in front of the ALB.Users are reporting performance problems.A security engineer discovers that the website is receiving a high rate of unwanted requests to the CloudFront distribution originating from a series of source IP addresses.How should the security engineer address this problem?Read More →

A company needs to retain log data archives for several years to be compliant with regulations.The log data is no longer used, but it must be retained.What is the MOST secure and cost-effective solution to meet these requirements?Read More →

A company’s security officer is concerned about the risk of AWS account root user logins and has assigned a security engineer to implement a notification solution for near-real-time alerts upon account root user logins.How should the security engineer meet these requirements?Read More →

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance.One rule states that traffic to and from the workload must be inspected for network-level attacks.This involves inspecting the whole packet.To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance.The engineer must then configure the software to monitor traffic to and from the application instances.What should the security engineer do next?Read More →

A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS.A security engineer needs to configure a highly available and secure two-tier architecture.The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, andSQL injection.Which solution meets these requirements?Read More →

A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group.The security engineer is concerned that this EC2 instance may be compromised.What immediate action should the security engineer take?Read More →

Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?Read More →