SCS-C01 (Page 10)

A large government organization is moving to the cloud and has specific encryption requirements.The first workload to move requires that a customer’s data be immediately destroyed when the customer makes that request.Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.Which solution will meet these requirements?Read More →

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic ContainerService (Amazon ECS).This solution will also handle volatile traffic patterns.Which solution would have the MOST scalability and LOWEST latency?Read More →

A company is running an application on Amazon EC2 instances in an Auto Scaling group.The application stores logs locally.A security engineer noticed that logs were lost after a scale-in event.The security engineer needs to recommend a solution to ensure the durability and availability of log data.All logs must be kept for a minimum of 1 year for auditing purposes.What should the security engineer recommend?Read More →

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.What techniques will limit lateral movement and allow evidence gathering?Read More →

A company is setting up products to deploy in AWS Service Catalog.Management is concerned that when users launch products, elevated IAM privileges will be required to create resources.How should the company mitigate this concern?Read More →

A company is using AWS Organizations to manage multiple AWS accounts.The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK.However, when users try to access the files in the S3 bucket, they get an access denied error.What should a security engineer do to troubleshoot this error? (Choose three.)Read More →

A company’s director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWSSecurity best practices.Which solution would meet these requirements?Read More →

A company’s security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic.An Amazon SQS queue is subscribed to this SNS topic.The company’s SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.Which of the following are possible causes of this issue? (Choose three.)Read More →

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance.The plan must recommend a solution to meet the following requirements:✑ A trusted forensic environment must be provisioned.✑ Automated response processes must be orchestrated.Which AWS services should be included in the plan? (Choose two.)Read More →

An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB.A new feature request reads as follows:Provide a mechanism to mark customers as suspended pending investigation or suspended permanently.Customers should still be able to log in when suspended, but should not be able to make changes.The priorities are to reduce complexity and avoid potential for future security issues.Which approach will meet these requirements and priorities?Read More →