By:
On:
In: SCS-C01
With: 0 Comments

A company is implementing a new application in a new AWS account.A VPC and subnets have been created for the application.The application has been peered to an existing VPC in another account in the same AWS Region for database access.Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521.A security engineer must ensure that only theEC2 instances than need access to the databases can access them through the network.How can the security engineer implement this solution?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company is using AWS Organizations to manage multiple AWS member accounts.All of these accounts have Amazon GuardDuty enabled in all Regions.The company’s AWS Security Operations Center has a centralized security account for logging and monitoring.One of the member accounts has received an excessively high bill.A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency.The Security OperationsCenter did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance.The security engineer needs to ensure all GuardDuty findings are available in the security account.What should the security engineer do to resolve this issue?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company uses AWS Organization to manage 50 AWS accounts.The finance staff members log in as AWS IAM users in the FinanceDept AWS account.The staff members need to read the consolidated billing information in the MasterPayer AWS account.They should not be able to view any other resources in theMasterPayer AWS account.IAM access to billing has been enabled in the MasterPayer account.Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A security engineer receives an AWS abuse email message.According to the message, an Amazon EC2 instance that is running in the security engineer’s AWS account is sending phishing email messages.The EC2 instance is part of an application that is deployed in production.The application runs on many EC2 instances behind an Application Load Balancer.The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols.Upon investigation, the security engineer discovers that email messages are being sent over port 587.All other traffic is normal.The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime.Which combination of steps must the security engineer take to meet these requirements? (Choose three.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

An audit determined that a company’s Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic.A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.Which solution meets these requirements with the MOST operational efficiency?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company stores images for a website in an Amazon S3 bucket.The company is using Amazon CloudFront to serve the images to the end users.The company recently discovered that the images are being accessed form countries where the company does not have a distribution license.Which actions should the company take to secure the images to limit their distribution? (Choose two.)Read More →