SCS-C01 (Page 14)

A company uses Amazon EC2 Linux instances in the AWS Cloud.A member of the company’s security team recently received a report about common vulnerability identifiers on the instances.A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed.The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.What should the security engineer do to meet these requirements?Read More →

A company that builds document management systems recently performed a security review of its application on AWS.The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit.A security engineer must implement a solution that prevents uploads that are not encrypted in transit.Which solution will meet this requirement?Read More →

A company deployed Amazon GuardDuty in the us-east-1 Region.The company wants all DNS logs that relate to the company’s Amazon EC2 instances to be inspected.What should a security engineer do to ensure that the EC2 instances are logged?Read More →

A security administrator is setting up a new AWS account.The security administrator wants to secure the data that a company stores in an Amazon S3 bucket.The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.Which solution will meet these requirements with the LEAST operational overhead?Read More →

A company runs an application on Amazon EC2 instances that run on Amazon Linux 2.The application outputs important information to a custom log file.To support troubleshooting and incident response, new events in the log files must be available to the company’s operations staff within 30 minutes.The operations staff needs a solution to retrieve the latest custom log information without using interactive sessions to connect to the instances.Which solutions will meet these requirements? (Choose two.)Read More →

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow.The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform.The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.Which solution will meet this requirement?Read More →

A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage.The instance is making connections to known malicious addresses.The instance is in a development account within a VPC that is in the us-east-1 Region.The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1 b.Each subnet is associate with a route table that uses the internet gateway as a default route.Each subnet also uses the default network ACL.The suspicious EC2 instance runs within the us-east-1 b subnet.During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.Which response will immediately mitigate the attack and help investigate the root cause?Read More →

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region.The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region.However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.What should the company do to set up the snapshot in us-west-1 with proper encryption?Read More →

A company’s security administrator receives an AWS Abuse notification that an IAM user’s access key might be compromised.A legacy application uses the IAM user.The security administrator must remediate the potential compromise with the least possible downtime to the application.Which solution will meet these requirements?Read More →

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket.The company will use server-side encryption to encrypt the S3 bucket.The company’s operations team manages access to the company’s S3 buckets.The company’s security team manages access to encryption keys.The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.Which solution will meet this requirement?Read More →