SCS-C01 (Page 14)

A company uses AWS Organizations to manage a small number of AWS accounts.However, the company plans to add 1,000 more accounts soon.The company allows only a centralized security team to create IAM roles for all AWS accounts and teams.Application teams submit requests for IAM roles to the security team.The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.The security team must create a process that will allow application teams to provision their own IAM roles.The process must also limit the scope of IAM roles and prevent privilege escalation.Which solution will meet these requirements with the LEAST operational overhead?Read More →

A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed.The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket.Which solution meets these requirements with the LEAST amount of operational overhead?Read More →

A team is using AWS Secrets Manager to store an application database password.Only a limited number of IAM principals within the account can have access to the secret.The principals who require access to the secret change frequently.A security engineer must create a solution that maximizes flexibility and scalability.Which solution will meet these requirements?Read More →

A company has a strict policy against using root credentials.The company’s security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console.How should the security team achieve this goal?Read More →

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table.A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes.The software engineering team needs to make changes that will address the audit findings.Which set of steps should the software engineering team take?Read More →

A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.How should a Security Engineer accomplish this?Read More →

A Website currently runs on Amazon EC2, with mostly static content on the site.Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.What are some ways the Engineer could achieve this? (Choose three.)Read More →

Example.com is hosted on Amazon EC2 instance behind an Application Load Balancer (ALB).Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host.The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.What is the MOST secure way to meet these requirements?Read More →

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago.A Security Engineer must review all use of the exposed keys to determine the extent of the exposure.The company enabled AWS CloudTrail in all regions when it opened the account.Which of the following will allow the Security Engineer to complete the task?Read More →

A company has public certificates that are managed by AWS Certificate Manager (ACM).The certificates are either imported certificates or managed certificates from ACM with mixed validation methods.A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.What is the MOST operationally efficient way to meet this requirement?Read More →