SCS-C01 (Page 15)

A company has public certificates that are managed by AWS Certificate Manager (ACM).The certificates are either imported certificates or managed certificates from ACM with mixed validation methods.A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.What is the MOST operationally efficient way to meet this requirement?Read More →

A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers.The following summary describes the architecture:1.An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.2.Database, application, and web servers are configured on three different private subnets.3.The VPC has two route tables: one for the public subnet and one for all other subnets.The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway.The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway.All private subnets can route to each other.4.Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.5.There are 3 Security Groups (SGs): database, application, and web.Each group limits all inbound and outbound connectivity to the minimum required.Which of the following accurately reflects the access control mechanisms the Architect should verify?Read More →

A company has a VPC that contains a publicly accessible subnet and a privately accessible subnet.Both subnets send network traffic that is destined for the company’s data center through the public internet.The public subnet uses Route Table A, which has a default route for network traffic to travel through the internet gateway of the VPC.The private subnet uses Route Table B, which has a default route for network traffic to travel through a NAT gateway within the VPC.Recently, the company created an AWS Site-to-Site VPN connection to the VPC from one of is data centers.The tunnel s active and is working property between the customer gateway and the virtual private gateway.The CIDR blocks of the VPC and the data center do not overlap.According to a new security policy, all network traffic that originates from the VPC and travels to the data center must not travel across the public internet.A security engineer determines that resources in the public subnet and private subnet are still sending traffic across the public internet to the data center.Which combination of steps will ensure that all network traffic that originates from the VPC will not use the public internet to communicate with the data cantor? (Choose two.)Read More →

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.Which actions must the Security Engineer take to access these audit findings? (Choose three.)Read More →

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7.All of the company’s AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.Which solution will meet these requirements?Read More →

A company has deployed servers on Amazon EC2 instances in a VPC.External vendors access these servers over the internet.Recently, the company deployed a new application on EC2 instances in a new CIDR range.The company needs to make the application available to the vendors.A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound diction.However, the vendors cannot connect to the application.Which solution will provide the vendors access to the application?Read More →

A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly.Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default.A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.What would resolve the connectivity issue?Read More →

The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress.Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?Read More →

A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards.Which of the following actions should the Engineer perform to get further guidance?Read More →

A company recently began using Amazon Route 53 as its DNS provider.The company must log public DNS queries that Route 53 receives.The company has activated Route 53 public DNS query logging.The queries must be stored in a highly durable storage solution that deletes logs that are older than 1 year.Which solution will meet these requirements MOST cost-effectively?Read More →