By:
On:
In: SCS-C01
With: 0 Comments

A company’s data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key.The company has AWS Lambda functions that run in the same account as the S3 bucket.The Lambda functions need to access the data in the S3 bucket.A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.What should the security engineer do to meet this requirement?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company is designing a multi-account structure for its development teams.The company is using AWS Organizations and AWS Single Sign-On (AWS SSO).The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.Which solution will meet these requirements with the LEAST operational overhead?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS.The company needs to ensure that the container images contain no severe vulnerabilities.The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images.Which solution will meet these requirements with the LEAST management overhead?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company has several production AWS accounts and a central security AWS account.The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account.All of the company’s Amazon S3 buckets are tagged with a value denoting the data classification of their contents.A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance.The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket’s data classification.If any change is out of compliance, the Security team must be notified quickly.Which combination of actions would build the required solution? (Choose three.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances.These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance.Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.The credentials must be stored so that the EC2 instances and the Lambda functions can access them.No other access is allowed.The access logs must record when the credentials were accessed and by whom.What should the Security Engineer do to meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

An application makes calls to AWS services using the AWS SDK.The application runs on Amazon EC2 instances with an associated IAM role.When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.Which combination of steps should the Administrator take to troubleshoot this issue? (Choose three.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance.The data is asynchronously replicated to an Amazon S3 bucket.Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK).A former employee scheduled a deletion of that CMK before leaving the company.The company’s Developer Operations department learns about this only after the CMK has been deleted.Which steps must be taken to address this situation?Read More →