SCS-C01 (Page 17)

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket.The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3.The inventory data on Amazon S3 will be shared of vendors.All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3.The vendor list may change weekly, and the solution must support cross-account access.What is the MOST efficient way to manage access control for the KMS CMK7?Read More →

A company’s database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager.The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.After a short period of time, a number of existing applications have failed with authentication errors.What is the MOST likely cause of the authentication errors?Read More →

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality.These devices each have unique access credentials.An operational safety policy requires that access to specific credentials is independently auditable.What is the MOST cost-effective way to manage the storage of credentials?Read More →

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.What is the most efficient way to remediate the risk of this activity?Read More →

A financial institution has the following security requirements:✑ Cloud-based users must be contained in a separate authentication domain.✑ Cloud-based users cannot access on-premises systems.As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances.An ActiveDirectory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.How would the organization manage its resources in the MOST secure manner? (Choose two.)Read More →

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones.Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.What would be the BEST way to reduce the potential impact of these attacks in the future?Read More →

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)Read More →

Which of the following minimizes the potential attack surface for applications?Read More →

Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service.However, logs stop being delivered after the associated log stream has been active for a specific number of hours.What steps are necessary to identify the cause of this phenomenon? (Choose two.)Read More →

A company has multiple production AWS accounts.Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account.Two of the production accounts have trails that are not logging anything to the S3 bucket.Which steps should be taken to troubleshoot the issue? (Choose three.)Read More →