By:
On:
In: SCS-C01
With: 0 Comments

A company needs to encrypt all of its data stored in Amazon S3.The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys.The company’s security policies require the ability to import the company’s own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.How should a security engineer set up AWS KMS to meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company has a PHP-based web application that uses Amazon S3 as an object store for user files.The S3 bucket that stores the files is configured for server- side encryption with S3 managed encryption keys (SSE-S3).According to new security requirements, the company must control all encryption keys.Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls.Which combination of steps must a security engineer take to meet these requirements? (Choose three.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company plans to move most of its IT infrastructure to AWS.They want to leverage their existing on-premises Active Directory as an identity provider for AWS.Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with AWS? (Choose two.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.0/0.The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant.A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups.What should the security engineer do next to meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform.A unique client token is generated in the SaaS platform to grant access to the Lambda function.A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.Which solution will meet these requirements MOST cost-effectively?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company has a web server in the AWS Cloud.The company will store the content for the web server in an Amazon S3 bucket.A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content.None of the files can be publicly accessible from the S3 bucket direct.Which solution will meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account.However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency.For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.What should a security engineer do to configure access to these EC2 instances to meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company’s security engineer is investigating an Amazon GuardDuty finding for unusual activity for an IAM role.The AWS account has AWS Single Sign-On configured with federation with the company’s on-premises Active Directory domain controller.The security engineer determines that the root cause of the finding is a compromised Active Directory identity on premises.Multiple production workloads are using the IAM role on AWS.The security engineer must mitigate the unauthorized use of the IAM role while minimizing production workload downtime on AWS.Which combination of actions should the security engineer take to meet these requirements? (Choose two.)Read More →