SCS-C01 (Page 2)

A company uses AWS Organizations.The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account.One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?Read More →

A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts.A security engineer integrates Amazon EKS with AWS CloudTrail.The CloudTrail trails are stored in an Amazon S3 bucket in each account to monitor API calls.The security engineer observes that CloudTrail logs are not displaying Kubernetes pod creation events.What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?Read More →

A company has an application that processes personally identifiable information (PII).The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB).The company’s security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext.Which solutions could a security engineer use to meet these requirements? (Choose two.)Read More →

A healthcare company has multiple AWS accounts in an organization in AWS Organizations.The company uses Amazon S3 buckets to store sensitive information of patients.The company needs to restrict users from deleting any S3 bucket across the organization.What is the MOST scalable solution that meets these requirements?Read More →

A company has an organization in AWS Organizations.The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization.The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key.The automation consists of AWS Lambda functions and AWS Step Functions state machines.The automation assumes an IAM role in the target AWS account.The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots.The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots.During testing, the automation fails to copy the snapshots into the security team’s AWS account.Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Choose three.)Read More →

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront.HLS splits the video content into chunks so that the user can request the right chunk based on different conditions.Because the video events last for several hours, the total video is made up of thousands of chunks.The origin URL is not disclosed, and every user is forced to access the CloudFront URL.The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.What is the simplest and MOST effective way to protect the content?Read More →

A company’s Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies.A Security Engineer is responsible for log aggregation.The Engineer must collect logs from all of the company’s AWS accounts in a centralized location to perform the analysis.How should the Security Engineer do this?Read More →

An Amazon S3 bucket is encrypted using an AWS KMS CMK.An IAM user is unable to download objects from the S3 bucket using the AWS ManagementConsole; however, other users can download objects from the S3 bucket.Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)Read More →

A company has two applications: Application A and Application B. The applications run in different VPCs in the same account. The account is not part of an organization in AWS Organizations. The company’s development team manages both applications by using AWS CloudFormation.The development team splits into two teams, Now, Team A manages Application A. Team B manages Application B. AWS CloudTrail logs in the account are sent to an Amazon S3 bucket.The company needs to prevent faults in one application from affecting the other application, ensure that teams can access only their own workloads, and send CloudTrail logs to a central S3 bucket. In addition, the company needs granular billing for each application.What is the MOST operationally efficient solution that meets these requirements?Read More →

A company is using AWS Secrets Manager to manage database credentials that an application uses to access Amazon DocumentDB (with MongoDB compatibility).The company needs to implement automated password rotation.Which solution will meet this requirement with the LEAST administrative overhead?Read More →