Tip 2 Cloud

Learn & move to cloud

SCS-C01 (Page 2)

How can the security engineer meet these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A company is running an Amazon RDS Multi-AZ DB instance inside a VPC. The DB instance is using two subnets that provide a default route to the internet through a NAT gateway. The company also has application servers that run on Amazon EC2 instances that use the RDS database. The company has deployed these EC2 instances into two other private subnets within the same VPC. These EC2 instances use a default route to access the internet through the same NAT gateway. Each subnet in the VPC uses its own unique route table. After a recent security audit, the company added a new security requirement. The DB instance must never be able to connect to the internet. A security engineer must make this change immediately without disrupting the application servers’ network traffic. How can the security engineer meet these requirements?

Which solution meets these criteria?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days. Which solution meets these criteria?

Which configuration steps should the security engineer take to accomplish this task?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?

Which process should the bash script use to encrypt the file?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) CMK with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job. Which process should the bash script use to encrypt the file?

What is the FASTEST way to prevent the sensitive data from being exposed?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?

What should the security engineer do so that the function can rotate the secret?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet. A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials. The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance’s security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly. What should the security engineer do so that the function can rotate the secret?

What should a security engineer do to meet these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A company uses AWS CodePipeline for its software builds. Company policy mandates that code must be deployed to the staging environment before it is deployed to the production environment. The company needs to implement monitoring and alerting to detect when a CodePipeline pipeline is used to deploy code to production without the code first being deployed to staging. What should a security engineer do to meet these requirements?

Which solution meets these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A user is implementing a third-party web application on an Amazon EC2 instance. All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance. Communication to the instance must be over port 80. Company policy requires that workloads reside in private subnets. Which solution meets these requirements?

What is the MOST secure solution that meets these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A company needs to provide digital evidence to a security engineer for analysis. The evidence must be encrypted and the immutability of the source data must be maintained. What is the MOST secure solution that meets these requirements?

Which solution meets these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01
With: 0 Comments

A large company has hundreds of AWS accounts. The company needs to provide its employees with access to these accounts. The solution must maximize scalability and operational efficiency. Which solution meets these requirements?


© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.