Tip 2 Cloud

Learn & move to cloud

SCS-C01 (Page 20)

What should the security engineer do to meet these requirements?

By: study aws cloud
On: January 10, 2025
In: SCS-C01

A company provides an AWS account for each of its teams. Members of each team authenticate with AWS by using user accounts in their own team’s account. The company created a project-specific AWS account for collaboration by three or more teams. The company also created a new Amazon S3 bucket inside this new account. There is no S3 bucket policy or S3 ACL. A security engineer must implement a secure solution so that all teams can read objects and write to objects that are stored in the S3 bucket. What should the security engineer do to meet these requirements?

Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?

By: study aws cloud
On: January 10, 2025
In: SCS-C01

A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less. Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?

Which actions will meet the program requirements that address security?

By: study aws cloud
On: January 10, 2025
In: SCS-C01

A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company’s corporate identity provider (IdP). The developers access a set of AWS services from their corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer. Which actions will meet the program requirements that address security?

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

By: study aws cloud
On: January 10, 2025
In: SCS-C01

A company’s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker’s IP address for future occurrences?

Which solution will meet these requirements?

By: study aws cloud
On: January 9, 2025
In: SCS-C01

A company has a single-page application (SPA) that is served by Amazon CloudFront. An Amazon S3 bucket is the origin of the CloudFront distribution. The company is using Amazon Cognito for authentication. An external security review reveals that unauthenticated users can download the application source code from the SPA in index.html and view internal details of the SPA. A security engineer needs to implement a solution to avoid exposing the source code to unauthenticated users. Which solution will meet these requirements?

What else should the security engineer check to determine why the request from the EC2 instance is failing?

By: study aws cloud
On: January 9, 2025
In: SCS-C01

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway. A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication. What else should the security engineer check to determine why the request from the EC2 instance is failing?

How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

By: study aws cloud
On: January 9, 2025
In: SCS-C01

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

By: study aws cloud
On: January 9, 2025
In: SCS-C01

A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts. A security engineer integrates Amazon EKS with AWS CloudTrail. The CloudTrail trails are stored in an Amazon S3 bucket in each account to monitor API calls. The security engineer observes that CloudTrail logs are not displaying Kubernetes pod creation events. What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

Which solutions could a security engineer use to meet these requirements?

By: study aws cloud
On: January 9, 2025
In: SCS-C01

A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company’s security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext. Which solutions could a security engineer use to meet these requirements? (Choose two.)

What is the MOST scalable solution that meets these requirements?

By: study aws cloud
On: January 9, 2025
In: SCS-C01

A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization. What is the MOST scalable solution that meets these requirements?


© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.