SCS-C01 (Page 21)

A company’s Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs.The applications are accessed by a group of partner companies.The Security Engineer needs to implement the following host-based security measures for these instances:✑ Block traffic from documented known bad IP addresses.✑ Detect known software vulnerabilities and CIS Benchmarks compliance.Which solution addresses these requirements?Read More →

A company is operating an open-source software platform that is internet facing.The legacy software platform no longer receives security updates.The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster.A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided.The company’s Security Engineer must secure this system against SQL injection attacks within 24 hours.The Security Engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.What should the Security Engineer do to meet these requirements?Read More →

A company is developing an ecommerce application.The application uses Amazon EC2 instances and an Amazon RDS MySQL database.For compliance reasons, data must be secured in transit and at rest.The company needs a solution that minimizes operational overhead and minimizes cost.Which solution meets these requirements?Read More →

Unapproved changes were previously made to a company’s Amazon S3 bucket.A security engineer configured AWS Config to record configuration changes made to the company’s S3 buckets.The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent.The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.Which combination of steps should the security engineer take to resolve the issue? (Choose two.)Read More →

A company’s policy requires that all API keys be encrypted and stored separately from source code in a centralized security account.This security account is managed by the company’s security team.However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWSCodeCommit repository in the DevOps account.How should the security team securely store the API key?Read More →

A company is outsourcing its operational support to an external company.The company’s security officer must implement an access solution for delegating operational support that minimizes overhead.Which approach should the security officer take to meet these requirements?Read More →

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data.During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company’s source code repository.A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically.The credentials should be accessible to the application only.The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates.The solution must also minimize administrative overhead.Which solution meets these requirements?Read More →

A software-as-a-service (SaaS) company hosts an application on AWS in a VPC.External customers will use the application on their own Amazon EC2 instances.To access the application, the customers need to install a client application on an EC2 instance in a VPC in their AWS accounts.A security engineer is designing a solution to allow communication between the client software and the SaaS application.The solution must maximize scalability and security.Which combination of actions will meet these requirements? (Choose two.)Read More →

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.All EBS snapshots are encrypted using an AWS KMS CMK.Which solution would solve this problem?Read More →

A company uses AWS Certificate Manager (ACM) to automate the renewal of SSL/TLS certificates that the company’s Elastic Load Balancers use.The company recently noticed that ACM was unable to automatically renew some certificates.These certificates have a status of “pending validation” in the ACM console.A security engineer configured the certificates by using DNS validation.The security engineer has verified that the existing certificates have not expired.What should the security engineer do to correct this issue?Read More →