By:
On:
In: SCS-C01
With: 0 Comments

A company has an organization in AWS Organizations.The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization.The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key.The automation consists of AWS Lambda functions and AWS Step Functions state machines.The automation assumes an IAM role in the target AWS account.The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots.The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots.During testing, the automation fails to copy the snapshots into the security team’s AWS account.Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Choose three.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront.HLS splits the video content into chunks so that the user can request the right chunk based on different conditions.Because the video events last for several hours, the total video is made up of thousands of chunks.The origin URL is not disclosed, and every user is forced to access the CloudFront URL.The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.What is the simplest and MOST effective way to protect the content?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company’s Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies.A Security Engineer is responsible for log aggregation.The Engineer must collect logs from all of the company’s AWS accounts in a centralized location to perform the analysis.How should the Security Engineer do this?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company has two applications: Application A and Application B. The applications run in different VPCs in the same account. The account is not part of an organization in AWS Organizations. The company’s development team manages both applications by using AWS CloudFormation.The development team splits into two teams, Now, Team A manages Application A. Team B manages Application B. AWS CloudTrail logs in the account are sent to an Amazon S3 bucket.The company needs to prevent faults in one application from affecting the other application, ensure that teams can access only their own workloads, and send CloudTrail logs to a central S3 bucket. In addition, the company needs granular billing for each application.What is the MOST operationally efficient solution that meets these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A security engineer recently rotated all IAM access keys in an AWS account.The security engineer then configured AWS Config and enabled the following AWSConfig managed rules; mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.What could be the reason for the noncompliant status?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company’s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data.The company is concerned about malicious scanning and DDoS attacks.The company wants to impose a restriction in which each client IP address can read the data only 3 times in any 5-minute period.Which solution will meet this requirement with the LEAST effort?Read More →