SCS-C01 (Page 22)

A company uses Amazon RDS for MySQL as a database engine for its applications.A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest.A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.Which combination of steps should the security engineer take to accomplish this? (Choose two.)Read More →

An external auditor finds that a company’s user passwords have no minimum length.The company is currently using two identity providers:✑ AWS IAM federated with on-premises Active Directory✑ Amazon Cognito user pools to accessing an AWS Cloud application developed by the companyWhich combination of actions should the security engineer take to solve this issue? (Choose two.)Read More →

A company allows users to download its mobile app onto their phones.The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics.Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones.The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client’s privilege scope.Which combination of actions should the company take to prevent this threat? (Choose two.)Read More →

A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs.Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU.The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU.How can the company prevent developer accounts from launching unapproved EC2 instance types?Read More →

A company has a single AWS account and uses an Amazon EC2 instance to test application code.The company recently discovered that the instance was compromised.The instance was serving up malware.The analysis of the instance showed that the instance was compromised 35 days ago.A security engineer must implement a continuous monitoring solution that automatically notifies the company’s security team about compromised instances through an email distribution list for high severity findings.The security engineer must implement the solution as soon as possible.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region.Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest.The security engineer creates a destination S3 bucket in the us-west-2 Region.The destination S3 bucket is in the same AWS account as the source S3 bucket.The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket.The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket.The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket.However, all the unencrypted objects are replicated.Which combination of steps should the security engineer take to remediate this issue? (Choose three.)Read More →

A company is operating a website using Amazon CloudFront.CloudFront serves some content from Amazon S3 and other content from web servers running onAmazon EC2 instances behind an Application Load Balancer (ALB).Amazon DynamoDB is used as the data store.The company already uses AWS CertificateManager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront.The company has a new requirement to enforce end-to-end encryption in transit.Which combination of steps should the company take to meet this requirement? (Choose three.)Read More →

A company is using Amazon GuardDuty in its AWS environment.The company asks a security engineer to suspend GuardDuty.Which combination of steps must the security engineer perform to meet this requirement? (Choose two.)Read More →

A company recently deployed a new AWS account and wants to be notified immediately if a specific number of unauthorized AWS API requests are detected.A security engineer has turned on AWS CloudTrail for the account and is sending CloudTrail logs to Amazon CloudWatch.Which other action must the security engineer perform to receive automated alerts about unauthorized AWS API calls?Read More →

A company maintains an open-source application that is hosted on a public GitHub repository.While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access keys.The engineer reported the mistake to a manager, and the manager immediately disabled the access key.The company needs to assess the impact of the exposed access key.A security engineer must recommend a solution that requires the least possible managerial overhead.Which solution meets these requirements?Read More →