SCS-C01 (Page 24)

A company wants to deploy an application in a private VPC that will not be connected to the internet.The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances.The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.Which combination of steps should the security team take? (Choose three.)Read More →

A Security Engineer must design a solution that enables the incident Response team to audit for changes to a user’s IAM permissions in the case of a security incident.How can this be accomplished?Read More →

An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances.The agent configuration files have been checked and the application log files to be pushed are configured correctly.A review has identified that logging from specific instances is missing.Which steps should be taken to troubleshoot the issue? (Choose two.)Read More →

A company has two AWS accounts: Account A and Account B.Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA).A security engineer must recommend a solution that meets this requirement with minimum risk and effort.Which solution should the security engineer recommend?Read More →

A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard.No evaluation results on compliance are returned in the Security Hub console after several hours.The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.Which steps should the security engineer take to meet these requirements?Read More →

A company’s development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS).The development team needs to create IAM roles to support these systems.The company’s security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles.The development team needs access to more permissions than those required for application’s AWS services.The solution must minimize management overhead.How should the security team prevent privilege escalation for both teams?Read More →

An application team is developing an internal application in its AWS account.Employees will use the application to access their employee benefits information.The application has an Amazon S3 bucket that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.The application team has configured an S3 gateway VPC endpoint for the application to use.During testing, an IAM user is unable to download objects from the S3 bucket by using the AWS Management Console.However, other IAM users in the same AWS account can download objects from the S3 bucket.Which policies or ACL should a security engineer review and modify to resolve this issue? (Choose three.)Read More →

A web application gives users the ability to log in, verify their membership’s validity, and browse artifacts that are stored in an Amazon S3 bucket.When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example.com.What is the MOST secure way for a security engineer to implement this functionality?Read More →

A company’s application uses Amazon DynamoDB to store data.The company’s security policy requires all data to be encrypted at rest.The security policy also requires the company to use an on-premises hardware security module (HSM) to generate and manage the company’s encryption keys.A security engineer uses the on-premises HSM to generate an encryption key.What should the security engineer do next to meet these requirements?Read More →

A company wants to protect its website from man-in-the-middle attacks by using Amazon CloudFront.Which solution will meet these requirements with the LEAST operational overhead?Read More →