SCS-C01 (Page 26)

A company is using AWS Organizations to create OUs for its accounts.The company has more than 20 accounts that are all part of the OUs.A security engineer must implement a solution to ensure that no account can stop log file delivery to AWS CloudTrail.Which solution will meet this requirement?Read More →

A company is designing a multi-account structure for its development teams.The company is using AWS Organizations and AWS Single Sign-On (AWS SSO).The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.Which solution will meet these requirements with the LEAST operational overhead?Read More →

A company’s data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key.The company has AWS Lambda functions that run in the same account as the S3 bucket.The Lambda functions need to access the data in the S3 bucket.A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.What should the security engineer do to meet this requirement?Read More →

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit.Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.Which of the following solutions will meet these requirements?Read More →

A DevOps team is planning to deploy a containerized application on Amazon Elastic Container Service (Amazon ECS).The team will use an Application Load Balancer (ALB) to distribute the incoming traffic for the ECS application.A security engineer needs to terminate the TLS traffic at the ALB to ensure security of data in transit.Which solutions can the security engineer use to create a certificate and deploy the certificate at the ALB to meet these requirements? (Choose two.)Read More →

A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts.A SecurityEngineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s AWS account.How should the company accomplish this with the least amount of administrative overhead?Read More →

A development team recently deployed a Java application on a default AWS Elastic Beanstalk environment.The application is unable to connect to an Amazon S3 bucket that has a default configuration in the same account.What should a security engineer do to troubleshoot this issue?Read More →

A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts.The company’s identity provider certificate was rotated as part of its normal lifecycle.Shortly after, users started receiving the following error when attempting to log in:”Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)”A security engineer needs to address the immediate issue and ensure that it will not occur again.Which combination of steps should the security engineer take to accomplish this? (Choose two.)Read More →

A security engineer is attempting to troubleshoot a problem.An application that runs on an Amazon EC2 instance in a VPC cannot communicate with an Amazon RDS DB instance in another subnet of the same VPC.The connection request is timing out.Which issues could be causing this problem? (Choose two.)Read More →

A company has decided to use AWS Key Management Service (AWS KMS) for all of its encryption keys.The company plans to create all of its keys as customer managed CMKs and will not import any encryption keys.The company must rotate its encryption keys once every 12 months.Which solution will meet these requirements?Read More →