SCS-C01 (Page 26)

A company has a VPC with several Amazon EC2 instances behind a NAT gateway.The company’s security policy states that all network traffic must be logged and must include the original source and destination IP addresses.The existing VPC Flow Logs do not include this information.A security engineer needs to recommend a solution.Which combination of steps should the security engineer recommend? (Choose two.)Read More →

A company manages multiple AWS accounts using AWS Organizations.The company’s security team notices that some member accounts are not sending AWSCloudTrail logs to a centralized Amazon S3 logging bucket.The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.Which set of actions should the security team implement to accomplish this?Read More →

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company’s primary website.TheGuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate.The security engineer needs to deny access to the malicious actor.What is the first step the security engineer should take?Read More →

Developers in an organization have moved from a standard application deployment to containers.The Security Engineer is tasked with ensuring that containers are secure.Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)Read More →

An application outputs logs to a text file.The logs must be continuously monitored for security incidents.Which design will meet the requirements with MINIMUM effort?Read More →

An application has been written that publishes custom metrics to Amazon CloudWatch.Recently, IAM changes have been made on the account and the metrics are no longer being reported.Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?Read More →

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.Which action should the Engineer take based on this situation? (Choose three.)Read More →

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations.These events must be recorded and retained in a centralized location for both current and future AWS regions.What is the SIMPLEST way to meet these requirements?Read More →

The Security Engineer is managing a web application that processes highly sensitive personal information.The application runs on Amazon EC2.The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.Which architecture should the Security Engineer use to meet these requirements?Read More →

A company has a customer master key (CMK) with imported key materials.Company policy requires that all encryption keys must be rotated every year.What can be done to implement the above policy?Read More →