SCS-C01 (Page 27)

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of `Sensitive,` `Confidential,` and `Restricted.` The security solution must meet all of the following requirements:✑ Each object must be encrypted using a unique key.✑ Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.✑ AWS KMS must automatically rotate encryption keys annually.Which of the following meets these requirements?Read More →

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application LoadBalancer (ALB).The ALB is terminating TLS and balancing load across ECS service tasks.A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that it is never accessible directly.How should the security engineer build the MOST secure solution?Read More →

A city is implementing an election results reporting website that will use Amazon CloudFront.The website runs on a fleet of Amazon EC2 instances behind anApplication Load Balancer (ALB) in an Auto Scaling group.Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket.A security engineer needs to ensure that all external access to the website goes through CloudFront.Which solution meets these requirements?Read More →

A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion.The encryption key can be no more than 10 days old or encrypt more than 2^16 objects.Any encryption key must be generated on a FIPS-validated hardware security module (HSM).The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.Which approach MOST efficiently meets the company’s needs?Read More →

A large government organization is moving to the cloud and has specific encryption requirements.The first workload to move requires that a customer’s data be immediately destroyed when the customer makes that request.Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.Which solution will meet these requirements?Read More →

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic ContainerService (Amazon ECS).This solution will also handle volatile traffic patterns.Which solution would have the MOST scalability and LOWEST latency?Read More →

A company is running an application on Amazon EC2 instances in an Auto Scaling group.The application stores logs locally.A security engineer noticed that logs were lost after a scale-in event.The security engineer needs to recommend a solution to ensure the durability and availability of log data.All logs must be kept for a minimum of 1 year for auditing purposes.What should the security engineer recommend?Read More →

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.What techniques will limit lateral movement and allow evidence gathering?Read More →

A company is setting up products to deploy in AWS Service Catalog.Management is concerned that when users launch products, elevated IAM privileges will be required to create resources.How should the company mitigate this concern?Read More →

A company is using AWS Organizations to manage multiple AWS accounts.The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK.However, when users try to access the files in the S3 bucket, they get an access denied error.What should a security engineer do to troubleshoot this error? (Choose three.)Read More →