Tip 2 Cloud

Learn & move to cloud

SCS-C01 (Page 3)

How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities. How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

Which combination of steps will meet these requirements?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”. The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access. Which combination of steps will meet these requirements? (Choose two.)

Which solution will meet these requirements?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege. The security engineer plans to audit the IAM permissions once every 365 days. The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions. Which solution will meet these requirements?

Which solution meets these requirements?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A security engineer needs to ensure their company’s use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used. Which solution meets these requirements?

How can the Security Engineer further protect currently running instances?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A Developer’s laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan. How can the Security Engineer further protect currently running instances?

What is the MOST efficient way to meet these requirements?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected. What is the MOST efficient way to meet these requirements?

How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS. How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

Which set of network ACL changes will increase the security of the application while ensuring functionality?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80. The ALB is in public subnets that are associated with a network ACL that is named NACL. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic. Which set of network ACL changes will increase the security of the application while ensuring functionality?

Which solution meets these requirements with the LEAST overhead?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company has a security team that manages its AWS Key Management Service (AWS KMS) CMKs. Members of the security team must be the only ones to administer the CMKs. The company’s application team has a software process that needs temporary access to the CMKs occasionally. The security team must provide the application team’s software process access to the CMKs. Which solution meets these requirements with the LEAST overhead?

Which combination of steps should the security engineer take to meet these requirements?

By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin. A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key. The solution must minimize operational overhead. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)


© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.