SCS-C01 (Page 36)

A security engineer is attempting to push a Linux-based container image to an Amazon Elastic Container Registry (Amazon ECR) repository that is in the us-east-1 Region.The security engineer has retrieved an authentication token by using the aws ecr get-login-password AWS CLI command within the last 4 hours.The security engineer has confirmed that the correct permissions are in place to push the container image to the repository.When the security engineer tries to push the container image, the security engineer receives the following error: “no basic auth credentials”.What should the security engineer do to resolve this error?Read More →

A pharmaceutical company has digitized versions of historical prescriptions stored on premises.The company would like to move these prescriptions to AWS and perform analytics on the data in them.Any operation with this data requires that the data be encrypted in transit and at rest.Which application flow would meet the data protection requirements on AWS?Read More →

Amazon GuardDuty has detected communications to a known command and control endpoint from a company’s Amazon EC2 instance.The instance was found to be running a vulnerable version of a common web framework.The company’s security operations team wants to quickly identify other compute resources with the specific version of that framework installed.Which approach should the team take to accomplish this task?Read More →

A company has multiple AWS accounts that are part of AWS Organizations.The company’s Security team wants to ensure that even those Administrators with full access to the company’s AWS accounts are unable to access the company’s Amazon S3 buckets.How should this be accomplished?Read More →

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)Read More →

A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks.The EC2 instances are launched in EC2 Auto Scaling groups.To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK.The Security Engineer configured the KMS key policy to allow cross-account access.However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?Read More →

A company wants to encrypt the private network between its on-premises environment and AWS.The company also wants a consistent network experience for its employees.What should the company do to meet these requirements?Read More →

A Development team has built an experimental environment to test a simple static web application.It has built an isolated VPC with a private and a public subnet.The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway.The private subnet holds all of the Amazon EC2 instances.There are 3 different types of servers.Each server type has its own Security Group that limits access to only required connectivity.The Security Groups have both inbound and outbound rules applied.Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)Read More →

Auditors for a health care company have mandated that all data volumes be encrypted at rest.Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?Read More →

A company’s Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs.The applications are accessed by a group of partner companies.The Security Engineer needs to implement the following host-based security measures for these instances:✑ Block traffic from documented known bad IP addresses.✑ Detect known software vulnerabilities and CIS Benchmarks compliance.Which solution addresses these requirements?Read More →