By:
On:
In: SCS-C01
With: 0 Comments

A security engineer receives an abuse report email message from the AWS Trust and Safety team.The abuse report identifies a resource that appears to be compromised.The abuse report indicates that the resource is an IAM access key that belongs to a DevOps engineer in the security engineer’s company.The access key is used in a deployment system that uses AWS Lambda functions to launch AWS CloudFormation stacks.The security engineer must address the abuse report, prevent any further use of the exposed access key, and implement security best practices.Which solution will meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company’s application uses standard tier secure string parameters from AWS Systems Manager Parameter Store.The application is receiving error messages when the company tries to update a parameter.The parameter uses an AWS Key Management Service (AWS KMS) customer managed key for encryption and decryption.What are the reasons for the error messages? (Choose two.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR).The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances.All the company’s AWS accounts are in one organization in AWS Organizations.The company will analyze the workloads for software vulnerabilities and unintended network exposure.The company will push any findings to AWS Security Hub, which the company has configured for the organization.The company must deploy the solution to all member accounts, including new accounts, automatically.When new workloads come online, the solution must scan the workloads.Which solution will meet these requirements?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account.For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not.What is the MOST likely cause?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group.The application is accessed from the web over HTTPS.The data must always be encrypted in transit.The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.Which approach will meet these requirements while protecting the external certificate during a breach?Read More →

By:
On:
In: SCS-C01
With: 0 Comments

A Security Engineer is working with a Product team building a web application on AWS.The application uses Amazon S3 to host the static content, Amazon APIGateway to provide RESTful services; and Amazon DynamoDB as the backend data store.The users already exist in a directory that is exposed through a SAML identity provider.Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)Read More →

By:
On:
In: SCS-C01
With: 0 Comments

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.’s AWS account to help optimize costs.The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany’s AWS account to assume this role.When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany’s other customers might deduce Example Corp.’s role ARN and potentially compromise the company’s account.What steps should the Engineer perform to prevent this outcome?Read More →