SCS-C01 (Page 4)

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed.The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.What solution will allow the Security team to complete this request?Read More →

Company A has an AWS account that is named Account A.Company A recently acquired Company B, which has an AWS account that is named Account B.Company B stores its files in an Amazon S3 bucket.The administrators need to give a user from Account A full access to the S3 bucket in Account B.After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.Which solution will resolve this issue?Read More →

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server.This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.The architecture includes network ACLs, security groups, and a virtual security appliance.In addition, the Development team has implemented Application LoadBalancers (ALBs) to distribute the load across all web servers.It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.The Security Engineer has verified the following:1.The rule set in the Security Groups is correct2.The rule set in the network ACLs is correct3.The rule set in the virtual appliance is correctWhich of the following are other valid items to troubleshoot in this scenario? (Choose two.)Read More →

A company has an IAM group.All of the IAM users in the group have been assigned a multi-factor authentication (MFA) device and have full access to AmazonS3.The company needs to ensure that users in the group can perform S3 actions only after the users authenticate with MFA.A security engineer must design a solution that accomplishes this goal with the least maintenance overhead.Which combination of actions will meet these requirements? (Choose two.)Read More →

A company is migrating one of its legacy systems from an on-premises data center to AWS.The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons.The database is sensitive to network latency.Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.Which combination of AWS solutions will meet these requirements? (Choose two.)Read More →

A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise.The Administrator wants to analyze suspicious AWSCloudTrail log files but is overwhelmed by the volume of audit logs being generated.What approach enables the Administrator to search through the logs MOST efficiently?Read More →

An international company has established a new business entity in South Korea.The company also has established a new AWS account to contain the workload for the South Korean region.The company has set up the workload in the new account in the ap-northeast-2 Region.The workload consists of three Auto Scaling groups of Amazon EC2 instances.All workloads that operate in this Region must keep system logs and application logs for 7 years.A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities.The solution also must keep the logs for only the required period of 7 years.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →

A company uses AWS Organizations to manage several AWs accounts.The company processes a large volume of sensitive data.The company uses a serverless approach to microservices.The company stores all the data in either Amazon S3 or Amazon DynamoDB.The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls.The company creates an AWS Key Management Service (AWS KMS) customer managed key.What should the company do next to meet these requirements?Read More →

A company has deployed workloads in multiple AWS accounts that are all within a single organization in AWS Organizations.The company is using Amazon CloudWatch Logs to implement a new logging solution.The company runs a workload on Amazon EC2 instances that are in an account within the organization.The company has installed the CloudWatch agent on each workload instance and has configured the agent identically on each instance.The configuration specifies that application logs will be forwarded to CloudWatch Logs.The workload VPC has both public and private subnet tiers.The EC2 instances that are in the public subnets have the frontend-instance-role IAM role attached.The EC2 instances that are in the private subnets have the backend-instance-role IAM role attached.The workload uses VPC endpoints to communicate with various AWS services.Recently, log records from instances that use the frontend-instance-role role stopped appearing in CloudWatch Logs.CloudWatch Logs still receives log files from instances that use the backend-instance-role role.Which reason explains why the EC2 instances that use the frontend-instance-role stopped sending logs to CloudWatch Logs?Read More →

A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue.All the company’s accounts are within an organization in AWS Organizations.The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.What should the security engineer do to meet these requirements?Read More →