SCS-C01 (Page 40)

The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function.Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM.When the function executes, this parameter cannot be retrieved as the result of an access denied error.Which of the following actions will resolve the access denied error?Read More →

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services.The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and- control server but failing.This alert does not show up in GuardDuty.Why did GuardDuty fail to alert to this behavior?Read More →

An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced.The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.Which of the following explains why the logs are not available?Read More →

A company is testing a new version of its application.The company is using a public Amazon API Gateway API to expose the application.Currently, the company wants to allow only testers from its network to access the new application.Which solutions can the company use to meet these requirements? (Choose two.)Read More →

A company wants to implement a content delivery network for an upcoming product launch.The origin for distribution is an object store outside of AWS and requires the Authorization header from the request to be passed to it.How can a security engineer meet this requirement in the LEAST amount of time?Read More →

A company’s security engineer receives an abuse notification from AWS.The notification indicates that someone is hosting malware from the company’s AWS account.After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Choose three.)Read More →

A company has two web applications that run on Amazon EC2 and Amazon S3.The applications failed an HTTP security audit, and users are reporting latency issues.The applications need to deliver web content at low latencies while improving security and privacy for users and content providers.The company must implement a solution that does not require changes to the application code.Which combination of actions should the company take to meet these requirements? (Choose two.)Read More →

A security engineer is attempting to assign a virtual multi-factor authentication (MFA) device to an IAM user whose current virtual MFA device is faulty.The security engineer receives an error message that indicates that the security engineer is not authorized to perform iam:DeleteVirtualMFADevice.The IAM role that the security engineer is using has the correct permissions to delete, list, and create a virtual MFA device.The IAM user also has permissions to delete their own virtual MFA device, but only if the IAM user is authenticated with MFA.What should the security engineer do to resolve this issue?Read More →

A company wants to prevent public exposure of data that is stored in Amazon S3.Which combination of steps should a security engineer take to meet this requirement? (Choose two.)Read More →

A company is operating an AWS workload that consists of multiple applications that are deployed on Amazon EC2 instances.Recent changes to a security group caused connectivity issues for some application instances that use the security group.The company now needs all changes to security groups to initiate an alert to a specific company email address.Which solution will meet this requirement in the MOST operationally efficient manner?Read More →