Tip 2 Cloud

Learn & move to cloud

SCS-C01 (Page 5)

Which of the following options will mitigate the threat?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows: Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control. Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption. Which of the following options will mitigate the threat? (Choose two.)

Which of the following may be causing this problem?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)

What approach would enable the Security team to find out what the former employee may have done within AWS?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within AWS?

What is the MOST cost-effective way to correct this?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault. What is the MOST cost-effective way to correct this?

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets. How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

Which solution will meet these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company’s application team needs to host a MySQL database on AWS. According to the company’s security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation. The application team needs a solution that satisfies the company’s security requirements and minimizes operational overhead. Which solution will meet these requirements?

What is the FASTEST way for the security engineer to identify the federated user?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?

What should the Security Engineer do to meet these requirements?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company’s Security Engineer has been tasked with restricting a contractor’s IAM account access to the company’s Amazon EC2 console without providing access to any other AWS services. The contractor’s IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the Security Engineer do to meet these requirements?

Which solution will meet these requirements in the MOST operationally efficient manner?

2025-01-12
By: study aws cloud
On: January 12, 2025
In: SCS-C01

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?


© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.