SCS-C01 (Page 5)

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams.AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account.A security engineer needs to ensure thatDevOps team members are unable to modify or disable this configuration.How can the security engineers meet these requirements?Read More →

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.Which combination of AWS services and features will provide protection in this scenario? (Choose three.)Read More →

An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center.An on-premises application must share limited confidential information with the applications in AWS.The internet performance is unpredictable.Which configuration will ensure continued connectivity between sites MOST securely?Read More →

An organization operates a web application that serves users globally.The application runs on Amazon EC2 instances behind an Application Load Balancer.There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF.The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp;ExampleGame/1.22; Mobile/1.0)What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?Read More →

An organization has tens of applications deployed on thousands of Amazon EC2 instances.During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.How can the Application team’s requirements be met?Read More →

An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether.Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?Read More →

The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs.After the switch, some users on older devices are no longer able to connect to the website.What is causing this situation?Read More →

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.Pattern:”randomID_datestamp_PII.csv”Example:”1234567_12302017_000-00-0000 csv”The bucket where these objects are being stored is using server-side encryption (SSE).Which solution is the most secure and cost-effective option to protect the sensitive data?Read More →

Example.com hosts its internal document repository on Amazon EC2 instances.The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes.To optimize the application for scale, example.com has moved the files to Amazon S3.The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.Which of the following methods will ensure that the data is unreadable by anyone else?Read More →

A company wants to deploy an application in a private VPC that will not be connected to the internet.The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances.The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.Which combination of steps should the security team take? (Choose three.)Read More →