SCS-C01 (Page 6)

A company has a legacy application that runs on a single Amazon EC2 instance.A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account.This access key pair has the s3:GetObject permission to all objects in only this S3 bucket.The company takes the application offline because the application is not compliant with the company’s security policies for accessing other AWS resources from Amazon EC2.A security engineer validates that AWS CloudTrail is turned on in all AWS Regions.CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2.This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1.However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days.If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).Which combination of steps should the security engineer take to gather this information? (Choose two.)Read More →

A security engineer is working for a parent company that provides hosting and services to client companies.The parent company maintains an organization in AWS Organizations for all client company accounts.The parent company adds any new accounts to the organization when the new accounts are created.The parent company currently uses IAM users to administer the client company accounts.As more client accounts are added, the administration of the IAM accounts takes more time.The security engineer must design a solution to reduce the amount of time that the parent company spends on administration and access provisioning for client accounts.Which combination of steps should the security engineer take to meet these requirements? (Choose two.)Read More →

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments.Each instance is tagged with its environment.The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)Read More →

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied.TheEngineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.What would be the MOST efficient way to achieve these goals?Read More →

A company hosts an end user application on AWS.Currently, the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer.The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.Which solution will meet this requirement with the LEAST operational effort?Read More →

A Security Engineer is building a Java application that is running on Amazon EC2.The application communicates with an Amazon RDS instance and authenticates with a user name and password.Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)Read More →

A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period.The security engineer creates a trail in AWS CloudTrail to assist in this work.Which solution will meet these requirements?Read More →

While analyzing a company’s security solution, a Security Engineer wants to secure the AWS account root user.What should the Security Engineer do to provide the highest level of security for the account?Read More →

A company is developing a mobile shopping web app.The company needs an environment that is configured to encrypt all resources in transit and at rest.A security engineer must develop a solution that will encrypt traffic in transit to the company’s Application Load Balancer and Amazon API Gateway resources.The solution also must encrypt traffic at rest for Amazon S3 storage.What should the security engineer do to meet these requirements?Read More →

A company has a requirement that none of its Amazon RDS resources can be publicly accessible.A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →