What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account?
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour. The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior. How can the Security Engineer address the issue?
An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
✑ The instance is allowed the kms:Decrypt action in its IAM role for all resources
✑ The AWS KMS CMK status is set to enabled
✑ The instance can communicate with the KMS API using a configured VPC endpoint
What is causing the issue?
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals. While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box. Which of the following actions would resolve this issue?
Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary. What solution should the Engineer use to implement the appropriate access restrictions for the application?
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company’s networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.