SCS-C01 (Page 7)

A company’s application uses Amazon DynamoDB to store data.The company’s security policy requires all data to be encrypted at rest.The security policy also requires the company to use an on-premises hardware security module (HSM) to generate and manage the company’s encryption keys.A security engineer uses the on-premises HSM to generate an encryption key.What should the security engineer do next to meet these requirements?Read More →

A company wants to protect its website from man-in-the-middle attacks by using Amazon CloudFront.Which solution will meet these requirements with the LEAST operational overhead?Read More →

A public subnet contains two Amazon EC2 instances.The subnet has a custom network ACL.A security engineer is designing a solution to improve the subnet security.The solution must allow outbound traffic to an internet service that uses TLS through port 443.The solution also must deny inbound traffic that is destined forMySQL port 3306.Which network ACL rule set meets these requirements?Read More →

A company’s security engineer has been asked to monitor and report all AWS account root user activities.Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)Read More →

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB).The application has become the target of a DoS attack.Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.Which solution meets these requirements?Read More →

A company’s data lake uses Amazon S3 and Amazon Athena.The company’s security engineer has been asked to design an encryption solution that meets the company’s data protection requirements.The encryption solution must work with Amazon S3 and keys managed by the company.The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.Which solution meets these requirements?Read More →

A developer reported that AWS CloudTrail was disabled on their account.A security engineer investigated the account and discovered the event was undetected by the current security solution.The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.What should the security engineer do to meet these requirements?Read More →

A company has multiple departments.Each department has its own AWS account.All these accounts belong to the same organization in AWS Organizations.A large .csv file is stored in an Amazon S3 bucket in the sales department’s AWS account.The company wants to allow users from the other accounts to access the .csv file’s content through the combination of AWS Glue and Amazon Athena.However, the company does not want to allow users from the other accounts to access other files in the same folder.Which solution will meet these requirements?Read More →

A company uses multiple AWS accounts managed with AWS Organizations.Security engineers have created a standard set of security groups for all these.accounts.The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups.A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.Which solution should the security engineer recommend?Read More →

A company has a serverless application for internal users deployed on AWS.The application uses AWS Lambda for the front end and for business logic.TheLambda function accesses an Amazon RDS database inside a VPC.The company uses AWS Systems Manager Parameter Store for storing database credentials.A recent security review highlighted the following issues:✑ The Lambda function has internet access.✑ The relational database is publicly accessible.✑ The database credentials are not stored in an encrypted state.Which combination of steps should the company take to resolve these security issues? (Choose three.)Read More →