SCS-C01 (Page 8)

A company has a serverless application for internal users deployed on AWS.The application uses AWS Lambda for the front end and for business logic.TheLambda function accesses an Amazon RDS database inside a VPC.The company uses AWS Systems Manager Parameter Store for storing database credentials.A recent security review highlighted the following issues:✑ The Lambda function has internet access.✑ The relational database is publicly accessible.✑ The database credentials are not stored in an encrypted state.Which combination of steps should the company take to resolve these security issues? (Choose three.)Read More →

A company’s on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior.The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation.The company expects to double in size within the next few months.Which solution meets the company’s current and future logging requirements?Read More →

An ecommerce website was down for 1 hour following a DDoS attack.Users were unable to connect to the website during the attack period.The ecommerce company’s security team is worried about future potential attacks and wants to prepare for such events.The company needs to minimize downtime in its response to similar attacks in the future.Which steps would help achieve this? (Choose two.)Read More →

A company has a VPC with several Amazon EC2 instances behind a NAT gateway.The company’s security policy states that all network traffic must be logged and must include the original source and destination IP addresses.The existing VPC Flow Logs do not include this information.A security engineer needs to recommend a solution.Which combination of steps should the security engineer recommend? (Choose two.)Read More →

A company manages multiple AWS accounts using AWS Organizations.The company’s security team notices that some member accounts are not sending AWSCloudTrail logs to a centralized Amazon S3 logging bucket.The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.Which set of actions should the security team implement to accomplish this?Read More →

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company’s primary website.TheGuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate.The security engineer needs to deny access to the malicious actor.What is the first step the security engineer should take?Read More →

Developers in an organization have moved from a standard application deployment to containers.The Security Engineer is tasked with ensuring that containers are secure.Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)Read More →

An application outputs logs to a text file.The logs must be continuously monitored for security incidents.Which design will meet the requirements with MINIMUM effort?Read More →

An application has been written that publishes custom metrics to Amazon CloudWatch.Recently, IAM changes have been made on the account and the metrics are no longer being reported.Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?Read More →

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.Which action should the Engineer take based on this situation? (Choose three.)Read More →