Why did GuardDuty fail to alert to this behavior?

2025-10-16
By:
In: SCS-C01
With: 1 Comment

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services.The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and- control server but failing.This alert does not show up in GuardDuty.Why did GuardDuty fail to alert to this behavior?Read More →

Which of the following actions will resolve the access denied error?

2025-10-16
By:
In: SCS-C01
With: 1 Comment

The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function.Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM.When the function executes, this parameter cannot be retrieved as the result of an access denied error.Which of the following actions will resolve the access denied error?Read More →

What steps should the Engineer perform to prevent this outcome?

2025-10-16
By:
In: SCS-C01
With: 1 Comment

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.’s AWS account to help optimize costs.The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany’s AWS account to assume this role.When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany’s other customers might deduce Example Corp.’s role ARN and potentially compromise the company’s account.What steps should the Engineer perform to prevent this outcome?Read More →

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs?

2025-10-16
By:
In: SCS-C01
With: 1 Comment

A Security Engineer is working with a Product team building a web application on AWS.The application uses Amazon S3 to host the static content, Amazon APIGateway to provide RESTful services; and Amazon DynamoDB as the backend data store.The users already exist in a directory that is exposed through a SAML identity provider.Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)Read More →

Which approach will meet these requirements while protecting the external certificate during a breach?

2025-10-16
By:
In: SCS-C01
With: 1 Comment

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group.The application is accessed from the web over HTTPS.The data must always be encrypted in transit.The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.Which approach will meet these requirements while protecting the external certificate during a breach?Read More →

What is the MOST likely cause?

2025-10-16
By:
In: SCS-C01
With: 1 Comment

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account.For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not.What is the MOST likely cause?Read More →