Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

2025-10-03
By:
In: SCS-C01
With: 1 Comment

A company uses AWS Organization to manage 50 AWS accounts.The finance staff members log in as AWS IAM users in the FinanceDept AWS account.The staff members need to read the consolidated billing information in the MasterPayer AWS account.They should not be able to view any other resources in theMasterPayer AWS account.IAM access to billing has been enabled in the MasterPayer account.Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?Read More →

What should the security engineer do to resolve this issue?

2025-10-03
By:
In: SCS-C01
With: 1 Comment

A company is using AWS Organizations to manage multiple AWS member accounts.All of these accounts have Amazon GuardDuty enabled in all Regions.The company’s AWS Security Operations Center has a centralized security account for logging and monitoring.One of the member accounts has received an excessively high bill.A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency.The Security OperationsCenter did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance.The security engineer needs to ensure all GuardDuty findings are available in the security account.What should the security engineer do to resolve this issue?Read More →

How can the security engineer implement this solution?

2025-10-03
By:
In: SCS-C01
With: 1 Comment

A company is implementing a new application in a new AWS account.A VPC and subnets have been created for the application.The application has been peered to an existing VPC in another account in the same AWS Region for database access.Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521.A security engineer must ensure that only theEC2 instances than need access to the databases can access them through the network.How can the security engineer implement this solution?Read More →

Which solution meets these requirements?

2025-10-03
By:
In: SCS-C01
With: 1 Comment

A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS.A security engineer needs to configure a highly available and secure two-tier architecture.The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, andSQL injection.Which solution meets these requirements?Read More →

What should the security engineer do next?

2025-10-03
By:
In: SCS-C01
With: 1 Comment

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance.One rule states that traffic to and from the workload must be inspected for network-level attacks.This involves inspecting the whole packet.To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance.The engineer must then configure the software to monitor traffic to and from the application instances.What should the security engineer do next?Read More →

How should the security engineer address this problem?

2025-10-03
By:
In: SCS-C01
With: 1 Comment

A company website runs on Amazon EC2 instances behind an Application Load Balancer (ALB).The instances run in an Auto Scaling group across multipleAvailability Zones.There is an Amazon CloudFront distribution in front of the ALB.Users are reporting performance problems.A security engineer discovers that the website is receiving a high rate of unwanted requests to the CloudFront distribution originating from a series of source IP addresses.How should the security engineer address this problem?Read More →