Amazon SCS-C01 Practice Test - Questions Answers, Page 45
Question list
List of questions
Related questions
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )
A company's Security Auditor discovers that users are able to assume roles without using multifactor authentication (MFA). An example of a current policy being applied to these users is as follows:
The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the AWS CLI. These users are using long-term AWS credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)
A company hosts multiple externally facing applications, each isolated in its own AWS account The company'B Security team has enabled AWS WAF. AWS Config. and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail. AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.
How should the Security team accomplish this?
A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database.
The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.
What should the Security Engineer do to meet these requirements?
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.
The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received. What should the Security Engineer do to troubleshoot this issue?
Developers in an organization have moved from a standard application deployment to containers.
The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections Which the SIMPLEST change that would address this server issue?
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Select TWO )
Question