Amazon Web Services SCS-C01 Questions Answers

Page: 15 / 43

Question 60

A Security Engineer received an IAM Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.

Which action should the Engineer take based on this situation? (Choose three.)

Options:

Use IAM Artifact to capture an exact image of the state of each instance.

Create EBS Snapshots of each of the volumes attached to the compromised instances.

Capture a memory dump.

Revoke all network ingress and egress except for to/from a forensics workstation.

Run Auto Recovery for Amazon EC2.

Question 61

A company’s database developer has just migrated an Amazon RDS database credential to be stored and managed by IAM Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.

After a short period of time, a number of existing applications have failed with authentication errors.

What is the MOST likely cause of the authentication errors?

Options:

Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.

Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.

The Secrets Manager IAM policy does not allow access to the RDS database.

The Secrets Manager IAM policy does not allow access for the applications.

Question 62

Your company has a set of resources defined in the IAM Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?

Please select:

Options:

Create a powershell script using the IAM CLI. Query for all resources with the tag of production.

Create a bash shell script with the IAM CLI. Query for all resources in all regions. Store the results in an S3 bucket.

Use Cloud Trail to get the list of all resources

Use IAM Config to get the list of all resources

Question 63

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.

What solution will allow the Security team to complete this request?

Options:

Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing IAM CloudTrail logs and S3 bucket logs for GET operations.

Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.

Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

Page: 15 / 43