A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB).
The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB.
Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?
A. Use an IP set match rule statement.A company's platform has grown rapidly over the past 6 months. The company's platform architecture evolved quickly to accommodate the growth. The company's development team has been deploying features quickly by using different AWS services. The development team has not performed formal architecture reviews.
The company needs to evaluate its security posture against AWS security best practices.
Which solution will meet these requirements?
A. Create a new workload in the AWS Well-Architected Tool. Work with the development team to answer security questions based on the team's current state. Use the save milestone feature to track improvements against identified high-risk items.A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.
A security engineer must implement a solution toprevent CloudTrail from being disabled.
Which solution will meet this requirement?
A. Enable CloudTrail log file integrity validation from the organization ' s management account.A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.
How can the company enforce encryption for all connections to the Aurora cluster?
A. In the Aurora cluster configuration, set therequire_secure_transportDB cluster parameter toON.An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company ' s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.
Which steps would help achieve this? (Select TWO.)
A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group.
The EC2 instances are in the same VPC subnet as other workloads.
A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement anautomated solutionto detect and respond to anomalous traffic patterns.
The solution must follow AWS best practices forinitial incident responseand mustminimize disruptionto the web application.
Which solution will meet these requirements?
A. Disable the instance profile access keys by using AWS Lambda.A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.
Which solution will meet these requirements?
A. Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.A workload runs in private subnets with no route to the internet. The application must read objects from Amazon S3 and call AWS KMS without using public internet paths. The design must preserve private connectivity for both services.
Which combination of changes should the security engineer make? Choose two.
A. Create a gateway VPC endpoint for Amazon S3 and associate it with the private subnet route tables.A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work.
The security engineer needs to recover an Amazon RDS database cluster to the last known good version.
The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM.
Which solution will meet this requirement?
A. Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 PM.A security engineer uses Amazon Macie to scan a company ' s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.
Which solution will meet these requirements with the LEAST administrative overhead?
A. Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.