A company's security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company's accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.
What should the security engineer do to meet these requirements?
A. Create security groups and attach them to all SQS queues.A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.
Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)
A. Disable termination protection for the EC2 instance if termination protection has not been disabled.A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation.
What should the security engineer do to meet these requirements?
A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Updatesecurity groups on the EC2 instances to prevent direct access from the internet.An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.
Which solution will meet these requirements?
A. Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.A company is using Amazon EC2 instances to host an application in a private subnet in a VPC. The application needs to use AWS KMS.
What is the MOST secure way for a security engineer to meet this requirement?
A. Attach an internet gateway to the VPC. Move the EC2 instances to a public subnet. Use the internet gateway to connect to AWS KMS.A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.
Which solution will meet these requirements?
A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.A security engineer must investigate an Amazon GuardDuty finding. The finding indicates potential cryptocurrency mining activity on an Amazon EC2 instance. The security engineer must validate the finding and assess the impact.
Which data sources should the security engineer analyze to meet these requirements?
A. Check the instance's CPU utilization metrics in Amazon CloudWatch. Examine the finding's MITRE ATT & CK tactic classification. Review any associated IAM role permissions.A company wants to improve the remediation of specific security incidents. Currently, a security engineer performs network isolation manually if traffic from Amazon EC2 instances to known command and control servers is detected. The manual network isolation process is error prone. The security engineer must automate the process.
The security engineer enables Amazon GuardDuty. The security engineer configures instances to be managed by AWS Systems Manager. The security engineer prepares a Systems Manager Automation document to change security groups on selected instances.
Which solution will meet these requirements?
A. Create a permanent Amazon Detective investigation. Select all resources to monitor. Configure Detective to invoke the Systems Manager document if known command and control traffic is detected.A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.
What is the MOST cost-effective way to correct this error?
A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.