Based on Official Syllabus Topics of Actual Amazon SCS-C01 Exam [Q29-Q49]

NEW QUESTION # 29
A security team is responsible for reviewing AWS API call activity in the cloud environment for security
violations. These events must be recorded and retained in a centralized location for both current and future
AWS regions.
What is the SIMPLEST way to meet these requirements?

  • A. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3
    bucket to receive log files for later analysis.
  • B. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for
    all regions.
  • C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single
    Amazon S3 bucket as the storage location.
  • D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a
    single Amazon S3 bucket for later analysis.

Answer: A

Explanation:
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html


NEW QUESTION # 30
Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Please select:

  • A. Grant a role that can be assumed by the web site
  • B. Use the aws:sites key in the condition clause for the bucket policy
  • C. Grant public access for the bucket via the bucket policy
  • D. Use the aws:Referer key in the condition clause for the bucket policy

Answer: D

Explanation:
An example of this is given in the AWS Documentation:
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.

Granting public access via the bucket policy is invalid because it is not a secure way to provide access. Using aws:sites is invalid because it is not a valid condition key. Granting a role is invalid because IAM roles are not assigned to web sites. For more information on example bucket policies, please visit the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy


NEW QUESTION # 31
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

  • A. Remove the instance from the load balancer and terminate it.
  • B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
  • C. Stop the instance and make a snapshot of the root EBS volume.
  • D. Reboot the instance and check for any Amazon CloudWatch alarms.

Answer: B

Explanation:
Reference: https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf


NEW QUESTION # 32
Your company is planning on using AWS EC2 and ELB to deploy its web applications. The security policy mandates that all traffic be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.
Please select:

  • A. Ensure the HTTPS listener sends requests to the instances on port 80
  • B. Ensure the HTTPS listener sends requests to the instances on port 443
  • C. Ensure the load balancer listens on port 443
  • D. Ensure the load balancer listens on port 80

Answer: B,C

Explanation:
The AWS Documentation mentions the following:
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.
Option A is invalid because there is a need for secure traffic, so port 80 should not be used.
Option D is invalid because for the HTTPS listener you need to use port 443.
For more information on HTTPS with ELB, please refer to the link below:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443


NEW QUESTION # 33
An employee keeps terminating EC2 instances in the production environment. You've determined that the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below.
Please select:

  • A. Tag the instance with a production-identifying tag and modify the employee's group to allow only the start, stop, and reboot API calls and not the terminate instance call.
  • B. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access for the employee
  • C. Modify the IAM policy on the user to require MFA before deleting EC2 instances
  • D. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call for instances with the production tag.

Answer: A,D

Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. The MFA-based options are incorrect because they will not ensure that the employee cannot terminate the instance.
For more information on tagging resources, please refer to the URL below:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answers are: Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call for instances with the production tag. Tag the instance with a production-identifying tag and modify the employee's group to allow only the start, stop, and reboot API calls and not the terminate instance call.


NEW QUESTION # 34
A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident.
What steps should the team document in the plan?
Please select:

  • A. Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
  • B. Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
  • C. Use Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
  • D. Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Answer: D

Explanation:
You can use the AWS Config history to see the history of a particular configuration item.
The snapshot referred to here (not reproduced on this page) shows an example configuration for a user in AWS Config.

The other options are invalid because those services cannot be used to see the history of a particular configuration item. This can only be accomplished by AWS Config.
For more information on tracking changes in AWS Config, please visit the URL below:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackingChanges.html
The correct answer is: Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.


NEW QUESTION # 35
You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your on-premises servers will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet, using VPN gateways and terminating the IPSec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? Choose 4 answers from the options below.
Please select:

  • A. Data encryption across the internet
  • B. End-to-end protection of data in transit
  • C. Protection of data in transit over the Internet
  • D. Data integrity protection across the Internet
  • E. End-to-end Identity authentication
  • F. Peer identity authentication between VPN gateway and customer gateway

Answer: A,C,D,F

Explanation:
IPSec is a widely adopted protocol that can be used to provide end-to-end protection for data.


NEW QUESTION # 36
A company is planning on using AWS EC2 and AWS CloudFront for its web application. For which one of the attacks below is the use of CloudFront most suited?
Please select:

  • A. DDoS attacks
  • B. Cross-site scripting
  • C. Malware attacks
  • D. SQL injection

Answer: A

Explanation:
The table from AWS referred to here (not reproduced on this page) shows the security capabilities of AWS CloudFront; CloudFront is most prominent for mitigating DDoS attacks.

The other options are invalid because CloudFront is specifically used to protect sites against DDoS attacks. For more information on security with CloudFront, please refer to the link below:
https://d1.awsstatic.com/whitepapers/Security/Secure_content_delivery_with_CloudFront_whitepaper.pdf
The correct answer is: DDoS attacks


NEW QUESTION # 37
A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16,000 B to 5 MB. The requirements are as follows:
* The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
* The key material must be available in multiple Regions.
Which option meets these requirements?

  • A. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions.
  • B. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
  • C. Use AWS CloudHSM to generate the key material and backup keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
  • D. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.

Answer: B


NEW QUESTION # 38
A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also all API calls must be stored for lookup purposes. Any log data greater than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

  • A. Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
  • B. Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
  • C. Enable CloudTrail logging in all accounts into S3 buckets
  • D. Enable CloudTrail logging in all accounts into Amazon Glacier

Answer: A,C

Explanation:
CloudTrail publishes the trail of API logs to an S3 bucket.
Enabling CloudTrail logging into Amazon Glacier is invalid because CloudTrail cannot deliver logs directly to Glacier. Moving the data to EBS volumes is invalid because lifecycle policies cannot be used to move data to EBS volumes. For more information on CloudTrail logging, please visit the URL below:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
You can then use lifecycle policies to transfer data to Amazon Glacier after 6 months. For more information on S3 lifecycle policies, please visit the URL below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answers are: Enable CloudTrail logging in all accounts into S3 buckets. Ensure a lifecycle policy is defined on the bucket to move the data to Amazon Glacier after 6 months.


NEW QUESTION # 39
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.
What is a possible cause of the issue?

  • A. The S3 bucket policy explicitly denies access to the Application Developer
  • B. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
  • C. The S3 bucket policy fails to explicitly grant access to the Application Developer
  • D. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator

Answer: C

Explanation:
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html


NEW QUESTION # 40
A developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon S3 access without affecting the other accounts?

  • A. Add an IAM policy for the developer, which grants S3 access.
  • B. Add an allow list for the developer account for the S3 service.
  • C. Move the SCP to the root OU of the organization to remove the restriction on access to Amazon S3.
  • D. Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.

Answer: D


NEW QUESTION # 41
Your company has a set of resources defined in the AWS Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?
Please select:

  • A. Create a PowerShell script using the AWS CLI. Query for all resources with the tag of production.
  • B. Create a bash shell script with the AWS CLI. Query for all resources in all regions. Store the results in an S3 bucket.
  • C. Use AWS Config to get the list of all resources
  • D. Use Cloud Trail to get the list of all resources

Answer: C

Explanation:
The most feasible option is to use AWS Config. When you turn on AWS Config, you will get a list of the resources defined in your AWS account.
The sample snapshot of the resources dashboard in AWS Config referred to here is not reproduced on this page.

Option A is incorrect because this would give the list of production-based resources and not all resources. Option B is partially correct, but it would add more maintenance overhead.
Using CloudTrail is incorrect because it logs API activity but does not give an account of all resources. For more information on AWS Config, please visit the URL below:
https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html
The correct answer is: Use AWS Config to get the list of all resources


NEW QUESTION # 42
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)

  • A. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
  • B. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
  • C. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
  • D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
  • E. Create a VPC endpoint for AWS KMS with private DNS enabled.

Answer: A,E

Explanation:
An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:
"Condition": {
    "StringNotEquals": {
        "aws:sourceVpce": "vpce-0295a3caf8414c94a"
    }
}
If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname resolves to your VPC endpoint.
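To make the three condition patterns on this page concrete (the aws:Referer StringLike bucket policy from question 30, the tag-scoped explicit deny from question 33, and the aws:sourceVpce StringNotEquals deny above), here is an added Python example, not from this page or any AWS SDK, that evaluates constructed policy documents with a deliberately simplified IAM-style algorithm: implicit deny, explicit deny wins, and IAM's missing-key rules for positive versus negated operators. The bucket name, tag value and VPC endpoint ID are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample policies for the three conditions discussed on this page.
# Bucket name, tag value and VPC endpoint ID are placeholders, not real IDs.
REFERER_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"StringLike": {"aws:Referer": [
        "http://www.example.com/*", "http://example.com/*"]}}}]}

TAG_DENY_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:StartInstances", "ec2:StopInstances",
        "ec2:RebootInstances", "ec2:TerminateInstances"]},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {
         "ec2:ResourceTag/Environment": "production"}}}]}

KMS_VPCE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*",
     "Condition": {"StringNotEquals": {
         "aws:sourceVpce": "vpce-EXAMPLE-PLACEHOLDER"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    # Missing-key handling follows IAM: positive operators fail when the key
    # is absent from the request context, negated ones (StringNotEquals)
    # succeed. That is why Deny + StringNotEquals on aws:sourceVpce blocks
    # every request that did not arrive through the VPC endpoint.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in wanted
            elif operator == "StringLike":  # * and ? wildcards, case-sensitive
                ok = actual is not None and any(
                    fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return "Allow" or "Deny" for one policy document (simplified: no
    IAM/SCP/resource-policy layering, case-sensitive action matching).
    Implicit deny by default, an Allow flips it, any matching Deny wins."""
    ctx = ctx or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision
```

Two caveats worth checking with it: the tag-based deny does not protect an instance that lacks the production tag, and the Referer condition only checks a client-supplied header, so it scopes access for well-behaved browsers rather than authenticating the caller.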


NEW QUESTION # 43
A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?
Please select:

  • A. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
  • B. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
  • C. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
  • D. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

Answer: D

Explanation:
The NACL options are invalid because the default NACL rules allow all inbound and outbound traffic.
The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that we need to configure the Security Group of the EC2 instance to allow traffic from the IT administrator's workstation.
Allowing only Outbound SSH traffic in the security group is incorrect, as we need to allow Inbound SSH traffic on the EC2 instance's Security Group, since the traffic originates from the IT admin's workstation.
The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation


NEW QUESTION # 44
You need to create a Linux EC2 instance in AWS. Which of the following steps are used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.
Please select:

  • A. Ensure the password is passed securely using SSL
  • B. Create a key pair using PuTTY
  • C. Ensure to create a strong password for logging into the EC2 Instance
  • D. Use the private key to log into the instance

Answer: B,D

Explanation:
The AWS Documentation mentions the following:
You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.
Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.
The password-based options are incorrect since you should use key pairs for secure access to EC2 instances.
For more information on EC2 key pairs, please refer to the URL below:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
The correct answers are: Create a key pair using PuTTY. Use the private key to log into the instance


NEW QUESTION # 45
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.
Which combination of steps is required to ensure availability of the certificate in the CloudFront console?
(Choose two.)

  • A. Import the certificate with a 4,096-bit RSA public key.
  • B. Import the certificate in the us-east-1 (N. Virginia) Region.
  • C. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
  • D. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
  • E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Answer: A,B


NEW QUESTION # 46
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

  • A. In the AWS Console, choose the IAM service and select "Users". Review the "Access Key Age" column.
  • B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
  • C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
  • D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

Answer: A

Explanation:
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html


NEW QUESTION # 47
A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?

  • A. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
  • B. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
  • C. The Secrets Manager IAM policy does not allow access to the RDS database.
  • D. The Secrets Manager IAM policy does not allow access for the applications.

Answer: A


NEW QUESTION # 48
A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.
What should the Security Engineer use to isolate and research this event? (Choose three.)

  • A. Security groups
  • B. AWS Key Management Service (AWS KMS)
  • C. Amazon Athena
  • D. VPC Flow Logs
  • E. AWS Firewall Manager
  • F. AWS CloudTrail

Answer: A,D,F

