SCS-C01 Exam Dumps
Best Amazon SCS-C01 Dumps - Pass Your Exam on the First Attempt
Our SCS-C01 dumps are better than all other cheap SCS-C01 study material.
The best way to pass your Amazon SCS-C01 exam is to get reliable exam study material. Realexamdumps is one of the most authentic websites for Amazon AWS Certified Specialty exam questions and answers. Pass your SCS-C01 AWS Certified Security - Specialty exam with full confidence. You can get a free AWS Certified Security - Specialty demo from realexamdumps. We ensure 100% success in the SCS-C01 exam with the help of our Amazon dumps, and you will be proud to become part of the realexamdumps family.
Our success rate over the past 5 years has been very impressive. Our customers have been able to build their careers in the IT field.
Sample Questions
Realexamdumps provides the most updated AWS Certified Specialty questions and answers. Here are a few sample questions:
Amazon SCS-C01 Sample Question 1
A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail in all regions when it opened the account. Which of the following will allow the Security Engineer to complete the task?
Options:
Answer: D
Amazon SCS-C01 Sample Question 2
Your team is designing a web application. The users of this web application would need to sign in via an external ID provider such as Facebook or Google. Which of the following IAM services would you use for authentication? Please select:
Options:
Answer: A
Explanation: The IAM Documentation mentions the following: Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
Option B is incorrect since this is used for identity federation. Option C is incorrect since this is pure Identity and Access Management. Option D is incorrect since IAM is a configuration service.
For more information on IAM Cognito please refer to the below link: https://docs.IAM.amazon.com/coenito/latest/developerguide/what-is-amazon-cognito.html
The correct answer is: IAM Cognito
Amazon SCS-C01 Sample Question 3
There is a set of EC2 Instances in a private subnet. The application hosted on these EC2 Instances needs to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved? Please select:
Options:
Answer: A
Explanation: The following diagram from the IAM Documentation shows how you can access the DynamoDB service from within a VPC without going to the Internet. This can be done with the help of a VPC endpoint.
Option B is invalid because this is used for a connection between an on-premises solution and IAM. Option C is invalid because there is no such option. Option D is invalid because this is used to connect 2 VPCs.
For more information on VPC endpoints for DynamoDB, please visit the URL:
The correct answer is: Use a VPC endpoint to the DynamoDB table
Amazon SCS-C01 Sample Question 4
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
Options:
Answer: A, D
Amazon SCS-C01 Sample Question 5
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections. Which is the SIMPLEST change that would address this server issue?
Options:
Answer: B
Amazon SCS-C01 Sample Question 6
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp? Please select:
Options:
Answer: A
Explanation: Since the Web server needs to talk to the database server on port 3306, the database server should allow incoming traffic on port 3306. The below table from the IAM documentation shows how the security groups should be set up.
Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group. Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic.
For more information on security groups please visit the below link: http://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/VPC Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
Amazon SCS-C01 Sample Question 7
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO.)
Options:
Answer: C, F
Amazon SCS-C01 Sample Question 8
You need to have a cloud security device which would allow you to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose? Please select:
Options:
Answer: A, D
Explanation: IAM Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys. All master keys in IAM KMS, regardless of their creation date or origin, are automatically protected using FIPS 140-2 validated HSMs.
FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application.
• FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
• FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
• FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
• FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.
IAM CloudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from IAM. You interact with keys in your IAM CloudHSM cluster similar to the way you interact with your applications running in Amazon EC2.
IAM KMS allows you to create and control the encryption keys used by your applications and supported IAM services in multiple regions around the world from a single console. The service uses a FIPS 140-2 validated HSM to protect the security of your keys. Centralized management of all your keys in IAM KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them.
IAM KMS HSMs are validated at Level 2 overall and at Level 3 in the following areas:
• Cryptographic Module Specification
• Roles, Services, and Authentication
• Physical Security
• Design Assurance
So I think that we can have 2 answers for this question: both A and D.
• https://IAM.amazon.com/blo15s/security/IAM-key-management-service- now-ffers-flps-140-2-validated-cryptographic-m
• https://a ws.amazon.com/cloudhsm/faqs/
• https://IAM.amazon.com/kms/faqs/
• https://en.wikipedia.org/wiki/RPS
The IAM Documentation mentions the following: IAM CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the IAM Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially-available HSMs. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.
All other options are invalid since IAM CloudHSM is the prime service that offers FIPS 140-2 Level 3 compliance.
For more information on CloudHSM, please visit the following URL: https://IAM.amazon.com/cloudhsm
The correct answers are: IAM KMS, IAM Cloud HSM
Amazon SCS-C01 Sample Question 9
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted. An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead. Which solution meets these requirements?
Options:
Answer: B
Amazon SCS-C01 Sample Question 10
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the IAM account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an IAM KMS CMK. Which solution would solve this problem?
Options:
Answer: B
Amazon SCS-C01 Sample Question 11
A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved? Please select:
Options:
Answer: A, C
Explanation: The IAM Documentation mentions the following: Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.
Options B and D are invalid because these cannot be used to control access to S3 buckets.
For more information on S3 access control, please refer to the below link: https://docs.IAM.amazon.com/AmazonS3/latest/dev/s3-access-control.htmll
The correct answers are: Use Bucket policies. Use IAM user policies
Amazon SCS-C01 Sample Question 12
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific IoT device brand that is visible in the user agent. A security engineer needs to mitigate the attack without impacting the availability of the public website. What should the security engineer do to accomplish this?
Options:
Answer: E
Amazon SCS-C01 Sample Question 13
A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply. Which of the following actions could fix this issue?
Options:
Answer: D
Amazon SCS-C01 Sample Question 14
A company wants to encrypt the private network between its on-premises environment and IAM. The company also wants a consistent network experience for its employees. What should the company do to meet these requirements?
Options:
Answer: E
Amazon SCS-C01 Sample Question 15
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?
Options:
Answer: B
Amazon SCS-C01 Sample Question 16
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?
Options:
Answer: D
Amazon SCS-C01 Sample Question 17
A security engineer needs to ensure their company's use of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used. Which solution meets these requirements?
Options:
Answer: B
Amazon SCS-C01 Sample Question 18
A company has implemented centralized logging and monitoring of IAM CloudTrail logs from all Regions in an Amazon S3 bucket. The log files are encrypted using IAM KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message. What should the Security Engineer do to fix this issue?
Options:
Answer: D
Amazon SCS-C01 Sample Question 19
A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:
• A trusted forensic environment must be provisioned
• Automated response processes must be orchestrated
Which IAM services should be included in the plan? (Select TWO.)
Options:
Answer: A, F
Amazon SCS-C01 Sample Question 20
A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future. What are some ways the Engineer could achieve this? (Select THREE.)
Options:
Answer: B, D, G
Amazon SCS-C01 Sample Question 21
A company recently performed an annual security assessment of its IAM environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection. How should a security engineer resolve these issues?
Options:
Answer: D
Explanation: https://docs. IAM.amazon.com/IAMcloudtrail/latest/userguide/best-practices-security.html
"For an ongoing record of events in your IAM account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."
https:// IAM.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-IAM-config/
Amazon SCS-C01 Sample Question 22
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?
Options:
Answer: D
Explanation: References: https://docs. IAM.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. Server-Side Encryption with Customer Master Keys (CMKs) Stored in IAM Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service. When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual IAM KMS data key for every object. It makes a call to IAM KMS every time a request is made against a KMS-encrypted object.
https://docs. IAM.amazon.com/AmazonS3/latest/dev/bucket-key.html
https://docs. IAM.amazon.com/kms/latest/developerguide/symmetric-asymmetric.htmm
Amazon SCS-C01 Sample Question 23
An organization policy states that all encryption keys must be automatically rotated every 12 months. Which IAM Key Management Service (KMS) key type should be used to meet this requirement?
Options:
Answer: C
Amazon SCS-C01 Sample Question 24
A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes. What is the MOST secure way to accomplish this?
Options:
Answer: B
Amazon SCS-C01 Sample Question 25
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses. Which action should the Security Engineer take to allow communication over the public IP addresses?
Options:
Answer: D
Explanation: https://docs. IAM.amazon.com/IAMEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-other-instancet
Amazon SCS-C01 Sample Question 26
A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on IAM, but does have IAM Systems Manager configured. The solution must also minimize administrative overhead. What should a security engineer recommend to meet these requirements?
Options:
Answer: C
Amazon SCS-C01 Sample Question 27
An IAM Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. Which of the following explains why the logs are not available?
Options:
Answer: B
Amazon SCS-C01 Sample Question 28
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data. Pattern: "randomID_datestamp_PII.csv" Example: "1234567_12302017_000-00-0000.csv" The bucket where these objects are being stored is using server-side encryption (SSE). Which solution is the most secure and cost-effective option to protect the sensitive data?
Options:
Answer: C
Explanation: https://docs.IAM. amazon.com/AmazonS3/latest/dev/UsingMetadata.html
https://IAM.amazon.com/blogs/database/best-practices-for-securing-sensitive-data-in-IAM-data-stores/
Amazon SCS-C01 Sample Question 29
You are hosting a website via website hosting on an S3 bucket - http://demo.s3-website-us-east-1.amazonIAM.com. You have some web pages that use JavaScript to access resources in another bucket which also has website hosting enabled. But when users access the web pages, they are getting a blocked JavaScript error. How can you rectify this? Please select:
Options:
Answer: A
Explanation: Such a scenario is also given in the IAM Documentation, Cross-Origin Resource Sharing: Use-case Scenarios. The following are example scenarios for using CORS:
• Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonIAM.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.amazonIAM.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonIAM.com.
• Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
Option B is invalid because versioning is only to create multiple versions of an object and can help with accidental deletion of objects. Option C is invalid because this is used as an extra measure of caution for deletion of objects. Option D is invalid because this is used for Cross Region Replication of objects.
For more information on Cross Origin Resource Sharing, please visit the following URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/cors.html
The correct answer is: Enable CORS for the bucket
Amazon SCS-C01 Sample Question 30
An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses IAM WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0) What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?
Options:
Answer: A
Explanation: Since all the attack traffic has the HTTP header User-Agent set to the string Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0), it would be much easier to block these attacks by simply denying traffic that matches this header.
Amazon SCS-C01 Sample Question 31
Which of the following is used as a secure way to log into an EC2 Linux Instance? Please select:
Options:
Answer: B
Explanation: The IAM Documentation mentions the following: Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then IAM uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.
Options A, C and D are all wrong because these are not used to log into EC2 Linux Instances.
For more information on IAM Security credentials, please visit the below URL: https://docs.IAM.amazon.com/eeneral/latest/er/IAM-sec-cred-types.html
The correct answer is: Key pairs
Amazon SCS-C01 Sample Question 32
Your company has defined privileged users for their IAM Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished? Please select:
Options:
Answer: A
Explanation: The IAM Documentation mentions the following as a best practice for IAM users. For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Options B, C and D are invalid because no such security options are available in IAM.
For more information on IAM best practices, please visit the below URL: https://docs.IAM.amazon.com/IAM/latest/UserGuide/best-practices.html
The correct answer is: Enable MFA for these user accounts
Amazon SCS-C01 Sample Question 33
A company has five IAM accounts and wants to use IAM CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs. Which of the following steps will implement these requirements? (Choose three.)
Options:
Answer: A, C, E
Explanation: https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/best-practices-security.html
If you have created an organization in IAM Organizations, you can create a trail that will log all events for all IAM accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about IAM Organizations, see Organizations Terminology and Concepts.
Note Reference: https://docs. IAM.amazon.com/IAMcloudtrail/latest/userguide/creating-trail-organization.html
You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.
Amazon SCS-C01 Sample Question 34
An organization has three applications running on IAM, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an IAM KMS Customer Master Key (CMK). What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?
Options:
Answer: D
Amazon SCS-C01 Sample Question 35
A Security Engineer is working with a Product team building a web application on IAM. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
Options:
Answer: B, D, F
Amazon SCS-C01 Sample Question 36
Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks. Which of the following methods will ensure that the data is unreadable by anyone else?
Options:
Answer: D
Explanation: Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88 ("Guidelines for Media Sanitization"), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
https://d0. IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf
Amazon SCS-C01 Sample Question 37
Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability. Which of the following solutions will meet these requirements?
Options:
Answer: B
Explanation: https:// IAM.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-network-load-balancer-with-amazon-ecs/
Amazon SCS-C01 Sample Question 38
An application has a requirement to be resilient across not only Availability Zones within the application's primary region but also be available within another region altogether. Which of the following supports this requirement for IAM resources that are encrypted by IAM KMS?
Options:
Answer: D
Amazon SCS-C01 Sample Question 39
Which approach will generate automated security alerts should too many unauthorized IAM API requests be identified?
Options:
Answer: A
Explanation: https://docs. IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-authorization-failures
Open the CloudWatch console at https://console.IAM.amazon.com/cloudwatch/. In the navigation pane, choose Logs. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events. Choose Create Metric Filter. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") } Choose Assign Metric. For Filter Name, type AuthorizationFailures. For Metric Namespace, type CloudTrailMetrics. For Metric Name, type AuthorizationFailureCount.
Amazon SCS-C01 Sample Question 40
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. What techniques will limit lateral movement and allow evidence gathering?
Options:
Answer: B Explanation: https://d1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf
Amazon SCS-C01 Sample Question 41
Your company has a set of resources defined in the IAM Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner? Please select:
Options:
Answer: D Explanation: The most feasible option is to use IAM Config. When you turn on IAM Config, you will get a list of resources defined in your IAM Account. Option A is incorrect because this would give the list of production-based resources and not all resources. Option B is partially correct, but this will just add more maintenance overhead. Option C is incorrect because this can be used to log API activities but does not give an account of all resources. For more information on IAM Config, please visit the below URL: https://docs.IAM.amazon.com/config/latest/developerguide/how-does-config-work.html The correct answer is: Use IAM Config to get the list of all resources
Amazon SCS-C01 Sample Question 42
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs). What mechanism will allow the company to implement all required network rules without incurring additional cost?
Options:
Answer: C
Amazon SCS-C01 Sample Question 43
A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?
Options:
Answer: E
Amazon SCS-C01 Sample Question 44
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using IAM CloudFormation templates with EC2 Auto Scaling groups: -Have the EC2 instances bootstrapped to connect to a backend database. -Ensure that the database credentials are handled securely. -Ensure that retrievals of database credentials are logged. Which of the following is the MOST efficient way to meet these requirements?
Options:
Answer: C
Amazon SCS-C01 Sample Question 45
A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below Please select:
Options:
Answer: A, C Explanation: The IAM Documentation mentions the following: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. Option B is invalid because there is no such thing as Trusted Advisor Cloud Trail checks. Option D is invalid because Systems Manager cannot be used for this purpose. Option E is invalid because Security Groups cannot be used to block calls from other services. For more information on Cloudtrail log file validation, please visit the below URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html For more information on delivering Cloudtrail logs from multiple accounts, please visit the below URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket, Enable Cloud Trail log file integrity validation
Amazon SCS-C01 Sample Question 46
Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours. What steps are necessary to identify the cause of this phenomenon? (Choose two.)
Options:
Answer: A, B Explanation: https://acloud.guru/forums/IAM-certified-security-specialty/discussion/-Lm5A3w6_NybQPhh6tRP/Cloudwatch%20Log%20questioo