Special Summer Discounts Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 63r59951

SCS-C01 AWS Certified Security - Specialty Questions and Answers

Questions 4

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail m an regions when it opened the account

Which of the following will allow (he Security Engineer 10 complete the task?

Options:

A.

Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.

B.

Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.

C.

Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.

D.

Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Buy Now
Questions 5

A company is deploying a new web application on IAM. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.

Please select:

Options:

A.

Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.

B.

Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.

C.

Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.

D.

Use CloudFront and IAM WAF to prevent malicious traffic from reaching the application

E.

Enable GuardDuty to block malicious traffic from reaching the application

Buy Now
Questions 6

What is the result of the following bucket policy?

SCS-C01 Question 6

Choose the correct answer:

Please select:

Options:

A.

It will allow all access to the bucket mybucket

B.

It will allow the user mark from IAM account number 111111111 all access to the bucket but deny everyone else all access to the bucket

C.

It will deny all access to the bucket mybucket

D.

None of these

Buy Now
Questions 7

Your team is designing a web application. The users for this web application would need to sign in via an external ID provider such asfacebook or Google. Which of the following IAM service would you use for authentication?

Please select:

Options:

A.

IAM Cognito

B.

IAM SAML

C.

IAM IAM

D.

IAM Config

Buy Now
Questions 8

There is a set of Ec2 Instances in a private subnet. The application hosted on these EC2 Instances need to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?

Please select:

Options:

A.

Use a VPC endpoint to the DynamoDB table

B.

Use a VPN connection from the VPC

C.

Use a VPC gateway from the VPC

D.

Use a VPC Peering connection to the DynamoDB table

Buy Now
Questions 9

A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket. Choose 2 answers from the options given below

Please select:

Options:

A.

Enable versioning on the S3 bucket

B.

Enable data at rest for the objects in the bucket

C.

Enable MFA Delete in the bucket policy

D.

Enable data in transit for the objects in the bucket

Buy Now
Questions 10

Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

Options:

A.

Use the containers to automate security deployments.

B.

Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.

C.

Segregate containers by host, function, and data classification.

D.

Use Docker Notary framework to sign task definitions.

E.

Enable container breakout at the host kernel.

Buy Now
Questions 11

A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

SCS-C01 Question 11

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services. Which change to the policy should the security engineer make to resolve these issues?

Options:

A.

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

B.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

D.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Buy Now
Questions 12

You have several S3 buckets defined in your IAM account. You need to give access to external IAM accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below

Please select:

Options:

A.

IAM policies

B.

Buckets ACL's

C.

IAM users

D.

Bucket policies

Buy Now
Questions 13

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

SCS-C01 Question 13

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

Options:

A.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

B.

Add an IAM policy for the developer, which grants $3 access.

C.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

D.

Add an allow list for the developer account for the $3 service.

Buy Now
Questions 14

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections

Which the SIMPLEST change that would address this server issue?

Options:

A.

Create an Amazon CloudFront distribution and configure the ALB as the origin

B.

Block the malicious IPs with a network access list (NACL).

C.

Create an IAM Web Application Firewall (WAF). and attach it to the ALB

D.

Map the application domain name to use Route 53

Buy Now
Questions 15

You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.

Please select:

Options:

A.

Create a new Customer Key using KMS and attach it to the existing volume

B.

You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.

C.

Request IAM Support to recover the key

D.

Use IAM Config to recover the key

Buy Now
Questions 16

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?

Please select:

Options:

A.

Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

B.

Allow Inbound on port 3306 from source 20.0.0.0/16

C.

Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.

D.

Allow Outbound on port 80 for Destination NAT Instance IP

Buy Now
Questions 17

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?

Please select:

Options:

A.

From the IAM Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.

B.

Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.

C.

Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

D.

Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.

Buy Now
Questions 18

You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?

Please select:

Options:

A.

Generate pre-signed URLs for each user as they request access to protected S3 content

B.

Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user

C.

Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials

D.

Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

Buy Now
Questions 19

A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.

Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

Options:

A.

The CMK that is used in the attempt does not exist.

B.

The CMK that is used in the attempt needs to be rotated.

C.

The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.

D.

The CMK that is used in the attempt is not enabled.

E.

The CMK that is used in the attempt is using an alias.

Buy Now
Questions 20

A company's IAM account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?

Please select:

Options:

A.

Create a new role and add each user to the IAM role

B.

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

C.

Create a policy and apply it to multiple users using a JSON script

D.

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

Buy Now
Questions 21

A company has hired a third-party security auditor, and the auditor needs read-only access to all IAM resources and logs of all VPC records and events that have occurred on IAM. How can the company meet the auditor's requirements without comprising security in the IAM environment? Choose the correct answer from the options below

Please select:

Options:

A.

Create a role that has the required permissions for the auditor.

B.

Create an SNS notification that sends the CloudTrail log files to the auditor's email when CIoudTrail delivers the logs to S3, but do not allow the auditor access to the IAM environment.

C.

The company should contact IAM as part of the shared responsibility model, and IAM will grant required access to th^ third-party auditor.

D.

Enable CloudTrail logging and create an IAM user who has read-only permissions to the required IAM resources, including the bucket containing the CloudTrail logs.

Buy Now
Questions 22

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO )

Options:

A.

There is no API operation to retrieve an S3 object in its encrypted form.

B.

Encryption of S3 objects is performed within the secure boundary of the KMS service.

C.

S3 uses KMS to generate a unique data key for each individual object.

D.

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

E.

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Buy Now
Questions 23

You need to have a cloud security device which would allow to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose.

Please select:

Options:

A.

IAM KMS

B.

IAM Customer Keys

C.

IAM managed keys

D.

IAM Cloud HSM

Buy Now
Questions 24

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

Which solution meets these requirements?

Options:

A.

Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

B.

Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

C.

Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

D.

Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Buy Now
Questions 25

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.

After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the IAM account was compromised and Amazon EBS snapshots were deleted.

All EBS snapshots are encrypted using an IAM KMS CMK.

Which solution would solve this problem?

Options:

A.

Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion

B.

Use IAM Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

C.

Create a new IAM account with limited privileges. Allow the new account to access the IAM KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis

D.

Use IAM Backup to copy EBS snapshots to Amazon S3.

Buy Now
Questions 26

An company is using IAM Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts. 444455556666, must to retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.

Which policy should the security engineer apply?

SCS-C01 Question 26

SCS-C01 Question 26

SCS-C01 Question 26

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 27

A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved?

Please select:

Options:

A.

Use Bucket policies

B.

Use the Secure Token service

C.

Use IAM user policies

D.

Use IAM Access Keys

Buy Now
Questions 28

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific loT device brand that is visible in the user agent A security engineer needs to mitigate the attack without impacting the availability of the public website.

What should the security engineer do to accomplish this?

Options:

A.

Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the v/eb ACL with the ALB.

B.

Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.

C.

Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.

D.

Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB. and configure a listener rule on the ALB to block loT devices based on the user agent.

Buy Now
Questions 29

A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the togging server but the web server never receives a reply

Which of the following actions could fix this issue1?

Options:

A.

Add an inbound rule to the security group associated with the logging server that allows requests from the web server

B.

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

C.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection

D.

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

Buy Now
Questions 30

A company wants to encrypt the private network between its orvpremises environment and IAM. The company also wants a consistent network experience for its employees.

What should the company do to meet these requirements?

Options:

A.

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native IAM network encryption between Availability Zones and Regions,

B.

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway

C.

Establish a VPN connection with the IAM virtual private cloud over the internet

D.

Establish an IAM Direct Connect connection with IAM and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

Buy Now
Questions 31

A company is using IAM Organizations to manage multiple IAM member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's IAM Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill A security engineer discovers that a compromised Amazon EC2 instance is being used to mine crypto currency. The Security Operations Center did not receive a GuardDuty finding in the central security account.

but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure an GuardDuty finding are available in the security account.

What should the security engineer do to resolve this issue?

Options:

A.

Set up an Amazon CloudWatch Event rule to forward ail GuardDuty findings to the security account Use an IAM Lambda function as a target to raise findings

B.

Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account Use an IAM Lambda function as a target to raise findings in IAM Security Hub

C.

Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission Schedule an Amazon CloudWatch Events rule and an IAM Lambda function to periodically check for GuardDuty findings

D.

Use the IAM GuardDuty get-members IAM CLI command m the security account to see if the account is listed Send an invitation from GuardDuty m the security account to GuardDuty in the compromised account Accept the invitation to forward all future GuardDuty findings

Buy Now
Questions 32

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.

How can this task be accomplished?

Options:

A.

Obtain the list of instances by directly querying Amazon EC2 using: IAM ec2 describe-instances --fi1ters "Name=key-name,Values=KEYNAMEHERE".

B.

Obtain the fingerprint for the key pair from the IAM Management Console, then search for the fingerprint in the Amazon Inspector logs.

C.

Obtain the output from the EC2 instance metadata using: curl http: //169.254.169.254/latest/meta-data/public- keys/0/.

D.

Obtain the fingerprint for the key pair from the IAM Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: IAM logs filter-log-events.

Buy Now
Questions 33

An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

SCS-C01 Question 33

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the IAM CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

Options:

A.

Change the value of IAM MultiFactorAuthPresent to true.

B.

Instruct users to run the IAM sts get-session-token CLI command and pass the multi-factor authentication —serial-number and —token-code parameters. Use these resulting values to make API/CLI calls

C.

Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.

D.

Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and —token-code parameters Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

Buy Now
Questions 34

A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.

What is a possible cause of the issue?

Options:

A.

The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

B.

The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator

C.

The S3 bucket policy fails to explicitly grant access to the Application Developer

D.

The S3 bucket policy explicitly denies access to the Application Developer

Buy Now
Questions 35

A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

Options:

A.

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

B.

Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret

C.

Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.

D.

Add the following statement to the container instance IAM role policy

35

E.

Add the following statement to the execution role policy.

35

F.

Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Buy Now
Questions 36

A security engineer need to ensure their company’s uses of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.

Which solution meets these requirements?

Options:

A.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

B.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

C.

Set up a rule in IAM config to trigger root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.

D.

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Buy Now
Questions 37

A company has implemented centralized logging and monitoring of IAM CloudTrail logs from all Regions in an Amazon S3 bucket. The log Hies are encrypted using IAM KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message

What should the Security Engineer do to fix this issue?

Options:

A.

Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.

B.

Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects

C.

Check that the role the EC2 instance profile uses grants permission lo decrypt objects using the KMS CMK and gives access to the S3 bucket and objects

D.

Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK

Buy Now
Questions 38

A convoys data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3.

Which solution meets these requirements?

Options:

A.

Use client-side encryption with an IAM KMS customer-managed key implemented with the IAM Encryption SDK

B.

Use IAM CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3

C.

Use an IAM KMS customer-managed key that is backed by a custom key store using IAM CloudHSM

D.

Use an IAM KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in IAM CloudHSM

Buy Now
Questions 39

A company's Security Engineer has been asked to monitor and report all IAM account root user activities.

Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)

Options:

A.

Configuring IAM Organizations to monitor root user API calls on the paying account

B.

Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported

C.

Configuring Amazon Inspector to scan the IAM account for any root user activity

D.

Configuring IAM Trusted Advisor to send an email to the Security team when the root user logs in to the console

E.

Using Amazon SNS to notify the target group

Buy Now
Questions 40

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

• A trusted forensic environment must be provisioned

• Automated response processes must be orchestrated

Which IAM services should be included in the plan? {Select TWO)

Options:

A.

IAM CloudFormation

B.

Amazon GuardDuty

C.

Amazon Inspector

D.

Amazon Macie

E.

IAM Step Functions

Buy Now
Questions 41

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

• Set up the proxy software on the EC2 instances.

• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

Options:

A.

Put all the proxy EC2 instances in a cluster placement group.

B.

Disable source and destination checks on the proxy EC2 instances.

C.

Open all inbound ports on the proxy EC2 instance security group.

D.

Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

Buy Now
Questions 42

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future

What are some ways the Engineer could achieve this? (Select THREE )

Options:

A.

Use IAM X-Ray to inspect the traffic going 10 the EC2 instances

B.

Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution

C.

Change the security group configuration to block the source of the attack traffic

D.

Use IAM WAF security rules to inspect the inbound traffic

E.

Use Amazon inspector assessment templates to inspect the inbound traffic

F.

Use Amazon Route 53 to distribute traffic

Buy Now
Questions 43

A Developer signed in to a new account within an IAM Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

SCS-C01 Question 43

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

Options:

A.

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

B.

Add an IAM policy for the Developer, which grants S3 access.

C.

Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

D.

Add an allow list for the Developer account for the S3 service.

Buy Now
Questions 44

An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:

• IAM IAM federated with on-premises Active Directory

• Amazon Cognito user pools to accessing an IAM Cloud application developed by the company

Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

Options:

A.

Update the password length policy In the on-premises Active Directory configuration.

B.

Update the password length policy In the IAM configuration.

C.

Enforce an IAM policy In Amazon Cognito and IAM IAM with a minimum password length condition.

D.

Update the password length policy in the Amazon Cognito configuration.

E.

Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito.

Buy Now
Questions 45

A company recently performed an annual security assessment of its IAM environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

Options:

A.

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

B.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

C.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

D.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Buy Now
Questions 46

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.

Which of the following requires the LEAST amount of configuration when implementing this approach?

Options:

A.

Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.

B.

Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.

C.

Use the S3 encryption client to encrypt each file individually using S3-generated data keys

D.

Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS-managed keys (SSE-KMS) to encrypt the data

Buy Now
Questions 47

An organization policy states that all encryption keys must be automatically rotated every 12 months.

Which IAM Key Management Service (KMS) key type should be used to meet this requirement?

Options:

A.

IAM managed Customer Master Key (CMK)

B.

Customer managed CMK with IAM generated key material

C.

Customer managed CMK with imported key material

D.

IAM managed data key

Buy Now
Questions 48

A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes

What is the MOST secure way to accomplish this?

Options:

A.

Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool

B.

Search for the public key with a key ID that matches the key ID In the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date

C.

Verify that the token is not expired. Then use the token_use claim function In Amazon Cognito to validate the key IDs

D.

Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem file. Then use the file to validate the original JWT.

Buy Now
Questions 49

A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.

Which action should the Security Engineer take to allow communication over the public IP addresses?

Options:

A.

Associate the instances to the same security groups.

B.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

C.

Add the instance IDs to the ingress rules of the instance security groups.

D.

Add the public IP addresses to the ingress rules of the instance security groups.

Buy Now
Questions 50

A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on IAM, but does have IAM Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

Options:

A.

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

B.

Use the IAM Systems Manager Run Command to patch affected instances.

C.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

D.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Buy Now
Questions 51

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

Options:

A.

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

B.

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

C.

Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.

D.

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

E.

Assign the IAMConfigRole managed policy to the IAM Config role

Buy Now
Questions 52

A company's information security team want to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the study, the Engineer needs gather logs from all of the company's IAM accounts in a single place.

How should the Security Engineer go about doing this?

Options:

A.

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

B.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

C.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

D.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Buy Now
Questions 53

An IAM Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

Options:

A.

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B.

The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D.

The version of the Lambda function that was executed was not current.

Buy Now
Questions 54

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

Pattern:

"randomID_datestamp_PII.csv"

Example:

"1234567_12302017_000-00-0000 csv"

The bucket where these objects are being stored is using server-side encryption (SSE).

Which solution is the most secure and cost-effective option to protect the sensitive data?

Options:

A.

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

B.

Add an S3 bucket policy that denies the action s3:GetObject

C.

Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

D.

Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

Buy Now
Questions 55

The Security Engineer created a new IAM Key Management Service (IAM KMS) key with the following key policy:

SCS-C01 Question 55

What are the effects of the key policy? (Choose two.)

Options:

A.

The policy allows access for the IAM account 111122223333 to manage key access though IAM policies.

B.

The policy allows all IAM users in account 111122223333 to have full access to the KMS key.

C.

The policy allows the root user in account 111122223333 to have full access to the KMS key.

D.

The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.

E.

The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Buy Now
Questions 56

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l .amazonIAM.com. You have some web pages that use Javascript that access resources in another bucket which has web site hosting also enabled. But when users access the web pages , they are getting a blocked Javascript error. How can you rectify this?

Please select:

Options:

A.

Enable CORS for the bucket

B.

Enable versioning for the bucket

C.

Enable MFA for the bucket

D.

Enable CRR for the bucket

Buy Now
Questions 57

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses IAM WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.

The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)

What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

Options:

A.

Create a rule in IAM WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

B.

Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions

C.

Create a rate-based rule in IAM WAF to limit the total number of requests that the web application services.

D.

Create an IP-based blacklist in IAM WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Buy Now
Questions 58

Which of the following is used as a secure way to log into an EC2 Linux Instance?

Please select:

Options:

A.

IAM User name and password

B.

Key pairs

C.

IAM Access keys

D.

IAM SDK keys

Buy Now
Questions 59

Your company has defined privileged users for their IAM Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?

Please select:

Options:

A.

Enable MFA for these user accounts

B.

Enable versioning for these user accounts

C.

Enable accidental deletion for these user accounts

D.

Disable root access for the users

Buy Now
Questions 60

A company has five IAM accounts and wants to use IAM CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

Options:

A.

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

B.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

C.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

D.

Use unique log file prefixes for trails in each IAM account.

E.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

F.

Enable encryption of the log files by using IAM Key Management Service

Buy Now
Questions 61

An organization has three applications running on IAM, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an IAM KMS Customer Master Key (CMK).

What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

Options:

A.

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

B.

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

C.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

D.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Buy Now
Questions 62

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.

Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

SCS-C01 Question 62

Options:

A.

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

B.

Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

C.

Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

D.

Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

Buy Now
Questions 63

A Security Engineer is working with a Product team building a web application on IAM. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Options:

A.

Create a custom authorization service using IAM Lambda.

B.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

C.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

D.

Configure an Amazon Cognito identity pool to integrate with social login providers.

E.

Update DynamoDB to store the user email addresses and passwords.

F.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Buy Now
Questions 64

The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.

What is the MOST cost-effective way to correct this?

Options:

A.

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.

B.

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

C.

Update the policy, keeping the vault lock in place.

D.

Update the policy and call initiate-vault-lock again to apply the new policy.

Buy Now
Questions 65

Your IT Security team has advised to carry out a penetration test on the resources in their company's IAM Account. This is as part of their capability to analyze the security of the Infrastructure. What should be done first in this regard?

Please select:

Options:

A.

Turn on Cloud trail and carry out the penetration test

B.

Turn on VPC Flow Logs and carry out the penetration test

C.

Submit a request to IAM Support

D.

Use a custom IAM Marketplace solution for conducting the penetration test

Buy Now
Questions 66

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.

Which of the following methods will ensure that the data is unreadable by anyone else?

Options:

A.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

B.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

C.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

D.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

Buy Now
Questions 67

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.

What can be done to implement the above policy?

Options:

A.

Enable automatic key rotation annually for the CMK.

B.

Use IAM Command Line Interface to create an IAM Lambda function to rotate the existing CMK annually.

C.

Import new key material to the existing CMK and manually rotate the CMK.

D.

Create a new CMK, import new key material to it, and point the key alias to the new CMK.

Buy Now
Questions 68

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

Options:

A.

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.

B.

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

C.

Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

D.

Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.

Buy Now
Questions 69

While analyzing a company's security solution, a Security Engineer wants to secure the IAM account root user.

What should the Security Engineer do to provide the highest level of security for the account?

Options:

A.

Create a new IAM user that has administrator permissions in the IAM account. Delete the password for the IAM account root user.

B.

Create a new IAM user that has administrator permissions in the IAM account. Modify the permissions for the existing IAM users.

C.

Replace the access key for the IAM account root user. Delete the password for the IAM account root user.

D.

Create a new IAM user that has administrator permissions in the IAM account. Enable multi-factor authentication for the IAM account root user.

Buy Now
Questions 70

An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether.

Which of the following supports this requirement for IAM resources that are encrypted by IAM KMS?

Options:

A.

Copy the application’s IAM KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.

B.

Configure IAM KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.

C.

Use IAM services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.

D.

Configure the target region’s IAM service to communicate with the source region’s IAM KMS so that it can decrypt the resource in the target region.

Buy Now
Questions 71

Which approach will generate automated security alerts should too many unauthorized IAM API requests be identified?

Options:

A.

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric’s rate.

B.

Configure IAM CloudTrail to stream event data to Amazon Kinesis. Configure an IAM Lambda function on the stream to alarm when the threshold has been exceeded.

C.

Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.

D.

Use the Amazon Personal Health Dashboard to monitor the account’s use of IAM services, and raise an alert if service error rates increase.

Buy Now
Questions 72

An application makes calls to IAM services using the IAM SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.

Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

Options:

A.

Confirm that the EC2 instance's security group authorizes S3 access.

B.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

C.

Check the S3 bucket policy for statements that deny access to objects.

D.

Confirm that the EC2 instance is using the correct key pair.

E.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

F.

Confirm that the instance and the S3 bucket are in the same Region.

Buy Now
Questions 73

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.

What techniques will limit lateral movement and allow evidence gathering?

Options:

A.

Remove the instance from the load balancer and terminate it.

B.

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

C.

Reboot the instance and check for any Amazon CloudWatch alarms.

D.

Stop the instance and make a snapshot of the root EBS volume.

Buy Now
Questions 74

Your company has a set of resources defined in the IAM Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?

Please select:

Options:

A.

Create a powershell script using the IAM CLI. Query for all resources with the tag of production.

B.

Create a bash shell script with the IAM CLI. Query for all resources in all regions. Store the results in an S3 bucket.

C.

Use Cloud Trail to get the list of all resources

D.

Use IAM Config to get the list of all resources

Buy Now
Questions 75

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).

What mechanism will allow the company to implement all required network rules without incurring additional cost?

Options:

A.

Configure IAM WAF rules to implement the required rules.

B.

Use the operating system built-in, host-based firewall to implement the required rules.

C.

Use a NAT gateway to control ingress and egress according to the requirements.

D.

Launch an EC2-based firewall product from the IAM Marketplace, and implement the required rules in that product.

Buy Now
Questions 76

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.

Which solution would be MOST secure and easy to maintain?

Options:

A.

Use IAM Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

B.

Create a self-signed certificate in one container and use IAM Secrets Manager to distribute the certificate to the other containers to establish trust.

C.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

D.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use IAM Certificate Manager to generate the private certificates and deploy them to all the containers.

Buy Now
Questions 77

The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using IAM CloudFormation templates with EC2 Auto Scaling groups:

-Have the EC2 instances bootstrapped to connect to a backend database.

-Ensure that the database credentials are handled securely.

-Ensure that retrievals of database credentials are logged.

Which of the following is the MOST efficient way to meet these requirements?

Options:

A.

Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

B.

Store database passwords in IAM Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

C.

Create an IAM Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.

D.

Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Buy Now
Questions 78

A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.

What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below

Please select:

Options:

A.

Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.

B.

Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.

C.

Enable CloudTrail log file integrity validation

D.

Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.

E.

Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.

Buy Now
Questions 79

Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.

What steps are necessary to identify the cause of this phenomenon? (Choose two.)

Options:

A.

Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.

B.

Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

C.

Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

D.

Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

E.

Use IAM CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

Buy Now
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty
Last Update: Aug 10, 2022
Questions: 532

PDF + Testing Engine

$79.2  $175.99

Testing Engine

$59.4  $131.99
buy now SCS-C01 testing engine

PDF (Q&A)

$49.5  $109.99
buy now SCS-C01 pdf