
SCS-C01 PDF Dumps Jan 28, 2022 Recently Updated Questions [Q242-Q257]



Introduction to Amazon AWS-Security-Specialty: AWS Certified Security - Specialty Exam

As businesses shift workloads rapidly into the public cloud, cloud computing has developed from an enticing capability into a profound business. AWS is considered an industry pioneer and the most experienced provider in the cloud business, a pioneer in ideas and a benchmark among all of its rivals. This transition involves a variety of skills to develop, implement, and maintain cloud infrastructure systems. Get accredited on AWS systems with all of the qualifications (plus the best performers) that are best tested by one of the most popular cloud computing firms. Across an organization, certification reflects a shared definition of a network, agreed terminology, and a basic level of cloud expertise that can speed up cloud work evaluation. The following guide includes the AWS Architect-Professional Qualification test, the professional qualification salary of the Amazon AWS-Security-Specialty: AWS Certified Security - Specialty exam, and all facts of the test such as information about AWS Certified Security - Specialty practice exams.

 

NEW QUESTION 242
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)

  • A. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
  • B. Create a VPC endpoint for AWS KMS with private DNS enabled.
  • C. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
  • D. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
  • E. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

Answer: B,D

Explanation:
An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:
"Condition": {
  "StringNotEquals": {
    "aws:sourceVpce": "vpce-0295a3caf8414c94a"
  }
}
If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname (https://kms.<region>.amazonaws.com) resolves to your VPC endpoint.

 

NEW QUESTION 243
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions.
What is the SIMPLEST way to meet these requirements?

  • A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
  • B. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
  • C. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
  • D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Answer: B

 

NEW QUESTION 244
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

  • A. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
  • B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
  • C. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.
  • D. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.

Answer: B

Explanation:
Using AWS Config Rules, you can run continuous assessment checks on your resources to verify that they comply with your own security policies, industry best practices, and compliance regimes such as PCI/HIPAA.
For example, AWS Config provides a managed AWS Config Rules to ensure that encryption is turned on for all EBS volumes in your account. You can also write a custom AWS Config Rule to essentially "codify" your own corporate security policies. AWS Config alerts you in real time when a resource is misconfigured, or when a resource violates a particular security policy.
Reference: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
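A custom AWS Config rule in the shape the explanation describes, as an added example (not code from the page or the cited whitepaper; the managed rule encrypted-volumes covers the same check without custom code): the handler receives an AWS::EC2::Volume configuration item and returns COMPLIANT or NON_COMPLIANT. The boto3 put_evaluations call is left as a comment so the block runs offline, and the sample events, volume ids and key ARN are constructed placeholders.

```python
import json

VOLUME_TYPE = "AWS::EC2::Volume"
DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_volume(item: dict) -> tuple:
    """Classify one configuration item as (ComplianceType, Annotation)."""
    if item.get("resourceType") != VOLUME_TYPE:
        return "NOT_APPLICABLE", "Rule evaluates EBS volumes only"
    if item.get("configurationItemStatus") in DELETED_STATES:
        return "NOT_APPLICABLE", "Volume no longer exists"
    cfg = item.get("configuration") or {}
    if cfg.get("encrypted") is True:
        # kmsKeyId is the ARN of the key used; absent in some item shapes
        return "COMPLIANT", "Encrypted with " + cfg.get("kmsKeyId", "unknown key")
    return "NON_COMPLIANT", "EBS volume is not encrypted at rest"


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the shape AWS Config invokes a change-triggered rule;
    event["invokingEvent"] is a JSON string carrying the configuration item."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_volume(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # A deployed rule reports the result back to Config:
    # boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(volume_id: str, encrypted: bool, kms_key_id: str = "") -> dict:
    """Constructed sample event (not captured from a real account)."""
    configuration = {"volumeId": volume_id, "encrypted": encrypted, "size": 100}
    if kms_key_id:
        configuration["kmsKeyId"] = kms_key_id
    item = {
        "resourceType": VOLUME_TYPE,
        "resourceId": volume_id,
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2022-01-28T00:00:00.000Z",
        "configuration": configuration,
    }
    invoking = {"configurationItem": item,
                "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking), "resultToken": "placeholder-token"}


if __name__ == "__main__":
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    for ev in (sample_event("vol-0example1", True, key_arn), sample_event("vol-0example2", False)):
        print(json.dumps(lambda_handler(ev), indent=2))
```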

 

NEW QUESTION 245
A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.
How can this be accomplished? (Choose two.)

  • A. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.
  • B. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
  • C. Create a VPN connection from the data center to VPC A.
    Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.
  • D. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.
  • E. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Answer: B,C

 

NEW QUESTION 246
A DevOps team is currently looking at the security aspect of their CI/CD pipeline. They are making use of AWS resources for their infrastructure. They want to ensure that the EC2 Instances don't have any high security vulnerabilities. They want to ensure a complete DevSecOps process. How can this be achieved?
Please select:

  • A. Use AWS Security Groups to ensure no vulnerabilities are present
  • B. Use AWS Inspector APIs in the pipeline for the EC2 Instances
  • C. Use AWS Config to check the state of the EC2 instance for any sort of security issues.
  • D. Use AWS Trusted Advisor APIs in the pipeline for the EC2 Instances

Answer: B

Explanation:
Amazon Inspector offers a programmatic way to find security defects or misconfigurations in your operating systems and applications. Because you can use API calls to access both the processing of assessments and the results of your assessments, integration of the findings into workflow and notification systems is simple.
DevOps teams can integrate Amazon Inspector into their CI/CD pipelines and use it to identify any pre-existing issues or when new issues are introduced.
Options A, C and D are all incorrect since these services cannot check for security vulnerabilities. These can only be checked by the Amazon Inspector service.
For more information on AWS security best practices, please refer to the URL below:
https://d1.awsstatic.com/whitepapers/Security/AWS Security Best Practices.pdf
The correct answer is: Use AWS Inspector APIs in the pipeline for the EC2 Instances

 

NEW QUESTION 247
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

  • A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
  • C. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • D. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

Answer: C

 

NEW QUESTION 248
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the Engineer implement?

  • A.
  • B.
  • C.
  • D.

Answer: D

 

NEW QUESTION 249
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:

  • A. Enable versioning which will copy the objects to the destination region
  • B. Create an S3 snapshot in the destination region
  • C. Enable cross region replication for the bucket
  • D. Write a script to copy the objects to another bucket in the destination region

Answer: C

Explanation:
Option B is partially correct, but it is a big maintenance overhead to create and maintain a script when the functionality is already available in S3.
Option C is invalid because snapshots are not available in S3.
Option D is invalid because versioning will not replicate objects.
The AWS documentation mentions the following: Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions.
For more information on cross-region replication in the Simple Storage Service, please visit the URL below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket

 

NEW QUESTION 250
Your current setup in AWS consists of the following architecture: two public subnets, one of which hosts the web servers accessed by users across the internet, and the other the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup?
Please select:

  • A. Consider creating a private subnet and adding a NAT instance to that subnet
  • B. Consider moving both the web and database server to a private subnet
  • C. Consider moving the web server to a private subnet
  • D. Consider moving the database server to a private subnet

Answer: D

Explanation:
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.
The diagram below from the AWS documentation shows how this can be set up.

Options A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users. Option D is invalid because NAT instances should be present in the public subnet.
For more information on public and private subnets in AWS, please visit the following URL: com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet

 

NEW QUESTION 251
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

  • A. X.509 certificate
  • B. Assign IAM users and groups configured with policies granting least privilege access
  • C. Configure MFA on the root account and for privileged IAM users
  • D. Create individual IAM users
  • E. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and

Answer: B,C,D

Explanation:
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.

Option D is invalid because, as per the dashboard, this is not part of the security recommendation.
For more information on best security practices, please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices
The correct answers are: Create individual IAM users; Configure MFA on the root account and for privileged IAM users; Assign IAM users and groups configured with policies granting least privilege access

 

NEW QUESTION 252
You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below Please select:

  • A. Bucket policies
  • B. IAM users
  • C. Bucket ACLs
  • D. IAM policies

Answer: A,C

Explanation:
The AWS Security whitepaper gives the type of access control and to what level the control can be given.

Options A and C are incorrect since for external access to buckets, you need to use either bucket policies or bucket ACLs. For more information on security for storage services, please refer to the URL below:
https://d1.awsstatic.com/whitepapers/Security/Security Storage Services Whitepaper.pdf
The correct answers are: Bucket ACLs, Bucket policies

 

NEW QUESTION 253
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.
Please select:

  • A. B
  • B. D
  • C. C
  • D. A

Answer: D

Explanation:
The condition "s3:x-amz-server-side-encryption": "aws:kms" ensures that uploaded objects need to be encrypted.
Options B, C and D are invalid because you have to ensure the condition "s3:x-amz-server-side-encryption": "aws:kms" is present.
For more information on AWS KMS best practices, just browse to the URL below:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

 

NEW QUESTION 254
Your company has confidential documents stored in the simple storage service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect what is the change you would make to comply with this requirement.
Please select:

  • A. Enable Cross region replication for the S3 bucket
  • B. Copy the data to an EBS Volume in another Region
  • C. Create a snapshot of the S3 bucket and copy it to another region
  • D. Apply Multi-AZ for the underlying S3 bucket

Answer: A

Explanation:
This is mentioned clearly as a use case for S3 cross-region replication. You might configure cross-region replication on a bucket for various reasons, including the following:
* Compliance requirements - Although, by default, Amazon S3 stores your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store data at even further distances. Cross-region replication allows you to replicate data between distant AWS Regions to satisfy these compliance requirements.
Option A is invalid because Multi-AZ cannot be used for S3 buckets.
Option B is invalid because copying it to an EBS volume is not a recommended practice. Option C is invalid because creating snapshots is not possible in S3.
For more information on S3 cross-region replication, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable Cross region replication for the S3 bucket

 

NEW QUESTION 255
A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company AWS account. The Security Analyst decides to do this by improving AWS account root user security.
Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

  • A. Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.
  • B. Implement a strong password to help protect account-level access to the AWS Management Console by the account root user.
  • C. Enable multi-factor authentication (MFA) on every account root user in all accounts.
  • D. Delete the access keys for the account root user in every account.
  • E. Create an admin IAM user with administrative privileges and delete the account root user in every account.
  • F. Attach an IAM role to the account root user to make use of the automated credential rotation in AWS STS.

Answer: A,C,D

 

NEW QUESTION 256
An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.
A Security Engineer must design a solution that meets the following requirements:
* Make the log files available through an AWS managed service.
* Allow for automatic monitoring of the logs.
* Provide an interface for analyzing logs.
* Minimize effort.
Which approach meets these requirements?

  • A. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.
  • B. Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket.
  • C. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
  • D. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.

Answer: D

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudwatch-agent.html

 

NEW QUESTION 257
......
