16 October, 2023

Printable Amazon-Web-Services SCS-C01 Training Tools Online

Want to know Pass4sure SCS-C01 Exam practice test features? Want to lear more about Amazon-Web-Services AWS Certified Security- Specialty certification experience? Study Pinpoint Amazon-Web-Services SCS-C01 answers to Avant-garde SCS-C01 questions at Pass4sure. Gat a success with an absolute guarantee to pass Amazon-Web-Services SCS-C01 (AWS Certified Security- Specialty) test on your first attempt.

Online Amazon-Web-Services SCS-C01 free dumps demo Below:

Page: 1 / 27

Total 330 questions Full Exam Access

Question 1

Your company has a set of resources defined in the AWS Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?
Please select:

Create a powershell script using the AWS CL

Query for all resources with the tag of production.

Create a bash shell script with the AWS CL

Query for all resources in all region

Store the results in an S3 bucket.

Use Cloud Trail to get the list of all resources

Use AWS Config to get the list of all resources

Question 2

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Configure automatic rotation of credentials in AWS Secrets Manager.

Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Stor

Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotate

Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Question 3

A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition , it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below
Please select:

Enable bucket versioning and also enable CRR

Enable bucket versioning and enable Master Pays

For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}} i

Enable the Bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}

My answer: -

Reference answer: AC

Reference analysis:

The AWS Documentation mentions the following Adding a Bucket Policy to Require MFA
Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazoi. S3 resources.
You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. 1AM users car access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request.
When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the 1AM User Guide.
SCS-C01 dumps exhibit
C:\Users\wk\Desktop\mudassar\Untitled.jpg
Option B is invalid because just enabling bucket versioning will not guarantee replication of objects Option D is invalid because the condition for the bucket policy needs to be set accordingly For more information on example bucket policies, please visit the following URL: • https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Also versioning and Cross Region replication can ensure that objects will be available in the destination region in case the primary region fails.
For more information on CRR, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answers are: Enable bucket versioning and also enable CRR, For the Bucket policy add a condition for {"Null": { "aws:MultiFactorAuthAge": true}}
Submit your Feedback/Queries to our Experts

Question 4

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted
with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.
The company’s Developer Operations department learns about this only after the CMK has been deleted. Which steps must be taken to address this situation?

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.

Make a request to AWS Support to recover the S3 encrypted data.

Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.

Question 5

Your company manages thousands of EC2 Instances. There is a mandate to ensure that all servers don't have any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.
Please select:

Use AWS Config to ensure that the servers have no critical flaws.

Use AWS inspector to ensure that the servers have no critical flaws.

Use AWS inspector to patch the servers

Use AWS SSM to patch the servers

My answer: -

Reference answer: BD

Reference analysis:

The AWS Documentation mentions the following on AWS Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
Option A is invalid because the AWS Config service is not used to check the vulnerabilities on servers Option C is invalid because the AWS Inspector service is not used to patch servers
For more information on AWS Inspector, please visit the following URL: https://aws.amazon.com/inspector>
Once you understand the list of servers which require critical updates, you can rectify them by installing the required patches via the SSM tool.
For more information on the Systems Manager, please visit the following URL: https://docs.aws.amazon.com/systems-manager/latest/APIReference/Welcome.html
The correct answers are: Use AWS Inspector to ensure that the servers have no critical flaws.. Use AWS SSM to patch the servers

Question 6

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture:
• Data must be encrypted in transit.
• Data must be encrypted at rest.
• The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Choose two.)

Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.

Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.

Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.

Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only.

Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".

Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Question 7

A Devops team is currently looking at the security aspect of their CI/CD pipeline. They are making use of AWS resource? for their infrastructure. They want to ensure that the EC2 Instances don't have any high security vulnerabilities. They want to ensure a complete DevSecOps process. How can this be achieved?
Please select:

Use AWS Config to check the state of the EC2 instance for any sort of security issues.

Use AWS Inspector API's in the pipeline for the EC2 Instances

Use AWS Trusted Advisor API's in the pipeline for the EC2 Instances

Use AWS Security Groups to ensure no vulnerabilities are present

Question 8

The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.
How can the InfoSec team ensure compliance with this mandate?

Terminate all Amazon EC2 instances and relaunch them with approved AMIs.

Patch all running instances by using AWS Systems Manager.

Deploy AWS Config rules and check all running instances for compliance.

Define a metric filter in Amazon CloudWatch Logs to verify compliance.

Question 9

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?

Configure AWS WAF rules to implement the required rules.

Use the operating system built-in, host-based firewall to implement the required rules.

Use a NAT gateway to control ingress and egress according to the requirements.

Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

Question 10

A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to encrypt at rest. How can this be achieved?
Please select:

Use AWS Access keys to encrypt the data

Use SSL certificates to encrypt the data

Enable server side encryption on the S3 bucket

Enable MFA on the S3 bucket

Question 11

A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.
What is the MOST efficient way to meet these requirements?

Install antivirus software and ensure that signatures are up-to-dat

Configure Amazon CloudWatch alarms to send alerts for security events.

Install host-based IDS software to check for file integrit

Export the logs to Amazon CloudWatch Logs for monitoring and alerting.

Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Use Amazon CloudWatch Logs to detect file system change

If a change is detected, automatically terminate and recreate the instance from the most recent AM

Use Amazon SNS to send notification of the event.

Question 12

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.
Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?
SCS-C01 dumps exhibit

Move all the files to an Amazon S3 bucke

Have the web server serve the files from the S3 bucket.

Launch a second Amazon EC2 instance in a new subne

Launch an Application Load Balancer in front of both instances.

Launch an Application Load Balancer in front of the EC2 instanc

Create an Amazon CloudFront distribution in front of the Application Load Balancer.

Move all the files to an Amazon S3 bucke

Create a CloudFront distribution in front of the bucket and terminate the web server.

Question 13

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three 1AM best practices should you consider implementing?
Please select:

Create individual 1AM users

Configure MFA on the root account and for privileged 1AM users

Assign 1AM users and groups configured with policies granting least privilege access

Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, andX.509 certificate

Question 14

Your company has the following setup in AWS
a:. A set of EC2 Instances hosting a web application
b: An application load balancer placed in front of the EC2 Instances
There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?
Please select:

Use Security Groups to block the IP addresses

Use VPC Flow Logs to block the IP addresses

Use AWS inspector to block the IP addresses

Use AWS WAF to block the IP addresses

Question 15

An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to “Pending”, but after a few seconds, it would switch back to “Stopped”.
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances.
The IAM user policy is as follows:
SCS-C01 dumps exhibit

What additional items need to be added to the IAM user policy? (Choose two.)

kms:GenerateDataKey

kms:Decrypt

kms:CreateGrant

“Condition”: {“Bool”: {“kms:ViaService”: “ec2.us-west-2.amazonaws.com”}}

“Condition”: {“Bool”: {“kms:GrantIsForAWSResource”: true}}

Question 16

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l .amazonaws.com. You have some web pages that use Javascript that access resources in another bucket which has web site hosting also enabled. But when users access the web pages , they are getting a blocked Javascript error. How can you rectify this?
Please select:

Enable CORS for the bucket

Enable versioning for the bucket

Enable MFA for the bucket

Enable CRR for the bucket

My answer: -

Reference answer: A

Reference analysis:

Your answer is incorrect Answer-A
Such a scenario is also given in the AWS Documentation Cross-Origin Resource Sharing: Use-case Scenarios The following are example scenarios for using CORS:
• Scenario
1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1
.a mazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1 .amazonaws.com.
• Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
Option Bis invalid because versioning is only to create multiple versions of an object and can help in accidental deletion of objects
Option C is invalid because this is used as an extra measure of caution for deletion of objects Option D is invalid because this is used for Cross region replication of objects
For more information on Cross Origin Resource sharing, please visit the following URL
• ittps://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html The correct answer is: Enable CORS for the bucket
Submit your Feedback/Queries to our Experts

Question 17

Which technique can be used to integrate AWS 1AM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
Please select:

Use an 1AM policy that references the LDAP account identifiers and the AWS credentials.

Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.

Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.

Use 1AM roles to automatically rotate the 1AM credentials when LDAP credentials are updated.

Question 18

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.
Please select:

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up AWS DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

Question 19

Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.

Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.

Change the CMK alias every 90 days, and update key-calling applications with the new key alias.

Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Question 20

An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?

Copy the application’s AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.

Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.

Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.

Configure the target region’s AWS service to communicate with the source region’s AWS KMS so that it can decrypt the resource in the target region.

Question 21

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.

Use IAM policies to restrict access to Encrypt and Decrypt API actions.

Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

Use key policies to restrict access to the appropriate IAM groups.

Question 22

An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues. Which approach will meet these requirements and priorities?

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Question 23

You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?
Please select:

AWS Cloudwatch

AWS EC2

AWS Trusted Advisor

AWS SNS

Question 24

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary
What solution should the Engineer use to implement the appropriate access restrictions for the application?

Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges.Associate the NACL to both the NLB and EC2 instances

Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block range

Associate the security group to the NL

Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.

Create an AWS PrivateLink endpoint service in the parent company account attached to the NL

Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoin

Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.

Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block range

Associate the security group with EC2 instances.

Question 25

You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?
Please select:

Generate pre-signed URLs for each user as they request access to protected S3 content

Create an 1AM user for each subscribed user and assign the GetObject permission to each 1AM user

Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials

Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

Page: 1 / 27

Total 330 questions Full Exam Access