Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 2 of 118
QUESTION 1

- (Exam Topic 3)
You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?
Please select:

  1. A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
  2. B. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
  3. C. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
  4. D. Create three new CloudTrail trails with three new S3 buckets to store the logs, one for the AWS Management Console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Correct Answer: A
AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account. CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct.
Option B is invalid because you need to ensure that global services is selected.
Option C is invalid because you should use bucket policies.
Option D is invalid because you should ideally just create one S3 bucket.
For more information on CloudTrail, please visit the below URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

QUESTION 2

- (Exam Topic 2)
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK?

  1. A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
  2. B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
  3. C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
  4. D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Correct Answer: A

QUESTION 3

- (Exam Topic 1)
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

  1. A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  2. B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  3. C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
  4. D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

Correct Answer: A

QUESTION 4

- (Exam Topic 3)
A developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP.
[Exhibit: the SCP is shown as an image that is not reproduced here.]
How can the security engineer provide the developer with Amazon S3 access without affecting other accounts?

  1. A. Move the SCP to the root OU of the organization to remove the restriction to access Amazon S3.
  2. B. Add an IAM policy for the developer, which grants S3 access.
  3. C. Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.
  4. D. Add an allow list for the developer account for the S3 service.

Correct Answer: C

QUESTION 5

- (Exam Topic 2)
You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?
Please select:

  1. A. Shutdown the instance
  2. B. Remove the rule for incoming traffic on port 22 for the Security Group
  3. C. Change the AMI for the instance
  4. D. Change the Instance type for the instance

Correct Answer: B
In the test environment the security groups might have been opened to all IP addresses for testing purposes. Always ensure that you remove this rule once all testing is completed.
Options A, C and D are all invalid because they would affect the application running on the server. The easiest way is just to remove the rule for access on port 22.
For more information on authorizing access to an instance, please visit the below URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
The correct answer is: Remove the rule for incoming traffic on port 22 for the Security Group.
