Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security- Specialty exam with these free Questions and Answers

Page 3 of 118
QUESTION 6

- (Exam Topic 1)
A company has an application hosted on an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter Store. When the application tries to access the secure string key value, it fails.
Which factors could be the cause of this failure? (Select TWO.)

  1. A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret
  2. B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store
  3. C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter
  4. D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret
  5. E. The EC2 instance does not have any tags associated.

Correct Answer: CE

QUESTION 7

- (Exam Topic 2)
The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.
How can the InfoSec team ensure compliance with this mandate?

  1. A. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
  2. B. Patch all running instances by using AWS Systems Manager.
  3. C. Deploy AWS Config rules and check all running instances for compliance.
  4. D. Define a metric filter in Amazon CloudWatch Logs to verify compliance.

Correct Answer: C
https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html

QUESTION 8

- (Exam Topic 2)
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?

  1. A. Disable network ACLs.
  2. B. Configure the security appliance's elastic network interface for promiscuous mode.
  3. C. Disable the Network Source/Destination check on the security appliance's elastic network interface
  4. D. Place the security appliance in the public subnet with the internet gateway

Correct Answer: C
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. In this case the virtual security appliance instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the security appliance instance, just as you would on a NAT instance.

QUESTION 9

- (Exam Topic 3)
Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB?
Please select:

  1. A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
  2. B. Encrypt the DynamoDB table using KMS during its creation
  3. C. Encrypt the table using AWS KMS after it is created
  4. D. Use S3 buckets to encrypt the data before sending it to DynamoDB

Correct Answer: B
The easiest option is to enable encryption when the DynamoDB table is created. The AWS documentation mentions the following:
Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.
Option A is partially correct: you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table beforehand.
Option C is invalid because you cannot encrypt the table after it is created.
Option D is invalid because encryption for S3 buckets is for the objects in S3 only.
For more information on securing data at rest for DynamoDB please refer to the URL below: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
The correct answer is: Encrypt the DynamoDB table using KMS during its creation

QUESTION 10

- (Exam Topic 3)
A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security-related messages.
What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement? Please select:

  1. A. Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled CloudWatch event.
  2. B. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
  3. C. Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.
  4. D. Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena.

Correct Answer: B
One can send the log files to CloudWatch Logs. Log files can also be sent from on-premises servers. You can then specify metric filters to search the logs for any specific values, and then create alarms based on these metrics.
Option A is invalid because this would be a long, overdrawn process to achieve this requirement.
Option C is invalid because Amazon Inspector cannot be used to monitor for security-related messages.
Option D is invalid because files cannot be exported to AWS CloudTrail.
For more information on the CloudWatch Logs agent please visit the URL below: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
The correct answer is: Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
