Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 6 of 118
QUESTION 21

- (Exam Topic 1)
A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).
Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

  1. A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
  2. B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
  3. C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.
  4. D. Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
  5. E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Correct Answer: CD

QUESTION 22

- (Exam Topic 3)
You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
Please select:

  1. A. Check to see if the right role has been assigned to the EC2 instances
  2. B. Check to see if the IAM user has the right permissions for EC2
  3. C. Ensure that agent is running on the instances.
  4. D. Check the Instance status by using the Health API.

Correct Answer: ACD
To ensure that the instances are configured properly, you need to ensure the following:
1) You installed the latest version of the SSM Agent on your instance.
2) Your instance is configured with an AWS Identity and Access Management (IAM) role that enables the instance to communicate with the Systems Manager API.
3) You can use the Amazon EC2 Health API to quickly determine the following information about Amazon EC2 instances:
   - The status of one or more instances
   - The last time the instance sent a heartbeat value
   - The version of the SSM Agent
   - The operating system
   - The version of the EC2Config service (Windows)
   - The status of the EC2Config service (Windows)

Option B is invalid because IAM users are not supposed to be directly granted permissions to EC2 instances.
For more information on troubleshooting AWS SSM, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
The correct answers are: Check to see if the right role has been assigned to the EC2 instances; Ensure that agent is running on the instances; Check the Instance status by using the Health API.

QUESTION 23

- (Exam Topic 3)
A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account.
The security team wants to use Amazon Detective. However, the security team cannot enable Detective and is unsure why.
What must the security team do to enable Detective?

  1. A. Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie.
  2. B. Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization.
  3. C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
  4. D. Ensure that the principal that launches Detective has the organizations:ListAccounts permission.

Correct Answer: D

QUESTION 24

- (Exam Topic 3)
A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

  1. A. Place the RDS instance in a public subnet and an AWS Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.
  2. B. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
  3. C. Place the RDS instance in a private subnet and an AWS Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
  4. D. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.
  5. E. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Correct Answer: BE

QUESTION 25

- (Exam Topic 3)
A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization in AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied.
Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

  1. A. Review the cross-account role permissions and the S3 bucket policy. Verify that the Amazon S3 block public access option in the member account is deactivated.
  2. B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations.
  3. C. Filter AWS CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly. Verify that the Amazon S3 block public access option in the master account is deactivated.
  4. D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
  5. E. Ensure the S3 bucket policy explicitly allows the s3:PutBucketPublicAccess action for the role in the member account.

Correct Answer: BE
