Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 8 of 118
QUESTION 31

- (Exam Topic 2)
A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.
What is the MOST efficient way to meet these requirements?

  1. A. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.
  2. B. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
  3. C. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.
  4. D. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

Correct Answer: B

QUESTION 32

- (Exam Topic 3)
An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
Please select:

  1. A. Expose the data with a public HTTPS endpoint.
  2. B. A VPN between the VPC and the data center over a Direct Connect connection
  3. C. A VPN between the VPC and the data center.
  4. D. A Direct Connect connection between the VPC and data center

Correct Answer: B
Since a consistent low latency connection is required, you should use Direct Connect. For encryption in transit, you can run a VPN over that connection.
Option A is invalid because exposing an HTTPS endpoint will not allow all traffic to flow between the VPC and the data center.
Option C is invalid because low latency is a key requirement, and a VPN over the internet cannot guarantee it. Option D is invalid because Direct Connect alone will not suffice, since the requirement also calls for encryption in transit.
For more information on the connection options please see the below link: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharint
The correct answer is: A VPN between the VPC and the data center over a Direct Connect connection.

QUESTION 33

- (Exam Topic 2)
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mailbox.
Which of the following actions would resolve this issue?

  1. A. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
  2. B. In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.
  3. C. In SNS, ensure that the subscription used by these alerts has not been deleted.
  4. D. In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.

Correct Answer: C

QUESTION 34

- (Exam Topic 3)
You have a set of customer keys created using the AWS KMS service. These keys have been in use for around 6 months. You are now trying to use the new KMS features for the existing set of keys but are not able to do so. What could be the reason for this?
Please select:

  1. A. You have not explicitly given access via the key policy
  2. B. You have not explicitly given access via the IAM policy
  3. C. You have not given access via the IAM roles
  4. D. You have not explicitly given access via IAM users

Correct Answer: A
By default, keys created in KMS are created with the default key policy. When new features are added to KMS, you need to explicitly update the default key policy of these existing keys before the features can be used with them.
Options B, C and D are invalid because the key policy is the main entity used to provide access to the keys. For more information on upgrading key policies please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-upgrading.html
The correct answer is: You have not explicitly given access via the key policy.

QUESTION 35

- (Exam Topic 2)
A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

  1. A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
  2. B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data.
  3. C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
  4. D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Correct Answer: D
We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt the data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside the locally encrypted data. When the data is needed, the Decrypt API returns the plaintext key from the encrypted key, so no plaintext key is ever stored. https://docs.aws.amazon.com/sdkfornet/latest/apidocs/items/MKeyManagementServiceKeyManagementService
