Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 9 of 118
QUESTION 36

- (Exam Topic 3)
Which of the following is the responsibility of the customer? Choose 2 answers from the options given below. Please select:

  1. A. Management of the Edge locations
  2. B. Encryption of data at rest
  3. C. Protection of data in transit
  4. D. Decommissioning of old storage devices

Correct Answer: BC
Exhibit: snapshot of the Shared Responsibility Model.
For more information on AWS Security best practises, please refer to the URL below: awsstatic corn/whitepapers/Security/AWS Practices.
The correct answers are: Encryption of data at rest; Protection of data in transit.

QUESTION 37

- (Exam Topic 2)
An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues. Which approach will meet these requirements and priorities?

  1. A. Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
  2. B. Add suspended customers to a second Cognito user pool and update the application login flow to check both user pools.
  3. C. Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the IAM policy into normal users and suspended users.
  4. D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Correct Answer: D
https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

QUESTION 38

- (Exam Topic 3)
Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
Please select:

  1. A. Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
  2. B. Create a Service Control Policy that denies access to the services. Apply the policy to the root account.
  3. C. Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.
  4. D. Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy assigned. Trigger a Lambda function that adds the policy when found missing.

Correct Answer: A
As an administrator of the master account of an organization, you can restrict which AWS services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When AWS Organizations blocks access to a service or API action for a member account, a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions.
Option B is invalid because service policies cannot be assigned to the root account at the account level. Options C and D are invalid because IAM policies alone at the account level would not suffice to meet the requirement.
For more information, please visit the URL below: id=docs_orgs_console https://docs.aws.amazon.com/IAM/latest/UserGi manage attach-policy.html
The correct answer is: Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

QUESTION 39

- (Exam Topic 2)
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?

  1. A. Use custom route tables to prevent malicious traffic from routing to the instances.
  2. B. Update security groups to deny traffic from the originating source IP addresses.
  3. C. Use network ACLs.
  4. D. Install intrusion prevention software (IPS) on each instance.

Correct Answer: D
https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
A NACL has a limit of 20 rules (it can be increased to a maximum of 40 rules), and more rules will add more latency.

QUESTION 40

- (Exam Topic 3)
Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?
Please select:

  1. A. Adding a bucket policy on the S3 bucket.
  2. B. Configuring lifecycle configuration rules on the S3 bucket.
  3. C. Creating an IAM policy for the S3 bucket.
  4. D. Enabling CORS on the S3 bucket.

Correct Answer: B
The AWS Documentation mentions the following on lifecycle policies:
Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects. These actions can be classified as follows:
Transition actions - In which you define when objects transition to another storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Expiration actions - In which you specify when the objects expire. Then Amazon S3 deletes the expired objects on your behalf.
Options A and C are invalid because neither bucket policies nor IAM policies can control the purging of logs. Option D is invalid because CORS is used for accessing objects across domains and not for purging of logs. For more information on AWS S3 Lifecycle policies, please visit the following URL:
com/AmazonS3/latest/d<
The correct answer is: Configuring lifecycle configuration rules on the S3 bucket.
