Month End Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

  1. Home
  2. Amazon Web Services
  3. AWS Certified Specialty
  4. SCS-C01 - AWS Certified Security - Specialty
Note! Following SCS-C01 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is SCS-C02

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Go to page:
Question # 121

An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53

The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time

Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

A.

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

B.

Send an email message to the domain administrators to request vacation of the domains for ACM

C.

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

D.

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

E.

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

F.

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Full Access
Question # 122

A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK

Which solution should the c0mpany‘s security specialist recommend‘?

A.

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

B.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

C.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

D.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Full Access
Question # 123

A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted

The company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead

Which steps should the security engineer take to meet these requirements?

A.

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

B.

Use a customer managed IAM policy that will verify that the encryption flag of the Createvolume context is set to true. Apply this rule to all users.

C.

Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

D.

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Full Access
Question # 124

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

A.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

B.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

C.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

D.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

E.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Full Access
Question # 125

Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A.

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

B.

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

C.

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

D.

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Full Access
Question # 126

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group

Which solution will meet this requirement?

A.

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

B.

Download and configure the CloudWatch agent on the container instances

C.

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

D.

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Full Access
Question # 127

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.

Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

A.

Configure access logging for the required API stage.

B.

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.

C.

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

D.

Use Amazon CloudWatch Logs Insights to analyze API access information.

E.

Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Full Access
Question # 128

A company stores sensitive documents in Amazon S3 by using server-side encryption with an IAM Key Management Service (IAM KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.

Which statement should the company add to the key policy to meet this requirement?

A)

B)

A.

Option A

B.

Option B

Full Access
Go to page:

Hot Exams

ADM-201 Dumps
Platform-App-Builder Dumps
AZ-500 Dumps
350-701 Dumps
SY0-601 Dumps
NCSE-Core Dumps
PDP9 Dumps
DP-203 Dumps
AZ-700 Dumps
NSE7_EFW-7.0 Dumps
Integration-Architect Dumps
CS0-003 Dumps