
Note: the SCS-C01 exam is now retired. Please select the replacement exam for your certification; the new exam code is SCS-C02.

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Question # 129

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future.

Which controls should the company implement to achieve this? (Select TWO.)

A. Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

B. Use AWS CloudTrail to create a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.

C. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Principal": "*",
        "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"
      }
    }

Then create an Amazon S3 data event for all PutObject attempts, which sends notifications to an Amazon SNS topic.

D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and create a lifecycle policy to transition the logs to Amazon S3 Glacier.

E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.
Question # 130

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

A. Enable automatic key rotation annually for the existing customer managed key.

B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.

C. Import new key material to the existing customer managed key. Manually rotate the key.

D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Question # 131

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.

To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

A. An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

B. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

C. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.

D. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
Question # 132

You have a 2-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 instances. You are devising the security groups for these EC2 instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.

Please select:

A. wg-123 - Allow ports 80 and 443 from 0.0.0.0/0

B. db-345 - Allow port 1433 from wg-123

C. wg-123 - Allow port 1433 from wg-123

D. db-345 - Allow port 1433 from 0.0.0.0/0
Question # 133

A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.

How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

A. Deny access to the Amazon DNS IP within all security groups.

B. Add a rule to all network access control lists that denies access to the Amazon DNS IP.

C. Add a route to all route tables that black-holes traffic to the Amazon DNS IP.

D. Disable DNS resolution within the VPC configuration.
Question # 134

An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).

What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

B. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.

C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
Question # 135

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements:

  • Each object must be encrypted using a unique key.
  • Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.
  • AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

A. Create a Customer Master Key (CMK) for each data classification type, and enable annual rotation of it. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

C. Create a CMK for each data classification type, and within the CMK policy, enable annual rotation of it and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Question # 136

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)

A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

B. Block outbound access to public S3 endpoints on the proxy server.

C. Configure Network ACLs on Server X to deny access to S3 endpoints.

D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.