
Note: The SCS-C01 exam is now retired. Please select the replacement exam for your certification; the new exam code is SCS-C02.

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Question # 137

A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user’s IAM permissions in the case of a security incident.

How can this be accomplished?

A. Use AWS Config to review the IAM policy assigned to users before and after the incident.

B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.

C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.

D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
Question # 138

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.

What should the Security Engineer do to provide the highest level of security for the account?

A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.

B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.

C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.

D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
Question # 139

A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.

How can the Security Engineer protect this workload so that only employees can access it?

A. Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

B. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

D. Route all traffic to the workload through AWS WAF. Add each employee’s home IP address into an AWS WAF rule, and block all other traffic.
Question # 140

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.

Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

A. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

B. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

C. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

D. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.
Question # 141

A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible.

How can a Security Engineer securely set up the bastion host?

A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.

B. Create an SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.

C. Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.

D. Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
Question # 142

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.

Which of the following mitigations should be recommended?

A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.

B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Question # 143

A company has multiple VPCs in its account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.

How can this be accomplished? (Choose two.)

A. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

B. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

C. Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

D. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

E. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
Question # 144

Which of the following is used as a secure way to log into an EC2 Linux Instance?

Please select:

A. IAM user name and password

B. Key pairs

C. IAM access keys

D. IAM SDK keys