Note! Following SCS-C01 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is SCS-C02

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Question # 145

A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.

Which AWS services, together, can satisfy this use case? (Select two.)

A. Amazon Elasticsearch

B. Amazon Kinesis

C. Amazon SQS

D. Amazon CloudWatch

E. Amazon Athena

Question # 146

A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.

What is a scalable and efficient approach to meet this requirement?

A. Option A

B. Option B

C. Option C

D. Option D

Question # 147

A company requires that IP packet data be inspected for invalid or malicious content.

Which of the following approaches achieve this requirement? (Choose two.)

A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.

B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.

C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.

D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.

E. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

Question # 148

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

A. Option A

B. Option B

C. Option C

D. Option D

Question # 149

A company is hosting a website that must be accessible to users for HTTPS traffic. Port 22 should also be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.

Please select:

A. Port 443 coming from 0.0.0.0/0

B. Port 443 coming from 10.0.0.0/16

C. Port 22 coming from 0.0.0.0/0

D. Port 22 coming from 203.0.113.1/32

Question # 150

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.

Which solution meets these requirements?

A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.

C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

Question # 151

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.

What techniques will limit lateral movement and allow evidence gathering?

A. Remove the instance from the load balancer and terminate it.

B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

C. Reboot the instance and check for any Amazon CloudWatch alarms.

D. Stop the instance and make a snapshot of the root EBS volume.

Question # 152

A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.

What configuration is necessary to allow the virtual security appliance to route the traffic?

A. Disable network ACLs.

B. Configure the security appliance's elastic network interface for promiscuous mode.

C. Disable the Network Source/Destination check on the security appliance's elastic network interface.

D. Place the security appliance in the public subnet with the internet gateway.
