Note! Following SCS-C01 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is SCS-C02

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 9

A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret

Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.

Add the following statement to the container instance IAM role policy

Add the following statement to the execution role policy.

Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Full Access

Question # 10

A Security Engineer manages IAM Organizations for a company. The Engineer would like to restrict IAM usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day. API calls to IAM IAM appear in IAM CloudTrail logs In an account under that OU. How should the Security Engineer resolve this issue?

Move the account to a new OU and deny IAM:* permissions.

Add a Deny policy for all non-S3 services at the account level.

Change the policy to:

{

â€œVersionâ€: â€œ2012-10-17â€,

â€œStatementâ€: [

{

â€œSidâ€: â€œAllowS3â€,

"Effect": "Allow",

"Action": "s3:*",

"Resource": "*/*Â»

}

]

}

Detach the default FullIAMAccess SCP

Full Access

Question # 11

An organization policy states that all encryption keys must be automatically rotated every 12 months.

Which IAM Key Management Service (KMS) key type should be used to meet this requirement?

IAM managed Customer Master Key (CMK)

Customer managed CMK with IAM generated key material

Customer managed CMK with imported key material

IAM managed data key

Full Access

Question # 12

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties

Which combination of actions will meet this requirement? (Select THREE.)

Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)

Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)

Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint

Use the Amazon S3 Block Public Access feature.

Configure the bucket policy to allow access from the application instances only

Use a NACL to filter traffic to Amazon S3

Full Access

Question # 13

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident. EBS snapshots of suspicious instances are shared to a forensics account for analysis A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error

"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared.

Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE )

Create a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

Allow forensics accounting principals to use the CMK by modifying its policy.

Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

Copy the EBS snapshot to the new decrypted snapshot

Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

Share the target EBS snapshot with the forensics account.

Full Access

Question # 14

A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its IAM accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

When coma nation of the following would satisfy these requirements? (Select TWO)

Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM

Establish network connectivity between on-premises and the user's VPC

Use Amazon Cognito user pools for application authentication

Use AD Connector tor application authentication.

Set up federated sign-in to IAM through ADFS and SAML.

Full Access

Question # 15

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks

The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.

What is the simplest and MOST effective way to protect the content?

Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.

Full Access

Question # 16

A company's development team is designing an application using IAM Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's IAM services. The solution must minimize management overhead.

How should the security team prevent privilege escalation for both teams?

Enable IAM CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.

Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.

Enable IAM Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team

Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.

Full Access

Go to page: