Note: The SCS-C01 exam is now retired. Please select the replacement exam for your certification. The new exam code is SCS-C02.

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Question # 153

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

Which solution would remediate the audit finding while minimizing the effort required?

A. Upload an SSL certificate to AWS, and configure Amazon CloudFront with the passphrase for the private key.

B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.

C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancer in front of the web service's servers.

D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.

Question # 154

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use IAM principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.

What is the MOST efficient way to manage access control for the KMS CMK?

A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Question # 155

A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.

Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)

A. Create IAM roles with permissions corresponding to each Active Directory group.

B. Create IAM groups with permissions corresponding to each Active Directory group.

C. Configure Amazon Cloud Directory to support a SAML provider.

D. Configure Active Directory to add a relying party trust between Active Directory and AWS.

E. Configure Amazon Cognito to add a relying party trust between Active Directory and AWS.

Question # 156

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.

What could have been done to detect and automatically remediate the incident?

A. Using Amazon Inspector, review all of the API calls and configure the Inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.

B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.

D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Question # 157

The Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.

What steps are necessary to identify the cause of this phenomenon? (Choose two.)

A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.

B. Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming.

C. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

D. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

E. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

Question # 158

An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.

Which configuration will ensure continued connectivity between sites MOST securely?

A. VPN and a cached storage gateway

B. AWS Snowball Edge

C. VPN Gateway over AWS Direct Connect

D. AWS Direct Connect

Question # 159

A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.

How can the Administrator restrict usage of member root user accounts across the organization?

A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

B. Configure IAM user policies to restrict root account capabilities for each Organizations member account.

C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

Question # 160

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.

Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

A. The CMK policy

B. The VPC endpoint policy

C. The S3 bucket policy

D. The S3 ACL

E. The IAM policy
