Note! Following SCS-C01 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is SCS-C02

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Go to page:

Question # 161

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).

What mechanism will allow the company to implement all required network rules without incurring additional cost?

Configure IAM WAF rules to implement the required rules.

Use the operating system built-in, host-based firewall to implement the required rules.

Use a NAT gateway to control ingress and egress according to the requirements.

Launch an EC2-based firewall product from the IAM Marketplace, and implement the required rules in that product.

Full Access

Question # 162

An IAM account includes two S3 buckets: bucket1 and bucket2. The bucket2 does not have a policy defined, but bucket1 has the following bucket policy:

In addition, the same account has an IAM User named â€œaliceâ€, with the following IAM policy.

Which buckets can user â€œaliceâ€ access?

Bucket1 only

Bucket2 only

Both bucket1 and bucket2

Neither bucket1 nor bucket2

Full Access

Question # 163

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.

Full Access

Question # 164

A Security Engineer who was reviewing IAM Key Management Service (IAM KMS) key policies found this statement in each key policy in the company IAM account.

What does the statement allow?

All principals from all IAM accounts to use the key.

Only the root user from account 111122223333 to use the key.

All principals from account 111122223333 to use the key but only on Amazon S3.

Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Full Access

Question # 165

You have enabled Cloudtrail logs for your company's IAM account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?

Please select:

Enable SSL certificates for the Cloudtrail logs

There is no need to do anything since the logs will already be encrypted

Enable Server side encryption for the trail

Enable Server side encryption for the destination S3 bucket

Full Access

Question # 166

Which approach will generate automated security alerts should too many unauthorized IAM API requests be identified?

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metricâ€™s rate.

Configure IAM CloudTrail to stream event data to Amazon Kinesis. Configure an IAM Lambda function on the stream to alarm when the threshold has been exceeded.

Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.

Use the Amazon Personal Health Dashboard to monitor the accountâ€™s use of IAM services, and raise an alert if service error rates increase.

Full Access

Question # 167

An application outputs logs to a text file. The logs must be continuously monitored for security incidents.

Which design will meet the requirements with MINIMUM effort?

Create a scheduled process to copy the componentâ€™s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Install and configure the Amazon CloudWatch Logs agent on the applicationâ€™s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.

Create a scheduled process to copy the application log files to IAM CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Full Access

Question # 168

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.

Which solution would be MOST secure and easy to maintain?

Use IAM Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

Create a self-signed certificate in one container and use IAM Secrets Manager to distribute the certificate to the other containers to establish trust.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use IAM Certificate Manager to generate the private certificates and deploy them to all the containers.

Full Access

Go to page: