
Note! Following SCS-C01 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is SCS-C02

SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Question # 25

A company's information security team wants to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To perform the analysis, the engineer needs to gather logs from all of the company's AWS accounts in a single place.

How should the Security Engineer go about doing this?

A.

Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs into the Amazon S3 bucket in the destination account.

B.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

C.

Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.

D.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Question # 26

A developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an AWS KMS customer master key (CMK) supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

A.

The developer must configure Lambda access to the VPC using the --vpc-config parameter.

B.

The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.

C.

The KMS key policy must allow permissions for the developer to use the KMS key.

D.

The AWS IAM policy assigned to the developer must have the kms:GenerateDataKey permission added.

E.

The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.

Question # 27

A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

A.

Create an AWS Config rule defining the patch as a required configuration for EC2 instances.

B.

Use the AWS Systems Manager Run Command to patch affected instances.

C.

Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances.

D.

Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch.

Question # 28

A financial institution has the following security requirements:

  • Cloud-based users must be contained in a separate authentication domain.
  • Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

A.

Configure an AWS Managed Microsoft AD to manage the cloud resources.

B.

Configure an additional on-premises Active Directory service to manage the cloud resources.

C.

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

D.

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

E.

Establish a two-way trust between the new and existing Active Directory services.

Question # 29

A company's Security Officer is concerned about the risk of AWS account root user logins and has assigned a Security Engineer to implement a notification solution for near-real-time alerts upon account root user logins.

How should the Security Engineer meet these requirements?

A.

Create a cron job that runs a script to download the AWS IAM security credentials file, parse the file for account root user logins, and email the Security team's distribution list.

B.

Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the Security team's distribution list.

C.

Save AWS CloudTrail logs to an Amazon S3 bucket in the Security team's account. Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins. Send an Amazon SNS notification to the Security team upon encountering the account root user login events.

D.

Save VPC Flow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solution for account root user logins. Send an Amazon SNS notification to the Security team upon encountering the account root user login events.

Question # 30

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE.)

A.

Default AWS Certificate Manager certificate

B.

Custom SSL certificate stored in AWS KMS

C.

Default CloudFront certificate

D.

Custom SSL certificate stored in AWS Certificate Manager

E.

Default SSL certificate stored in AWS Secrets Manager

F.

Custom SSL certificate stored in AWS IAM

Question # 31

A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.

Which action should the Security Engineer take to allow communication over the public IP addresses?

A.

Associate the instances to the same security groups.

B.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

C.

Add the instance IDs to the ingress rules of the instance security groups.

D.

Add the public IP addresses to the ingress rules of the instance security groups.

Question # 32

A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.

How can the Engineer perform the key rotation process MOST efficiently?

A.

Create a new CMK, and redirect the existing key alias to the new CMK.

B.

Select the option to auto-rotate the key.

C.

Upload new key material into the existing CMK.

D.

Create a new CMK, and change the application to point to the new CMK.
