SCS-C01 Exam Dumps - AWS Certified Security - Specialty

"To turn off access to instance metadata on an existing instance....." https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/configuring-instance-metadata-service.html You can disable the service for existing (running or stopped) ec2 instances. https://docs. IAM.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

The IAM Documentation mentions the following

All IAM accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you cant restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create IAM Identity and Access Management (IAM) user credentials for everyday interaction with IAM.

Option A is incorrect since you cannot delete the root access account

Option C is partially correct but cannot be used as the ideal solution for safeguarding the account

For more information on root access vs admin IAM users, please refer to below URL:

https://docs.IAM.amazon.com/eeneral/latest/er/root-vs-iam.html

The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys Submit your Feedback/Queries to our Experts

Create a Direct Connect connection so that corporate users can access the IAM account

Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.

Option C is incorrect because Lambda functions is an incorrect option to assign roles.

Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.

For more information on Direct Connect, please refer to below URL:

' https://IAM.amazon.com/directconnect/

From the IAM Documentation, for federated access, you also need to ensure the right policy permissions are in place

Configure permissions in IAM for your federated users

The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in IAM. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the IAM Management Console. The trust policy for the role might look like this:

C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on SAML federation, please refer to below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli

Note:

What directories can I use with IAM SSO?

You can connect IAM SSO to Microsoft Active Directory, running either on-premises or in the IAM Cloud. IAM SSO supports IAM Directory Service for Microsoft Active Directory, also known as IAM Managed Microsoft AD, and AD Connector. IAM SSO does not support Simple AD. See IAM Directory Service Getting Started to learn more.

To connect to your on-premises directory with AD Connector, you need the following:

VPC

Set up a VPC with the following:

• At least two subnets. Each of the subnets must be in a different Availability Zone.

• The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or IAM Direct

Connect.

• The VPC must have default hardware tenancy.

• https://IAM.amazon.com/single-sign-on/

• https://IAM.amazon.com/single-sign-on/faqs/

• https://IAM.amazon.com/bloj using-corporate-credentials/

• https://docs.IAM.amazon.com/directoryservice/latest/admin-

The correct answers are: Create a Direct Connect connection between on-premise network and IAM. Use an AD connector connecting IAM with on-premise active directory.. Create an IAM role that establishes a trust relationship between IAM and corporate directory identity provider (IdP)

Submit your Feedback/Queries to our Experts

This is given in the IAM Documentation Creating a Key Pair

You can use Amazon EC2 to create your key pair. For more information, see Creating a Key Pair Using Amazon EC2.

Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. For more information, see Importing Your Own Public Key to Amazon EC2.

Option B is Correct, because you can use the IAM CLI to create a new key pair 1 https://docs.IAM.amazon.com/cli/latest/userguide/cli-ec2-keypairs.html

Option D is invalid because the public key needs to be stored in the EC2 Instance For more information on EC2 Key pairs, please visit the below URL:

* https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/ec2-key-pairs

The correct answers are: Use a third party tool to create the Key pair. Create a new key pair using the IAM CLI, Import the public key into EC2

Submit your Feedback/Queries to our Experts

The policy consists of 2 statements, one is the allow for the user mark to the bucket and the next is the deny policy for all other users. The deny permission will override the allow and hence all users will not have access to the bucket.

Options A,B and D are all invalid because this policy is used to deny all access to the bucket mybucket

For examples on S3 bucket policies, please refer to the below Link:

http://docs.IAM.amazon.com/AmazonS3/latest/dev/example-bucket-policies.htmll

The correct answer is: It will deny all access to the bucket mybucket

Submit your FeedbacK/Quenes to our Experts

When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option D is invalid because as per the dashboard, this is not part of the security recommendation For more information on best security practices please visit the URL:

https://IAM.amazon.com/whitepapers/IAM-security-best-practices;

The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users. Assign IAM users and groups configured with policies granting least privilege access

Submit your Feedback/Queries to our Experts