SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Option B is incorrect because querying Trusted Advisor API's are not possible

Option C is incorrect because GuardDuty should be used to detect threats and not check the compliance of security protocols.

Option D states that Run Amazon Inspector using runtime behavior analysis rules which will analyze the behavior of your instances during an assessment run, and provide guidance about how to make your EC2 instances more secure.

Insecure Server Protocols

This rule helps determine whether your EC2 instances allow support for insecure and unencrypted ports/services such as FTP, Telnet HTTP, IMAP, POP version 3, SMTP, SNMP versions 1 and 2, rsh, and rlogin.

For more information, please refer to below URL: https://docs.IAM.amazon.eom/mspector/latest/userguide/inspector_runtime-behavior-analysis.html#insecure-protocols

(

The correct answer is: Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users ca sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

Option B is incorrect since this is used for identity federation

Option C is incorrect since this is pure Identity and Access management

Option D is incorrect since IAM is a configuration service

For more information on IAM Cognito please refer to the below Link:

https://docs.IAM.amazon.com/coenito/latest/developerguide/what-is-amazon-cognito.html

The correct answer is: IAM Cognito

Submit your Feedback/Queries to our Experts

All objects and buckets by default are private. The pre-signed URLs are useful if you want your user/customer to be able upload a specific object to your bucket but you don't require them to have IAM security credentials or permissions. When you create a pre-signed URL, you must provide your security credentials, specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time. The pre-signed URLs are valid only for the specified duration.

Option B is invalid because this would be too difficult to implement at a user level.

Option C is invalid because this is not possible

Option D is invalid because this is used to serve private content via Cloudfront

For more information on pre-signed urls, please refer to the Link:

http://docs.IAM.amazon.com/AmazonS3/latest/dev/PresienedUrlUploadObiect.htmll

The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content Submit your Feedback/Queries to our Experts

Trusted Advisor checks for compliance with the following security recommendations:

Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet) 3389 (RDP), and 5500 (VNQ.

Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), Oracle (1521) and 5432 (PostgreSQL).

Option A is partially correct but then you would need to write custom rules for this. The IAM trusted advisor can give you all o these checks on its dashboard

Option C is incorrect. Amazon Inspector needs a software agent to be installed on all EC2 instances that are included in th.

assessment target, the security of which you want to evaluate with Amazon Inspector. It monitors the behavior of the EC2

instance on which it is installed, including network, file system, and process activity, and collects a wide set of behavior and

configuration data (telemetry), which it then passes to the Amazon Inspector service.

Our question's requirement is to choose a choice that is easy to implement. Hence Trusted Advisor is more appropriate for this )

question.

Options D is invalid because this service dont provide these details.

For more information on the Trusted Advisor, please visit the following URL

https://IAM.amazon.com/premiumsupport/trustedadvisor >

The correct answer is: IAM Trusted Advisor Submit your Feedback/Queries to our Experts

A recommendation for this is given in the IAM Security best practices

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is incorrect since this would be applicable for resources in a VPC Options B and C are incorrect since operationally it would be difficult to manage For more information on IAM Security best practices please refer to the below URL

https://d1.IAMstatic.com/whitepapers/Security/IAM Security Best Practices.pdl

The correct answer is: Use multiple IAM accounts, each account for each department Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.

Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.

Options A and D are incorrect since you should use key pairs for secure access to Ec2 Instances

For more information on EC2 key pairs, please refer to below URL:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/ec2-key-pairs.html

The correct answers are: Create a key pair using putty. Use the private key to log into the instance

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions some key aspects with regards to the configuration of On-premise AD with IAM

One is the Groups configuration in AD

Active Directory Configuration

Determining how you will create and delineate your AD groups and IAM roles in IAM is crucial to how you secure access to your account and manage resources. SAML assertions to the IAM environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name to an IAM IAM role.

One approach for creating the AD groups that uniquely identify the IAM IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, IAM-, as this will distinguish your IAM groups from others within the organization. Next include the 12-digitIAM account number. Finally, add the matching role name within the IAM account. Here is an example:

C:\Users\wk\Desktop\mudassar\Untitled.jpg

And next is the configuration of the relying party which is IAM

ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.

Option B is invalid because AD groups should not be matched to IAM Groups

Option C is invalid because the relying party should be configured in Active Directory Federation services

For more information on the federated access, please visit the following URL:

1 https://IAM.amazon.com/blogs/security/IAM-federated-authentication-with-active-directory-federation-services-ad-fs/

The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure IAM as the relying party in Active Directory Federation services

Submit your Feedback/Queries to our Experts

Option A ,B and D are all invalid because the metadata will not be encrypted in any case and this is a key requirement from the question.

One key thing to note is that when the S3 bucket objects are encrypted, the meta data is not encrypted. So the best option is to use an encrypted DynamoDB table

Important

All GET and PUT requests for an object protected by IAM KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted. For more information on using KMS encryption for S3, please refer to below URL: 1 https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

The correct answer is: Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time. Submit your Feedback/Queries to our Experts