SCS-C01 Exam Dumps - AWS Certified Security - Specialty

IAM CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your IAM account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your IAM infrastructure. CloudTrail provides a history of IAM API calls for your account including API calls made through the IAM Management Console, IAM SDKs, command line tools, and other IAM services. This history simplifies security analysis, resource change tracking, and troubleshooting.

Option A and C are incorrect since Cloudtrail needs to be used as part of the solution

Option B is incorrect since the auditor needs to have access to Cloudtrail

For more information on cloudtrail, please visit the below URL:

https://IAM.amazon.com/cloudtraiL

The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required IAM resources, including the bucket containing the CloudTrail logs.

Submit your Feedback/Queries to our Experts

As an administrator of the master account of an organization, you can restrict which IAM services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When IAM Organizations blocks access to a service or API action for a member account a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions.

Option B is invalid because service policies cannot be assigned to the root account at the account level.

Option C and D are invalid because IAM policies alone at the account level would not be able to suffice the requirement

For more information, please visit the below URL

id=docs_orgs_console

https://docs.IAM.amazon.com/IAM/latest/UserGi

manage attach-policy.html

The correct answer is: Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit

Submit your Feedback/Queries to our Experts

Tags enable you to categorize your IAM resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you've assigned to it

Option A is invalid because this is not a recommended practices

Option B is invalid because this is an overhead to maintain this in policies

Option C is invalid because the instance type will not resolve the requirement

For information on resource tagging, please visit the below URL:

http://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/Usine_Tags.htmll

The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags

Submit your Feedback/Queries to our Experts

The enc

config rule for IAM Config can be used to check for unencrypted volumes.

encrypted-volurrn

5 volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryptio using the kmsld parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key*1.

Options A and C are incorrect since these services cannot be used to check for unencrypted EBS volumes

Option D is incorrect because even though this is possible, trying to implement the solution alone with just the Lambda servk

would be too difficult

For more information on IAM Config and encrypted volumes, please refer to below URL:

• https://docs.IAM.amazon.com/config/latest/developerguide/encrypted-volumes.html

Submit your Feedback/Queries to our Experts

The IAM blogs mention the following to support the use of IAM GuardDuty

GuardDuty voraciously consumes multiple data streams, including several threat intelligence feeds, staying aware of malicious addresses, devious domains, and more importantly, learning to accurately identify malicious or unauthorized behavior in your IAM accounts. In combination with information gleaned from your VPC Flow Logs, IAM CloudTrail Event Logs, and DNS logs, th allows GuardDuty to detect many different types of dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations. On the IAM side, it looks for suspicious IAM account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to IAM API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency.

Options A, B and C are invalid because these services cannot be used to detect port scans

For more information on IAM Guard Duty, please refer to the below Link:

https://IAM.amazon.com/blogs/IAM/amazon-guardduty-continuous-security-monitoring-threat-detection;

(

The correct answer is: Use IAM Guard Duty to monitor any malicious port scans Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can tat either instance IDs or Amazon EC2 tags and execute the IAM-RefreshAssociation document or the IAM-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem

Options A and B are invalid because even though this is possible, still from a maintenance perspective it would be difficult to maintain the Lambda functions

Option C is invalid because this service cannot be used to patch servers

For more information on using Systems Manager for compliance remediation please visit the below Link:

https://docs.IAM.amazon.com/systems-manaeer/latest/usereuide/sysman-compliance-fixing.html

The correct answer is: Use IAM Systems Manager to patch the servers Submit your Feedback/Queries to our Experts

The below table from IAM shows the security capabilities of IAM Cloudfront IAM Cloudfront is more prominent for DDoS attacks.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A,B and D are invalid because Cloudfront is specifically used to protect sites against DDoS attacks For more information on security with Cloudfront, please refer to the below Link:

https://d1.IAMstatic.com/whitepapers/Security/Secure content delivery with CloudFront whitepaper.pdi

The correct answer is: DDoS attacks

Submit your Feedback/Queries to our Experts

Option A and B are invalid because you will not add keys to either the backend distribution or the S3 bucket.

Option D is invalid because this is used for programmatic access to IAM resources

You can use Cloudfront key pairs to create a trusted pre-signed URL which can be distributed to users

Specifying the IAM Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers)

Topics

• Creating CloudFront Key Pairs for Your Trusted Signers

• Reformatting the CloudFront Private Key (.NET and Java Only)

• Adding Trusted Signers to Your Distribution

• Verifying that Trusted Signers Are Active (Optional) 1 Rotating CloudFront Key Pairs

To create signed URLs or signed cookies, you need at least one IAM account that has an active CloudFront key pair. This accou is known as a trusted signer. The trusted signer has two purposes:

• As soon as you add the IAM account ID for your trusted signer to your distribution, CloudFront starts to require that users us signed URLs or signed cookies to access your objects.

' When you create signed URLs or signed cookies, you use the private key from the trusted signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted object CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that the URL or cookie hasn't been tampered with. CloudFront also verifies that the URL or cookie is valid, meaning, for example, that the expiration date and time hasn't passed.

For more information on Cloudfront private trusted content please visit the following URL:

• https://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-s

The correct answer is: Create pre-signed URL's Submit your Feedback/Queries to our Experts