SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Your answer is incorrect

Answer -D

The IAM Documentation mentions the following on IAM WAF which can be used to protect Application Load Balancers and Cloud front

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block the following types of requests:

Originate from an IP address or a range of IP addresses

Originate from a specific country or countries

Contain a specified string or match a regular expression (regex) pattern in a particular part of requests

Exceed a specified length

Appear to contain malicious SQL code (known as SQL injection)

Appear to contain malicious scripts (known as cross-site scripting)

Option A is invalid because by default Security Groups have the Deny policy

Options B and C are invalid because these services cannot be used to block IP addresses

For information on IAM WAF, please visit the below URL:

https://docs.IAM.amazon.com/waf/latest/developerguide/web-acl.html

The correct answer is: Use IAM WAF to block the IP addresses

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

IAM Identity and Access Management (IAM) now makes it easier for you to control access to your IAM resources by using the IAM organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, IAM:PrincipalOrglD, in these policies to require all principals accessing the resource to be from an account in the organization

Option B.C and D are invalid because the condition in the bucket policy has to mention IAM:PrincipalOrglD

For more information on controlling access via Organizations, please refer to the below Link:

https://IAM.amazon.com/blogs/security/control-access-to-IAM-resources-by-usins-the-IAM-organization-of-iam-principal

(

The correct answer is: Ensure the bucket policy has a condition which involves IAM:PrincipalOrglD Submit your Feedback/Queries to our Experts

Below is a snapshot of the service limits that the Trusted Advisor can monitor

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because even though you can monitor resources, it cannot be checked against the service limit.

Option B is invalid because this is the Elastic Compute cloud service Option D is invalid because it can be send notification but not check on service limit For more information on the Trusted Advisor monitoring, please visit the below URL:

https://IAM.amazon.com/premiumsupport/ta-faqs >

The correct answer is: IAM Trusted Advisor

Submit your Feedback/Queries to our Experts

You need to ensure that UserB is given access via the Key policy for the Key

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option is invalid because you don't assign roles to IAM users

For more information on Key policies please visit the below Link:

https://docs.IAM.amazon.com/kms/latest/developerguide/key-poli

The correct answer is: Ensure that UserB is given the right permissions in the Key policy

The IAM Documentation mentions the following

Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

All other options are invalid since here you need to ensure the keys are manually rotated since you manage the entire key set Using IAM S3 Server side encryption, IAM will manage the rotation of keys automatically.

For more information on Server side encryption, please visit the following URL:

https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsineServerSideEncryption.htmll

The correct answer is: IAM S3 Server side encryption Submit your Feedback/Queries to our Experts

Tags enable you to categorize your IAM resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define

Options C&D are incorrect because it will not ensure that the employee cannot terminate the instance.

For more information on tagging answer resources please refer to the below URL:

http://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/Usins_Tags.htmll

The correct answers are: Tag the instance with a production-identifying tag and add resource-level permissions to the employe user with an explicit deny on the terminate API call to instances with the production tag.. Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance

Submit your Feedback/Queries to our Experts

This is mentioned clearly as a use case for S3 cross-region replication

You might configure cross-region replication on a bucket for various reasons, including the following:

• Compliance requirements - Although, by default Amazon S3 stores your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store data at even further distances. Cross-region replication allows you to replicate data between distant IAM Regions to satisfy these compliance requirements.

Option A is invalid because Multi-AZ cannot be used to S3 buckets

Option B is invalid because copying it to an EBS volume is not a recommended practice

Option C is invalid because creating snapshots is not possible in S3

For more information on S3 cross-region replication, please visit the following URL:

https://docs.IAM.amazon.com/AmazonS3/latest/dev/crr.htmll

The correct answer is: Enable Cross region replication for the S3 bucket

Submit your Feedback/Queries to our Experts

The CMK keys themselves can only be used for encrypting data that is maximum 4KB in size. Hence it can be used for encryptii information such as passwords and RSA keys.

Option A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data and not large amoui of data. You have to generate the data key from the CMK key in order to encrypt high amounts of data

For more information on the concepts for KMS, please visit the following URL:

https://docs.IAM.amazon.com/kms/latest/developereuide/concepts.htmll

The correct answers are: Password, RSA Keys Submit your Feedback/Queries to our Experts