Download Free Amazon SCS-C01 Exam Questions & Answer [Q94-Q109]

NEW QUESTION 94
You have a requirement to serve private content using the key pairs available with CloudFront. How can this be achieved?
Please select:

  • A. Add the keys to the S3 bucket
  • B. Add the keys to the backend distribution.
  • C. Use AWS Access keys
  • D. Create pre-signed URLs

Answer: D

Explanation:
Options A and B are invalid because you do not add keys to either the backend distribution or the S3 bucket.
Option C is invalid because AWS access keys are used for programmatic access to AWS resources.
You can use CloudFront key pairs to create a trusted pre-signed URL which can be distributed to users.
Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers) covers the following topics:
* Creating CloudFront Key Pairs for Your Trusted Signers
* Reformatting the CloudFront Private Key (.NET and Java Only)
* Adding Trusted Signers to Your Distribution
* Verifying that Trusted Signers Are Active (Optional)
* Rotating CloudFront Key Pairs
To create signed URLs or signed cookies, you need at least one AWS account that has an active CloudFront key pair. This account is known as a trusted signer. The trusted signer has two purposes:
* As soon as you add the AWS account ID for your trusted signer to your distribution, CloudFront starts to require that users use signed URLs or signed cookies to access your objects.
* When you create signed URLs or signed cookies, you use the private key from the trusted signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted object, CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that the URL or cookie hasn't been tampered with. CloudFront also verifies that the URL or cookie is valid, meaning, for example, that the expiration date and time hasn't passed.
For more information on CloudFront private content and trusted signers, please visit the following URL:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-s
The correct answer is: Create pre-signed URLs

NEW QUESTION 95
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below.
Please select:

  • A. Encrypt the object with a KMS key controlled by the company.
  • B. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
  • C. Upload the file to the company's S3 bucket
  • D. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
  • E. Add a grant to the object's ACL giving full permissions to the bucket owner.

Answer: C,E

Explanation:
This scenario is given in the AWS documentation:
A bucket owner can enable other AWS accounts to upload objects. These objects are owned by the accounts that created them. The bucket owner does not own objects that were not created by the bucket owner. Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner using an object ACL. The bucket owner can then delegate those permissions via a bucket policy. In this example, the bucket owner delegates permission to users in its own account.

Options B and D are invalid because bucket-level grants apply to the bucket itself, not to objects the bucket owner does not own. Option A is not required since encryption is not part of the requirement.
For more information on this scenario please see the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to the bucket owner; Upload the file to the company's S3 bucket

NEW QUESTION 96
An application is designed to run on an EC2 instance. The application needs to work with an S3 bucket. From a security perspective, what is the ideal way for the EC2 instance/application to be configured?
Please select:

  • A. Assign an IAM Role and assign it to the EC2 Instance
  • B. Use the AWS access keys ensuring that they are frequently rotated.
  • C. Assign an IAM group and assign it to the EC2 Instance
  • D. Assign an IAM user to the application that has specific access to only that S3 bucket

Answer: A

Explanation:
The diagram in the AWS whitepaper shows the security best practice of allocating a role that has access to the S3 bucket.

Options B, C and D are invalid because using users, groups or access keys is not a valid security practice when giving access to resources from other AWS resources.
For more information on the Security Best Practices, please visit the following URL:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Assign an IAM Role and assign it to the EC2 Instance

NEW QUESTION 97
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

  • A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  • B. Add an IAM policy for the Developer, which grants S3 access.
  • C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
  • D. Add an allow list for the Developer account for the S3 service.

Answer: B

NEW QUESTION 98
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.
Which solution meets these requirements?

  • A. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
  • B. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.
  • C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
  • D. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.

Answer: C

NEW QUESTION 99
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?

  • A. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
  • B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
  • C. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
  • D. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.

Answer: C

Explanation:
https://aws.amazon.com/blogs/aws/cloudwatch-log-service/

NEW QUESTION 100
A company's information security team wants to analyze Amazon EC2 performance and utilization data in near real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company's AWS accounts in a centralized location to perform the analysis.
How should the Security Engineer do this?
Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs into the Amazon S3 bucket in the destination account.

  • A. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.
  • B. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
  • C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
  • D. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

Answer: D

NEW QUESTION 101
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.
Please select:

  • A. Use AWS Systems Manager to encrypt the existing EBS volumes
  • B. Use Windows BitLocker for EBS volumes on Windows instances
  • C. Use TrueEncrypt for EBS volumes on Linux instances
  • D. Boot EBS volume can be encrypted during launch without using a custom AMI

Answer: B,C

Explanation:
EBS encryption can also be enabled when the volume is created, but not for existing volumes. One can use existing tools for OS-level encryption.
Option A is incorrect. AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.
Option D is incorrect. You cannot choose to encrypt a non-encrypted boot volume on instance launch. To have encrypted boot volumes during launch, your custom AMI must have its boot volume encrypted before launch.
For more information on the Security Best Practices, please visit the following URL:
.com/whit Security Practices.
The correct answers are: Use Windows BitLocker for EBS volumes on Windows instances; Use TrueEncrypt for EBS volumes on Linux instances

NEW QUESTION 102
You have an EC2 instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfil this requirement, keeping security in perspective?
Please select:

  • A. Use a VPC endpoint
  • B. Attach a VPN connection to the VPC
  • C. Use VPC Peering
  • D. Attach an Internet gateway to the subnet

Answer: A

Explanation:
The AWS documentation mentions the following:
You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
Option D is invalid because an Internet gateway could expose the instance to threats from the internet.
Option B is invalid because a VPN connection is normally used for communication between on-premises environments and AWS.
Option C is invalid because VPC peering is normally used for communication between VPCs.
For more information on accessing KMS via an endpoint, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
The correct answer is: Use a VPC endpoint

NEW QUESTION 103
One of your company's EC2 instances has been compromised. The company has strict policies requiring a thorough investigation to find the culprit for the security breach. What would you do in this situation, from the options given below?
Please select:

  • A. Ensure all passwords for all IAM users are changed
  • B. Isolate the machine from the network
  • C. Make sure that logs are stored securely for auditing and troubleshooting purposes
  • D. Ensure that all access keys are rotated.
  • E. Take a snapshot of the EBS volume

Answer: B,C,E

Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur on other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we already have logs and we need to make sure that they are stored securely so that no unauthorised person can access or manipulate them.
Options A and D are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note:
In the question we have been asked to take actions to find the culprit, to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume; Isolate the machine from the network; Make sure that logs are stored securely for auditing and troubleshooting purposes

NEW QUESTION 104
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert on this behavior?

  • A. GuardDuty does not report on command-and-control activity.
  • B. GuardDuty does not see these DNS requests.
  • C. GuardDuty only monitors active network traffic flow for command-and-control activity.
  • D. GuardDuty did not have the appropriate alerts activated.

Answer: C

NEW QUESTION 105
A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.
How can this be accomplished? (Choose two.)

  • A. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.
  • B. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.
  • C. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
  • D. Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.
  • E. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Answer: C,D

NEW QUESTION 106
Your company uses AWS to host its resources. They have the following requirements:
1) Record all API calls and transitions
2) Help in understanding what resources are there in the account
3) Facility to allow auditing credentials and logins
Which services would suffice the above requirements?
Please select:

  • A. AWS SQS, IAM Credential Reports, CloudTrail
  • B. CloudTrail, AWS Config, IAM Credential Reports
  • C. AWS Inspector, CloudTrail, IAM Credential Reports
  • D. CloudTrail, IAM Credential Reports, AWS SNS

Answer: B

Explanation:
You can use AWS CloudTrail to get a history of AWS API calls and related events for your account. This history includes calls made with the AWS Management Console, AWS Command Line Interface, AWS SDKs, and other AWS services.
Options A, C and D are invalid because you need to ensure that you use the services CloudTrail, AWS Config and IAM Credential Reports.
For more information on CloudTrail, please visit the below URL:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
AWS Config is a service that enables you to assess, audit and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management and operational troubleshooting.
For more information on the Config service, please visit the below URL:
https://aws.amazon.com/config/
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the AWS Management Console, the AWS SDKs and Command Line Tools, or the IAM API.
For more information on Credential Reports, please visit the below URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
The correct answer is: CloudTrail, AWS Config, IAM Credential Reports

NEW QUESTION 107
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which action should the Engineer take based on this situation? (Choose three.)

  • A. Run Auto Recovery for Amazon EC2.
  • B. Use AWS Artifact to capture an exact image of the state of each instance.
  • C. Log in to each instance with administrative credentials to restart the instance.
  • D. Create EBS Snapshots of each of the volumes attached to the compromised instances.
  • E. Capture a memory dump.
  • F. Revoke all network ingress and egress except for to/from a forensics.

Answer: B,D,E

NEW QUESTION 108
Your company hosts a large number of EC2 instances in AWS. There are strict security rules governing the EC2 instances. During a potential security breach, you need to ensure a quick investigation of the underlying EC2 instance. Which of the following services can help you quickly provision a test environment to look into the breached instance?
Please select:

  • A. AWS Config
  • B. AWS CloudFormation
  • C. AWS CloudWatch
  • D. AWS CloudTrail

Answer: B

Explanation:
The AWS Security best practices mention the following:
Unique to AWS, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident. This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.
Option A is incorrect since AWS Config is a configuration service and cannot be used to provision a test environment.
Option C is incorrect since CloudWatch is a logging service and cannot be used to provision a test environment.
Option D is incorrect since CloudTrail is an API logging service and cannot be used to provision a test environment.
For more information on AWS Security best practices, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
The correct answer is: AWS CloudFormation

NEW QUESTION 109
......
