Amazon SCS-C01 Exam

Certification Provider: Amazon

Exam Name: AWS Certified Security - Specialty

Duration: 170 Minutes

Number of questions in our database: 534

Exam Version: May. 03, 2022

SCS-C01 Exam Official Topics:

Topic 1: An Understanding of Specialized Data Classifications and AWS Data Protection Mechanisms
Topic 2: An Understanding of Data Encryption Methods and AWS Mechanisms to Implement Them
Topic 3: An Understanding of Secure Internet Protocols and AWS Mechanisms to Implement Them
Topic 4: A Working Knowledge of AWS Security Services and Features of Services to Provide a Secure Production Environment
Topic 5: Competency Gained from Two or More Years of Production Deployment Experience Using AWS Security Services and Features
Topic 6: Ability to Make Tradeoff Decisions with Regard to Cost, Security, and Deployment Complexity Given a Set of Application Requirements
Topic 7: An Understanding of Security Operations and Risk

Free Amazon SCS-C01 Exam Actual Questions

The questions for SCS-C01 were last updated On May. 03, 2022

Question #1

A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.

Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

AUpdate the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

BUpdate the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

CAdd a CloudFront geo restriction deny list of countries where the company lacks a license.

DUpdate the S3 bucket policy with a deny list of countries where the company lacks a license.

EEnable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Reveal Solution

Correct Answer: A, C

For Enable Geo-Restriction, choose Yes. For Restriction Type, choose Whitelist to allow access to certain countries, or choose Blacklist to block access from certain countries. https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-geo-restriction/

Question #2

A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athen

a. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

AApply a user policy in the other accounts to allow AWS Glue and Athena lo access the .csv We.

BUse S3 Select to restrict access to the .csv lie. In AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.

CDefine an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.

DGrant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Reveal Solution

Correct Answer: A

Question #3

A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured (or all existing accounts and for any account that is created in the future.

Which set of actions should the security team implement to accomplish this?

ACreate a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

BDeploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

CEdit the existing trail in the Organizations master account and apply it to the organization.

DCreate an SCP to deny the cloudtrail:Delete' and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Reveal Solution

Correct Answer: C

Question #4

A company's cloud operations team is responsible for building effective security for AWS cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:

Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

AAsk the developers to change their password and use a different web browser.

BEnsure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

CModify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.

DUpdate the trust relationship policy on the production account S3 role to allow the account number of the developer account.

EUpdate the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Reveal Solution

Correct Answer: A, D

Question #5

A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.

Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.

Which solution meets these requirements?

AUse AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

BCreate a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the
Attach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

CUse AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit
gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

DEnable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Reveal Solution

Correct Answer: C

Unlock all SCS-C01 Exam Questions with Advanced Practice Test Features:

Select Question Types you want
Set your Desired Pass Percentage
Allocate Time (Hours : Minutes)
Create Multiple Practice tests with Limited Questions
Customer Support

Get Full Access Now

Disscuss Amazon SCS-C01 Topics, Questions or Ask Anything Related

Submit Cancel