Free Amazon SCS-C01 Exam Dumps and SCS-C01 Exam Questions

Question No: 1

MultipleChoice

A company has an AWS account and allows a third-party contractor who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts

What should the company do to accomplish this?

Options

AOption A

BOption B

COption C

DOption D

Question No: 2

MultipleChoice

A company has multiple AWS accounts that are part of AW5 Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets

How should this be accomplished?

Options

AUseSCPs

BAdd a permissions boundary to deny access to Amazon S3 and attach it to all roles

CUse an S3 bucket policy

DCreate a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3

Question No: 3

MultipleChoice

A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day. API calls to AWS IAM appear in AWS CloudTrail logs In an account under that OU. How should the Security Engineer resolve this issue?

Options

AMove the account to a new OU and deny IAM:* permissions.

BAdd a Deny policy for all non-S3 services at the account level.

CChange the policy to:
{
''Version'': ''2012-10-17'',
''Statement'': [
{
''Sid'': ''AllowS3'',
'Effect': 'Allow',
'Action': 's3:*',
'Resource': '*/*
}
]
}

DDetach the default FullAWSAccess SCP

Question No: 4

MultipleChoice

A company's information security team wants to analyze Amazon EC2 performance and utilization data in the near-real time for anomalies. A Sec Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company's AWS accounts in centralized location to perform the analysis.

How should the Security Engineer do this?

Log in to each account four te a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

Options

ASet up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the security Engineer.

BSet up an AWS Config aggregator to collect AWS configuration data from multiple sources.

CSet up an AWS config aggregator to collect AWS configuration data from multiple sources.

DSet up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Question No: 5

MultipleChoice

A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from IAM across multiple accounts. The security team has enabled IAM CloudTrail and VPC Flow Logs in all of its accounts In addition, the company has an organization in IAM Organizations and has an IAM Security Hub master account.

The security team wants to use Amazon Detective However the security team cannot enable Detective and is unsure why

What must the security team do to enable Detective?

Options

AEnable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

BDisable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

CEnable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

DEnsure that the principal that launches Detective has the organizations ListAccounts permission

Question No: 6

MultipleChoice

A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding IAM roles.

Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Options

AOption A

BOption B

COption C

DOption D

Question No: 7

MultipleChoice

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

Options

AEnsure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

BEnsure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

CEnsure the CMK was created before the S3 bucket.

DEnsure the S3 block public access feature is enabled for the S3 bucket.

EEnsure that automatic key rotation is disabled for the CMK

FEnsure the SCPs within Organizations allow access to the S3 bucket.

Question No: 8

MultipleChoice

A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

Options

AVerify that the log file prefix is set to the name of the S3 bucket where the logs should go.

BVerify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.

CCreate a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.

DConfirm in the CloudTrail Console that each trail is active and healthy.

EOpen the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

FConfirm in the CloudTrail Console that the S3 bucket name is set correctly.

Question No: 9

MultipleChoice

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

* HTTPS needs to be enforced for all data in transit with specific ciphers.

* The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

Options

AOpen inbound port 22 to 0 0.0.0/0 on all Linux servers.

BEnable the advanced-instances tier in Systems Manager.

CCreate a managed-instance activation for the on-premises servers.

DReconfigure the Systems Manager Agent with the activation code and ID.

EAssign an IAM role to all of the on-premises servers.

FInitiate an inventory collection with Systems Manager on the on-premises servers

Question No: 10

MultipleChoice

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive dat

a. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

Options

AA customer managed CMK that uses customer provided key material

BA customer managed CMK that uses AWS provided key material

CAn AWS managed CMK

DOperating system-native encryption that uses GnuPG