Free Amazon SCS-C01 Exam Dumps and SCS-C01 Exam Questions

Question No: 1

MultipleChoice

A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from IAM across multiple accounts. The security team has enabled IAM CloudTrail and VPC Flow Logs in all of its accounts In addition, the company has an organization in IAM Organizations and has an IAM Security Hub master account.

The security team wants to use Amazon Detective However the security team cannot enable Detective and is unsure why

What must the security team do to enable Detective?

Options

AEnable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

BDisable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

CEnable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

DEnsure that the principal that launches Detective has the organizations ListAccounts permission

Question No: 2

MultipleChoice

A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

A.

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

B.

For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding IAM roles.

C.

Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

D.

Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Options

AOption A

BOption B

COption C

DOption D

Question No: 3

MultipleChoice

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

Options

AEnsure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

BEnsure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

CEnsure the CMK was created before the S3 bucket.

DEnsure the S3 block public access feature is enabled for the S3 bucket.

EEnsure that automatic key rotation is disabled for the CMK

FEnsure the SCPs within Organizations allow access to the S3 bucket.

Question No: 4

MultipleChoice

A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

Options

AVerify that the log file prefix is set to the name of the S3 bucket where the logs should go.

BVerify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.

CCreate a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.

DConfirm in the CloudTrail Console that each trail is active and healthy.

EOpen the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

FConfirm in the CloudTrail Console that the S3 bucket name is set correctly.

Question No: 5

MultipleChoice

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

* HTTPS needs to be enforced for all data in transit with specific ciphers.

* The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

Options

AOpen inbound port 22 to 0 0.0.0/0 on all Linux servers.

BEnable the advanced-instances tier in Systems Manager.

CCreate a managed-instance activation for the on-premises servers.

DReconfigure the Systems Manager Agent with the activation code and ID.

EAssign an IAM role to all of the on-premises servers.

FInitiate an inventory collection with Systems Manager on the on-premises servers

Question No: 6

MultipleChoice

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive dat

a. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

Options

AA customer managed CMK that uses customer provided key material

BA customer managed CMK that uses AWS provided key material

CAn AWS managed CMK

DOperating system-native encryption that uses GnuPG

Question No: 7

MultipleChoice

Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all 1AM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?

Please select:

Options

ACreate a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

BCreate a Service Control Policy that denies access to the services. Apply the policy to the root account.

CCreate an 1AM policy that denies access to the services. Associate the policy with an 1AM group and enlist all users and the root users in this group.

DCreate an 1AM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.

Question No: 8

MultipleChoice

An organization has setup multiple 1AM users. The organization wants that each 1AM user accesses the 1AM console only within the organization and not from outside. How can it achieve this?

Please select:

Options

ACreate an 1AM policy with the security group and use that security group for AWS console login

BCreate an 1AM policy with a condition which denies access when the IP address range is not from the organization

CConfigure the EC2 instance security group which allows traffic only from the organization's IP range

DCreate an 1AM policy with VPC and allow a secure gateway between the organization and AWS Console

Question No: 9

MultipleChoice

Attach the following SCP to the OU that contains this account:

Options

AIn the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.

BOption

CFor each finding In the audit report, run the ec2 copy-snapshot command and use the encrypted flag specifying an AWS Key Management Service (AWS KMS) CMK

DCreate a private AMI for the company Configure encryption for the private AMI by selecting the custom AMI in the Amazon EC2 console, the destination AWS Region and the source account s AWS Key Management Service (AWS KMS) master key.

Question No: 10

MultipleChoice

A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret

Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.

Add the following statement to the container instance IAM role policy

Add the following statement to the execution role policy.

Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Options

AOption A

BOption B

COption C

DOption D

EOption E

FOption F