Free Amazon SCS-C01 Exam Dumps and SCS-C01 Exam Questions

Question No: 11

MultipleChoice

A company has several workloads running on AWS Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console Developers migrated an existing legacy web application to an Amazon EC2 instance Employees need to access this application from anywhere on the internet but currently, mere is no authentication system but into the application.

How should the Security Engineer implement employee-only access to this system without changing the application?

Options

APlace the application behind an Application Load Balancer (ALB) Use Amazon Cognito as authentication (or the ALB Define a SAML-based Amazon Cognito user pool and connect it to ADFS
implement AWS SSO in the master account and link it to ADFS as an identity provide' Define the EC2 instance as a managed resource, then apply an IAM policy on the resource

BDefine an Amazon Cognito identity pool then install the connector on the Active Directory server Use the Amazon Cognito SDK on the application instance to authenticate the employees using their C. Active Directory user names and passwords

DCreate an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2 Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Question No: 12

MultipleChoice

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

* HTTPS needs to be enforced for all data in transit with specific ciphers.

* The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

Set up an S3 bucket policy with the awssecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.

Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

Options

AOpen inbound port 22 to 0 0.0.0/0 on all Linux servers.

BEnable the advanced-instances tier in Systems Manager.

CCreate a managed-instance activation for the on-premises servers.

DReconfigure the Systems Manager Agent with the activation code and ID.

EAssign an IAM role to all of the on-premises servers.

FInitiate an inventory collection with Systems Manager on the on-premises servers

Question No: 13

MultipleChoice

Auditors tor a health care company have mandated mat all data volumes be encrypted at rest Infrastructure is deployed mainly via AWS CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

Options

AOn a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

BConfigure an AWS Config rule lo run on a recurring basis 'or volume encryption

CSet up Amazon Inspector rules tor volume encryption to run on a recurring schedule

DUse CloudWatch Logs to determine whether instances were created with an encrypted volume

Question No: 14

MultipleChoice

A company created an AWS account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual 1AM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

Options

AFor each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding 1AM roles.

BFor each team create an 1AM policy similar to the one that follows Populate the aws TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding 1AM roles.

CTag each 1AM role with a Team lag key. and use the team name in the tag value. Create an 1AM policy similar to the one that follows, and attach 4 to all the 1AM roles used by developers.

DTag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Question No: 15

MultipleChoice

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

* Encryption in transit

* Encryption at rest

* Logging of all object retrievals in AWS CloudTrail

Which of the following meet these security requirements? (Choose three.)

Options

ASpecify ''aws:SecureTransport'': ''true'' within a condition in the S3 bucket policy.

BEnable a security group for the S3 bucket that allows port 443, but not port 80.

CSet up default encryption for the S3 bucket.

DEnable Amazon CloudWatch Logs for the AWS account.

EEnable API logging of data events for all S3 objects.

FEnable S3 object versioning for the S3 bucket.

Question No: 16

MultipleChoice

A financial institution has the following security requirements:

* Cloud-based users must be contained in a separate authentication domain.

* Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

Options

AConfigure an AWS Managed Microsoft AD to manage the cloud resources.

BConfigure an additional on-premises Active Directory service to manage the cloud resources.

CEstablish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

DEstablish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

EEstablish a two-way trust between the new and existing Active Directory services.

Question No: 17

MultipleChoice

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture:

* Data must be encrypted in transit.

* Data must be encrypted at rest.

* The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.

Which combination of steps would meet the requirements? (Choose two.)

Options

AEnable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.

BEnable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.

CAdd a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.

DAdd a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only.

EAdd a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: 'aws:kms'.

FEnable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Question No: 18

MultipleChoice

You are designing a custom IAM policy that would allow uses to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

Options

AOption

BOption

COption

DOption

Question No: 19

MultipleChoice

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.

Please select:

Options

AOption

BOption

COption

DOption

Question No: 20

MultipleChoice

A company's Director of information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices

Which solution would meet these requirements?

Options

Ain every AWS account, configure AWS Lambda to query me AWS Support API tor AWS Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.

BConfigure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings

CUse Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS

CUse AWS Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account