Home
Amazon
SCS-C01: AWS Certified Security - Specialty Exam Dumps

Free Amazon SCS-C01 Exam Dumps

Here you can find all the free questions related with Amazon AWS Certified Security - Specialty Exam (SCS-C01) exam. You can also find on this page links to recently updated premium files with which you can practice for actual Amazon AWS Certified Security - Specialty Exam . These premium versions are provided as SCS-C01 exam practice tests, both as desktop software and browser based application, you can use whatever suits your style. Feel free to try the AWS Certified Security - Specialty Exam premium files for free, Good luck with your Amazon AWS Certified Security - Specialty Exam .

Question No: 11

MultipleChoice

Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all 1AM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?

Please select:

Options

ACreate a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

BCreate a Service Control Policy that denies access to the services. Apply the policy to the root account.

CCreate an 1AM policy that denies access to the services. Associate the policy with an 1AM group and enlist all users and the root users in this group.

DCreate an 1AM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.

Answer
AExplanation

As an administrator of the master account of an organization, you can restrict which AWS services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When AWS Organizations blocks access to a service or API action for a member account a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an 1AM policy. Organization permissions overrule account permissions.

Option B is invalid because service policies cannot be assigned to the root account at the account level.

Option C and D are invalid because 1AM policies alone at the account level would not be able to suffice the requirement

For more information, please visit the below URL

id=docs_orgs_console

https://docs.aws.amazon.com/IAM/latest/UserGi

manage attach-policy.html

The correct answer is: Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit

Submit your Feedback/Queries to our Experts

Question No: 12

MultipleChoice

An organization has setup multiple 1AM users. The organization wants that each 1AM user accesses the 1AM console only within the organization and not from outside. How can it achieve this?

Please select:

Options

ACreate an 1AM policy with the security group and use that security group for AWS console login

BCreate an 1AM policy with a condition which denies access when the IP address range is not from the organization

CConfigure the EC2 instance security group which allows traffic only from the organization's IP range

DCreate an 1AM policy with VPC and allow a secure gateway between the organization and AWS Console

Answer
BExplanation

You can actually use a Deny condition which will not allow the person to log in from outside. The below example shows the Deny condition to ensure that any address specified in the source address is not allowed to access the resources in aws.

Option A is invalid because you don't mention the security group in the 1AM policy

Option C is invalid because security groups by default don't allow traffic

Option D is invalid because the 1AM policy does not have such an option

For more information on 1AM policy conditions, please visit the URL:

http://docs.aws.amazon.com/IAM/latest/UserGuide/access pol

examples.htm l#iam-policy-example-ec2-two-condition!

The correct answer is: Create an 1AM policy with a condition which denies access when the IP address range is not from the organization

Submit your Feedback/Queries to our Experts

Question No: 13

MultipleChoice

Attach the following SCP to the OU that contains this account:

Options

AIn the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.

BOption

CFor each finding In the audit report, run the ec2 copy-snapshot command and use the encrypted flag specifying an AWS Key Management Service (AWS KMS) CMK

DCreate a private AMI for the company Configure encryption for the private AMI by selecting the custom AMI in the Amazon EC2 console, the destination AWS Region and the source account s AWS Key Management Service (AWS KMS) master key.

Answer
A

Question No: 14

MultipleChoice

A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret

Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.

Add the following statement to the container instance IAM role policy

Add the following statement to the execution role policy.

Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Options

AOption A

BOption B

COption C

DOption D

EOption E

FOption F

Answer
B, E, F

Question No: 15

MultipleChoice

A company has several workloads running on AWS Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console Developers migrated an existing legacy web application to an Amazon EC2 instance Employees need to access this application from anywhere on the internet but currently, mere is no authentication system but into the application.

How should the Security Engineer implement employee-only access to this system without changing the application?

Options

APlace the application behind an Application Load Balancer (ALB) Use Amazon Cognito as authentication (or the ALB Define a SAML-based Amazon Cognito user pool and connect it to ADFS
implement AWS SSO in the master account and link it to ADFS as an identity provide' Define the EC2 instance as a managed resource, then apply an IAM policy on the resource

BDefine an Amazon Cognito identity pool then install the connector on the Active Directory server Use the Amazon Cognito SDK on the application instance to authenticate the employees using their C. Active Directory user names and passwords

DCreate an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2 Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Answer
B

Question No: 16

MultipleChoice

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

* HTTPS needs to be enforced for all data in transit with specific ciphers.

* The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

Set up an S3 bucket policy with the awssecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.

Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

Options

AOpen inbound port 22 to 0 0.0.0/0 on all Linux servers.

BEnable the advanced-instances tier in Systems Manager.

CCreate a managed-instance activation for the on-premises servers.

DReconfigure the Systems Manager Agent with the activation code and ID.

EAssign an IAM role to all of the on-premises servers.

FInitiate an inventory collection with Systems Manager on the on-premises servers

Answer
C, E, F

Question No: 17

MultipleChoice

Auditors tor a health care company have mandated mat all data volumes be encrypted at rest Infrastructure is deployed mainly via AWS CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

Options

AOn a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

BConfigure an AWS Config rule lo run on a recurring basis 'or volume encryption

CSet up Amazon Inspector rules tor volume encryption to run on a recurring schedule

DUse CloudWatch Logs to determine whether instances were created with an encrypted volume

Answer
A

Question No: 18

MultipleChoice

A company created an AWS account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual 1AM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

Options

AFor each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding 1AM roles.

BFor each team create an 1AM policy similar to the one that follows Populate the aws TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding 1AM roles.

CTag each 1AM role with a Team lag key. and use the team name in the tag value. Create an 1AM policy similar to the one that follows, and attach 4 to all the 1AM roles used by developers.

DTag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Answer
A

Question No: 19

MultipleChoice

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

* Encryption in transit

* Encryption at rest

* Logging of all object retrievals in AWS CloudTrail

Which of the following meet these security requirements? (Choose three.)

Options

ASpecify ''aws:SecureTransport'': ''true'' within a condition in the S3 bucket policy.

BEnable a security group for the S3 bucket that allows port 443, but not port 80.

CSet up default encryption for the S3 bucket.

DEnable Amazon CloudWatch Logs for the AWS account.

EEnable API logging of data events for all S3 objects.

FEnable S3 object versioning for the S3 bucket.

Answer
A, C, E

Question No: 20

MultipleChoice

A financial institution has the following security requirements:

* Cloud-based users must be contained in a separate authentication domain.

* Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

Options

AConfigure an AWS Managed Microsoft AD to manage the cloud resources.

BConfigure an additional on-premises Active Directory service to manage the cloud resources.

CEstablish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

DEstablish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

EEstablish a two-way trust between the new and existing Active Directory services.

Answer
A, BExplanation

Deploy a new forest/domain on AWS with one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain. Ref: https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF