2024 New SCS-C01 Dumps - Real Amazon Exam Questions [Q106-Q122]


NEW QUESTION # 106
A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application that decrypts the data from Amazon S3 to ensure separation of duties between the applications. A Security Engineer wants to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.
Which encryption method will meet these requirements?

  • A. Use encrypted Amazon EBS volumes with the default AWS managed key for EBS
  • B. Use server-side encryption with customer-provided keys (SSE-C)
  • C. Use server-side encryption with Amazon S3 managed keys (SSE-S3)
  • D. Use server-side encryption with AWS KMS managed keys (SSE-KMS)

Answer: D

Explanation:
Only SSE-KMS gives the two roles different rights on the same key: the key policy (or the IAM policies it delegates to) can grant the storing application's role kms:GenerateDataKey and the decrypting application's role kms:Decrypt, so neither EC2 role can do the other's job even though both can reach the bucket. SSE-S3 keys carry no separate permissions, SSE-C keeps the key outside AWS and is not a native key service, and EBS encryption does not apply to S3 objects at all.


NEW QUESTION # 107
A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  • A. The log files fail integrity validation and automatically are marked as unavailable.
  • B. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  • C. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  • D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Answer: C

Explanation:
Enabling SSE-KMS on a trail encrypts the log files but not the digest files; digest files are always encrypted with Amazon S3-managed keys (SSE-S3). A principal with s3:GetObject but without kms:Decrypt on the trail's key can therefore read the digests but not the logs. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html


NEW QUESTION # 108
A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing and development environments. Which of the following is an ideal way to design such a setup?
Please select:

  • A. Use separate AWS accounts for each of the environments
  • B. Use separate IAM Policies for each of the environments
  • C. Use separate VPCs for each of the environments
  • D. Use separate IAM Roles for each of the environments

Answer: A

Explanation:
This is also the recommendation in the AWS Security Best Practices whitepaper: separate accounts give each environment its own IAM boundary, its own service quotas and its own bill, and can be governed together with AWS Organizations.
Option C is only partially valid: separate VPCs segregate network resources inside one account, but the best practice is separate accounts.
Options B and D are invalid because keeping environments apart purely through IAM policies or roles becomes very difficult to maintain. For more information on the security best practices, see:
https://dl.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use separate AWS accounts for each of the environments


NEW QUESTION # 109
An organization has launched five instances: two for production and three for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as part of the policy?
Please select:

  • A. Create an IAM policy with a condition which allows access to only small instances
  • B. Launch the test and production instances in separate regions and allow region wise access to the group
  • C. Define tags on the test and production servers and add a condition to the IAM policy that allows access only to instances with specific tags
  • D. Define the IAM policy which allows access based on the instance ID

Answer: C

Explanation:
Tags let you categorize your AWS resources in different ways, for example by purpose, owner or environment, and IAM policies can use the ec2:ResourceTag/<key> condition key to allow an action only on instances that carry a given tag value. The same policy should deny ec2:CreateTags and ec2:DeleteTags on the instances, otherwise a member of the group can retag a production instance as a test one. Option D is invalid because a policy keyed on instance IDs has to be rewritten every time an instance is replaced. Option B is invalid because splitting environments across regions only to control access is an operational overhead. Option A is invalid because the instance type does not identify the environment. For information on resource tagging, see:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define tags on the test and production servers and add a condition to the IAM policy that allows access only to instances with specific tags


NEW QUESTION # 110
You are hosting a website via static website hosting on an S3 bucket, http://demo.s3-website-us-east-1.amazonaws.com. Some of the web pages use JavaScript that accesses resources in another bucket which also has website hosting enabled. When users access the web pages, they get a blocked JavaScript error in the browser. How can you rectify this?
Please select:

  • A. Enable versioning for the bucket
  • B. Enable CORS for the bucket
  • C. Enable MFA for the bucket
  • D. Enable CRR for the bucket

Answer: B

Explanation:
This scenario is also given in the AWS documentation under Cross-Origin Resource Sharing: Use-case Scenarios. The following are example scenarios for using CORS:
* Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.
* Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
Option A is invalid because versioning only keeps multiple versions of an object and helps recover from accidental deletion. Option C is invalid because MFA Delete is an extra safeguard against deleting objects. Option D is invalid because CRR is cross-region replication of objects. Note that a CORS rule is not an access control: it only tells the browser which origins may read the response, so list the specific website origin in AllowedOrigin rather than "*" unless the content is meant to be public. For more information on Cross-Origin Resource Sharing, see:
https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
The correct answer is: Enable CORS for the bucket


NEW QUESTION # 111
A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from the corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes the security engineer concern about overall security.
Which actions will meet the program requirements that address security?

  • A. Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.
  • B. Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if the request originates from the corporate premises.
  • C. Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
  • D. Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.

Answer: C

Explanation:
Federating the corporate IdP with AWS (SAML 2.0 or OIDC) removes the IAM user provisioning queue altogether: developers sign in with their corporate identity, assume an IAM role and receive short-lived credentials, so there is nothing long-lived left to share and access is revoked by disabling the corporate account. Options A, B and D leave the shared long-term credentials in place; D only detects the sharing after the fact.


NEW QUESTION # 112
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE)

  • A. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
  • B. Use an S3 bucket with tight access controls that exists in a separate account
  • C. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)
  • D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
  • E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
  • F. Ensure CloudTrail log file validation is turned on

Answer: B,C,F

Explanation:
Delivering the logs to a tightly controlled bucket in a separate account keeps someone who compromises the logged account from editing or deleting the trail's history; SSE-KMS adds a key policy check on top of the bucket policy for anyone who wants to read the logs; and log file validation produces signed digest files with which you can prove that a log file was not modified or deleted after delivery. Option A is about retention cost, not protection. Option D is invalid because Amazon Inspector assesses EC2 instances, container images and Lambda functions for vulnerabilities and has no file-integrity monitoring for S3 objects. Option E is invalid because ACM does not let you export the private key of a public certificate it issues, and a TLS certificate is not a log encryption mechanism.
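Log file validation (option F above, and the feature behind the digest files in Question 107) records the SHA-256 of every delivered log object in an hourly digest file, chains each digest to the previous one by hash, and signs the digest with SHA256withRSA. The following added example, which is not from the page or from AWS, checks the hash and chain parts of that scheme on constructed data: the account ID, bucket, object keys and log contents are invented, and the RSA signature check, which needs the public key returned by `aws cloudtrail list-public-keys`, is left out (the full check is what `aws cloudtrail validate-logs` performs).

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_objects, previous_digest=None):
    """Constructed stand-in for the body of a CloudTrail digest file.

    log_objects maps an S3 key to the gzipped log object exactly as stored; the hash
    CloudTrail records per log file is SHA-256 over those stored bytes. The signature
    fields of a real digest are left out of this example.
    """
    doc = {
        "awsAccountId": "123456789012",             # invented account
        "digestS3Bucket": "example-trail-bucket",   # invented bucket
        "logFiles": [
            {"s3Bucket": "example-trail-bucket", "s3Object": key,
             "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in sorted(log_objects.items())
        ],
    }
    if previous_digest is not None:
        prev_key, prev_body = previous_digest
        doc["previousDigestS3Object"] = prev_key
        doc["previousDigestHashValue"] = sha256_hex(prev_body)
        doc["previousDigestHashAlgorithm"] = "SHA-256"
    return doc


def check_digest(digest, objects):
    """Return the problems found; an empty list means every referenced object matched."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            problems.append(f"unsupported hash algorithm for {key}")
            continue
        body = objects.get(key)
        if body is None:
            problems.append(f"log file deleted: {key}")
        elif sha256_hex(body) != entry["hashValue"]:
            problems.append(f"log file modified: {key}")
    prev_key = digest.get("previousDigestS3Object")
    if prev_key is not None:
        prev_body = objects.get(prev_key)
        if prev_body is None:
            problems.append(f"previous digest deleted: {prev_key}")
        elif sha256_hex(prev_body) != digest["previousDigestHashValue"]:
            problems.append(f"digest chain broken at {prev_key}")
    return problems


def demo():
    """Two hourly log files, two chained digests, then two kinds of tampering."""
    logs = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"
    digests = "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/01/"
    log_a_key, log_b_key = logs + "trail-10Z.json.gz", logs + "trail-11Z.json.gz"
    digest_1_key = digests + "digest-10Z.json.gz"

    def gz(doc):   # CloudTrail stores each log and digest as a gzipped JSON document
        return gzip.compress(json.dumps(doc).encode(), mtime=0)

    log_a = gz({"Records": [{"eventName": "PutBucketPolicy"}]})
    log_b = gz({"Records": [{"eventName": "StopLogging"}]})
    objects = {log_a_key: log_a, log_b_key: log_b}
    digest_1 = build_digest({log_a_key: log_a})
    objects[digest_1_key] = gz(digest_1)
    digest_2 = build_digest({log_b_key: log_b},
                            previous_digest=(digest_1_key, objects[digest_1_key]))

    clean = check_digest(digest_2, objects)

    # An attacker rewrites the second log to hide the StopLogging call.
    edited = dict(objects)
    edited[log_b_key] = gz({"Records": []})
    modified = check_digest(digest_2, edited)

    # An attacker deletes the earlier digest to cut the chain.
    gap = {k: v for k, v in objects.items() if k != digest_1_key}
    broken_chain = check_digest(digest_2, gap)
    return clean, modified, broken_chain
```

Because each digest carries the hash of its predecessor, deleting any digest or log file in the chain is detectable as long as the newest digest can be trusted, which is why the digest files' signatures, and the separate-account bucket of option B, matter: an attacker who can rewrite the digests themselves can rewrite the chain.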


NEW QUESTION # 113
A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure, even if the certificate private key is leaked.
To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

  • A. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
  • B. An HTTPS listener that uses a certificate that is managed by AWS Certificate Manager.
  • C. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
  • D. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.

Answer: C

Explanation:
With perfect forward secrecy every session key comes from an ephemeral (EC)DHE exchange, so a later leak of the certificate's private key does not let an attacker decrypt traffic that was captured earlier. Option D is wrong because the predefined ELBSecurityPolicy-TLS-1-2-2017-01 policy still includes static RSA key-exchange suites such as AES128-GCM-SHA256. Option A is wrong because a TCP listener does not terminate TLS on the load balancer, so no security policy applies. Option B addresses certificate management, not cipher selection.
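What the custom security policy in option C enforces can be checked locally through OpenSSL's own view of the cipher suites. The following added example, which is not from the page or from AWS, builds a TLS 1.2+ server context restricted to ECDHE suites with Python's ssl module and audits an arbitrary OpenSSL cipher string for suites that use static RSA key exchange, the ones a leaked certificate key would expose retroactively. The suite names are OpenSSL's, which are also the names used in Classic Load Balancer security policies.

```python
import re
import ssl

# SSL_CIPHER_description() prints the key exchange as Kx=...: ECDH and DH denote the
# ephemeral (EC)DHE exchanges, 'any' is how TLS 1.3 suites appear (always ephemeral),
# and RSA means static RSA key exchange, where the certificate key unwraps the session
# key and a leaked key decrypts every recorded session.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}


def key_exchange(cipher: dict) -> str:
    """Key exchange of one entry from SSLContext.get_ciphers()."""
    match = re.search(r"Kx=(\S+)", cipher["description"])
    return match.group(1) if match else "unknown"


def pfs_only_server_context() -> ssl.SSLContext:
    """A server context that only negotiates forward-secret AEAD suites on TLS 1.2+."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def non_pfs_suites(ctx: ssl.SSLContext):
    """Names of the suites the context would still offer without forward secrecy."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if key_exchange(c) not in FORWARD_SECRET_KX)


def audit_cipher_string(cipher_string: str):
    """Audit an OpenSSL cipher string, e.g. the suite list copied from a load balancer policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return non_pfs_suites(ctx)


if __name__ == "__main__":
    print("non-PFS suites in the hardened context:", non_pfs_suites(pfs_only_server_context()))
    print("non-PFS suites in a mixed list:",
          audit_cipher_string("ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"))
```

On a Classic Load Balancer the equivalent is a custom policy of type SSLNegotiationPolicyType (`aws elb create-load-balancer-policy`) that enables only ECDHE-* suites. Forward secrecy protects recorded sessions; a leaked key still lets an attacker impersonate the site from then on, so the certificate must still be revoked and rotated.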


NEW QUESTION # 114
A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?

  • A. Define resource update constraints for each product in the portfolio.
  • B. Add a launch constraint to each product in the portfolio.
  • C. Update the AWS CloudFormation template backing the product to include a service role configuration.
  • D. Add a template constraint to each product in the portfolio.

Answer: B

Explanation:
https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html Launch constraints apply to products in the portfolio (product-portfolio association). Launch constraints do not apply at the portfolio level or to a product across all portfolios. To associate a launch constraint with all products in a portfolio, you must apply the launch constraint to each product individually.


NEW QUESTION # 115
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

  • A. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
  • B. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
  • C. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
  • D. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.

Answer: D


NEW QUESTION # 116
You have an EC2 instance with the following security configured:
a. ICMP inbound allowed on Security Group
b. ICMP outbound not configured on Security Group
c. ICMP inbound allowed on Network ACL
d. ICMP outbound denied on Network ACL
If flow logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.
Please select:

  • A. A REJECT record for the response based on the NACL
  • B. An ACCEPT record for the request based on the Security Group
  • C. An ACCEPT record for the request based on the NACL
  • D. A REJECT record for the response based on the Security Group

Answer: A,B,C

Explanation:
This example is given in the AWS documentation as well.
For example, you use the ping command from your home computer (IP address 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as two flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option D is invalid because a security group is stateful and never rejects the reply to a flow it has accepted, so no REJECT record is attributed to it. For more information on flow logs, see:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL
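The two records in that explanation are the signature of a stateless drop: the security group accepted the request and, being stateful, would have accepted the reply, so an ACCEPT followed by a REJECT on the same flow in the opposite direction can only come from the network ACL. The following added example, which is not from the page or from AWS, parses constructed records in the default flow log format (version 2 field order) and reports such pairs; the account ID, ENI ID, addresses and timestamps are invented, with the ping pair taken from the scenario above.

```python
from collections import defaultdict

# Default VPC flow log record layout (version 2), in field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: the ping pair from the scenario (request accepted, echo reply
# rejected), an SSH session accepted in both directions, and one rejected inbound
# probe on 3389 that has no matching reverse flow.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 49152 22 6 20 4249 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 22 49152 6 18 3560 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.139 51000 3389 6 1 40 1432917100 1432917160 REJECT OK
"""


def parse_record(line: str) -> dict:
    return dict(zip(FIELDS, line.split()))


def flow_key(r: dict):
    """Direction-independent key so a request and its reply land in the same bucket."""
    ends = sorted([(r["srcaddr"], r["srcport"]), (r["dstaddr"], r["dstport"])])
    return (r["interface_id"], r["protocol"], ends[0], ends[1])


def find_stateless_drops(lines):
    """Flows accepted in one direction and rejected in the other.

    A security group is stateful, so it never rejects the reply to a flow it accepted;
    an ACCEPT/REJECT pair on one flow therefore points at a network ACL rule.
    """
    actions = defaultdict(dict)
    for line in lines:
        if not line.strip() or line.startswith("version"):
            continue
        r = parse_record(line)
        if r["log_status"] != "OK":    # NODATA / SKIPDATA records carry no decision
            continue
        # The last action seen per direction wins; adequate for one capture window.
        actions[flow_key(r)][(r["srcaddr"], r["dstaddr"])] = r["action"]

    findings = []
    for key, by_direction in actions.items():
        if len(by_direction) != 2 or set(by_direction.values()) != {"ACCEPT", "REJECT"}:
            continue
        rejected = next(d for d, a in by_direction.items() if a == "REJECT")
        findings.append({"interface_id": key[0], "protocol": key[1],
                         "rejected_src": rejected[0], "rejected_dst": rejected[1]})
    return findings


if __name__ == "__main__":
    for finding in find_stateless_drops(SAMPLE_LOG.splitlines()):
        print("reply dropped by network ACL:", finding)
```

The lone REJECT on port 3389 is deliberately not reported: a probe that was simply blocked is normal, whereas a reply that is blocked after its request was accepted means a NACL is missing an outbound rule, typically for the ephemeral port range.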


NEW QUESTION # 117
You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

  • A. A
  • B. D
  • C. C
  • D. B

Answer: A

Explanation:
The Condition element can be used to ensure users can only work with resources if they are MFA authenticated.
Options B and C are wrong because the aws:MultiFactorAuthPresent key should be compared against true: only when the user has authenticated with MFA, and the key is therefore true, is access allowed.
Option D is invalid because the Bool operator is missing from the Condition element.
Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false". Here the Bool operator in the condition element evaluates to true for option A, which allows the bucket listing.
For more information on an example of such a policy, please visit the following URL:
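The tag condition from Question 109 and the MFA condition from this question can be exercised offline before a policy is attached. The following added example, which is not from the page or from AWS, is a deliberately small evaluator (explicit Deny wins, then Allow, otherwise implicit deny; only StringEquals, Bool and BoolIfExists are modelled) run over policies written for those two questions; the account ID, region and instance ARN are invented. The last two policies show the aws:MultiFactorAuthPresent pitfall: the key is absent from requests signed with long-term access keys, so a Deny that compares it with Bool false never fires for exactly the callers it is meant to stop, and BoolIfExists is the operator to use on a Deny.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style matching of an action or resource: * and ? are wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    """Every operator/key pair in the Condition block must hold for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                met = actual is not None and actual in [str(e) for e in _as_list(expected)]
            elif operator in ("Bool", "BoolIfExists"):
                want = str(_as_list(expected)[0]).lower()
                if actual is None:
                    # Key absent from the request context: Bool is not met, BoolIfExists is.
                    met = operator == "BoolIfExists"
                else:
                    met = str(actual).lower() == want
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not met:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request; an explicit Deny wins."""
    allowed = False
    for statement in _as_list(policy["Statement"]):
        if not _matches(statement.get("Action", []), action):
            continue
        if not _matches(statement.get("Resource", "*"), resource):
            continue
        if not _condition_met(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


INSTANCES = "arn:aws:ec2:us-east-1:123456789012:instance/*"   # invented account and region

# Question 109: operate only instances tagged Environment=test, and stop the group from
# moving an instance between environments by retagging it.
TEST_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": INSTANCES,
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "test"}}},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": INSTANCES},
    ],
}

# Question 117: list buckets only when the session was authenticated with MFA.
MFA_LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*",
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
}

# Pitfall: the same intent written as a Deny. With Bool, a request that carries no
# aws:MultiFactorAuthPresent key at all (long-term access keys) is not denied.
DENY_WITHOUT_MFA_WRONG = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
DENY_WITHOUT_MFA_RIGHT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
```

The evaluator ignores NotAction, NotResource, resource-level permission support per action and the other policy types (SCPs, permission boundaries, resource policies) that the real engine combines, so treat it as a way to reason about a single identity policy, not as a substitute for the IAM policy simulator.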


NEW QUESTION # 118
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?

  • A. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
  • B. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
  • C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
  • D. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.

Answer: C

Explanation:
CloudTrail supports SSE-KMS natively: you set the KMS key on the trail (for example with aws cloudtrail update-trail --kms-key-id), and the key policy must allow the cloudtrail.amazonaws.com service principal to call kms:GenerateDataKey* and kms:DescribeKey. Encrypting each log yourself (option A) duplicates what the service already does, SSE-S3 (option B) does not use a CMK, and TLS (option D) protects the API call in transit, not the log at rest.
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html


NEW QUESTION # 119
A company has been using AWS KMS for managing its keys. They are planning on carrying out housekeeping activities and deleting keys which are no longer in use. What are the ways that can be used to see which keys are in use? Choose 2 answers from the options given below.
Please select:

  • A. See who is assigned permissions to the master key
  • B. Use Amazon CloudWatch Events for events generated for the key
  • C. Determine the age of the master key
  • D. See Cloudtrail for usage of the key

Answer: A,D

Explanation:
The direct ways to see how a key is being used are to review its current access permissions and its CloudTrail history. Option C is invalid because the age of a key says nothing about whether it is still used. Option B is invalid because CloudWatch Events only reacts to events as they happen; CloudTrail gives you the usage history. This is also covered in the AWS documentation:
Examining CMK Permissions to Determine the Scope of Potential Usage: Determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CMK was used and whether it is still needed. To learn how to determine who or what currently has access to a CMK, go to Determining Access to an AWS KMS Customer Master Key.
Examining AWS CloudTrail Logs to Determine Actual Usage: AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files. If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history. You might be able to use a CMK's usage history to help you determine whether or not you still need it. For more information on determining the usage of CMKs, see:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html
The correct answers are: See who is assigned permissions to the master key. See CloudTrail for usage of the key
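For option D the CloudTrail review can be scripted. The following added example, which is not from the page or from AWS, walks a constructed slice of CloudTrail records, counts only cryptographic KMS operations per key (DescribeKey and similar inventory calls do not count as use), and lists the keys from a key inventory that have not been used within an idle window. The account ID, key ARNs, timestamps and the NOW reference date are invented; the records name the key in the resources list, as KMS records in CloudTrail do.

```python
from datetime import datetime, timedelta, timezone

# KMS API calls that mean a key was actually exercised. Read-only calls such as
# DescribeKey, GetKeyPolicy or ListAliases are inventory activity, not usage.
CRYPTO_OPERATIONS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "Sign", "Verify",
    "GenerateMac", "VerifyMac",
}

ACCOUNT = "123456789012"                                         # invented
KEY_APP = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-1111-4111-8111-111111111111"
KEY_OLD = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/22222222-2222-4222-8222-222222222222"
KEY_IDLE = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/33333333-3333-4333-8333-333333333333"
INVENTORY = [KEY_APP, KEY_OLD, KEY_IDLE]                         # what ListKeys would return
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)                  # reference date for the demo


def _record(event_time, event_name, key_arn):
    """Constructed CloudTrail record with the fields this example reads."""
    return {"eventTime": event_time, "eventSource": "kms.amazonaws.com",
            "eventName": event_name,
            "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key", "accountId": ACCOUNT}]}


RECORDS = [
    _record("2024-05-20T09:15:00Z", "Decrypt", KEY_APP),
    _record("2024-05-21T09:15:00Z", "GenerateDataKey", KEY_APP),
    _record("2024-01-10T12:00:00Z", "Encrypt", KEY_OLD),
    _record("2024-05-22T08:00:00Z", "DescribeKey", KEY_IDLE),     # inventory scan, not usage
    {"eventTime": "2024-05-22T08:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject"},                                    # unrelated service, ignored
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_usage(records):
    """Map key ARN -> (time of last cryptographic use, number of such calls)."""
    usage = {}
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in CRYPTO_OPERATIONS:
            continue
        when = parse_time(rec["eventTime"])
        for res in rec.get("resources", []):
            arn = res.get("ARN", "")
            if ":key/" not in arn:
                continue
            last, count = usage.get(arn, (None, 0))
            usage[arn] = (when if last is None or when > last else last, count + 1)
    return usage


def deletion_candidates(inventory, records, now, idle_days=90):
    """Keys with no cryptographic use inside idle_days, or no use at all in the records."""
    usage = last_usage(records)
    cutoff = now - timedelta(days=idle_days)
    return sorted(arn for arn in inventory if arn not in usage or usage[arn][0] < cutoff)


if __name__ == "__main__":
    for arn in deletion_candidates(INVENTORY, RECORDS, NOW):
        print("candidate for scheduled deletion:", arn)
```

The CloudTrail console's event history only reaches back 90 days, so run this over the trail's S3 logs (for example through Athena) for a longer window. Even then, schedule deletion with the 7 to 30 day waiting period rather than deleting outright, and alarm on any KMS call against a key that is pending deletion: a key used once a year looks idle in any 90-day sample.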


NEW QUESTION # 120
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.
A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly.
Which combination of actions would build the required solution? (Choose three.)

  • A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
  • B. Enable Amazon GuardDuty in the security account, and join the production accounts as members.
  • C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
  • D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
  • E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
  • F. Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Answer: A,C,E

Explanation:
Bucket policy changes are API calls (PutBucketPolicy, DeleteBucketPolicy, PutBucketAcl) that CloudTrail records and that CloudWatch Events can match. Forwarding those events from every production account to the security account's event bus (A), matching them with a rule there (C) and evaluating the new policy against the bucket's classification tag in a Lambda function that notifies the team (E) gives near real-time enforcement from one place. Option F is invalid because S3 event notifications cover object operations (PUT, POST and DELETE of objects), not bucket policy changes, and they are delivered inside the bucket's own account. GuardDuty and Trusted Advisor do not evaluate a policy against a company-specific classification.
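Option E is the part of the solution that needs code. The following added example, which is not from the page or from AWS, is a Lambda-style handler for an EventBridge "AWS API Call via CloudTrail" event forwarded from a production account. It assumes that the new policy is present as requestParameters.bucketPolicy in that event, reads the bucket's classification tag through an injected lookup (a get_bucket_tagging call through a cross-account role in production) and sends notifications through an injected callable (SNS in production); the classification rules, account IDs, bucket names and policies are invented.

```python
import json

# Classification rules assumed by this example (the page only says the tag exists):
#   Public     - any policy is acceptable
#   Internal   - no Allow to a wildcard principal
#   Restricted - no wildcard principal, and every allowed AWS principal is in the owning account
# Constructed tag inventory keyed by (account, bucket).
BUCKET_TAGS = {
    ("111122223333", "hr-records"): {"DataClassification": "Restricted"},
    ("111122223333", "wiki-exports"): {"DataClassification": "Internal"},
    ("111122223333", "marketing-site"): {"DataClassification": "Public"},
}


def lookup_tags(account, bucket):
    return BUCKET_TAGS.get((account, bucket), {})


def make_event(account, bucket, policy):
    """Constructed EventBridge event for a CloudTrail-recorded PutBucketPolicy call."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "account": account,
        "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                   "requestParameters": {"bucketName": bucket, "bucketPolicy": policy}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """(kind, value) pairs of a statement's Principal; a bare "*" is reported as ("AWS", "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def findings_for(policy, classification, owner_account):
    findings = []
    if policy is None or classification == "Public":
        return findings
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for kind, principal in principals_of(st):
            if kind != "AWS":
                continue     # service and federated principals are out of scope here
            if principal == "*":
                gate = " (gated only by a Condition)" if "Condition" in st else ""
                findings.append(f"{sid}: Allow to wildcard principal{gate}")
            elif classification == "Restricted" and principal != owner_account \
                    and f":{owner_account}:" not in principal:
                findings.append(f"{sid}: Allow to principal outside {owner_account}: {principal}")
    return findings


def handler(event, get_tags=lookup_tags, notify=print):
    """Lambda-style entry point; returns the evaluation so it can be logged or tested."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com" or \
            detail.get("eventName") not in ("PutBucketPolicy", "DeleteBucketPolicy"):
        return None
    account, bucket = event["account"], detail["requestParameters"]["bucketName"]
    # An untagged bucket is held to the strictest rules rather than silently passing.
    classification = get_tags(account, bucket).get("DataClassification", "Restricted")
    policy = None
    if detail["eventName"] == "PutBucketPolicy":
        policy = detail["requestParameters"].get("bucketPolicy")
        if isinstance(policy, str):
            policy = json.loads(policy)
    findings = findings_for(policy, classification, account)
    result = {"account": account, "bucket": bucket, "classification": classification,
              "compliant": not findings, "findings": findings}
    if findings:
        notify(result)       # SNS publish in production
    return result


def allow_get(sid, principal, bucket):
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def demo():
    """Three constructed policy changes; returns the results and the notifications sent."""
    sent = []
    role = {"AWS": "arn:aws:iam::111122223333:role/hr-app"}
    results = [
        handler(make_event("111122223333", "hr-records", allow_get("PublicRead", "*", "hr-records")),
                notify=sent.append),
        handler(make_event("111122223333", "hr-records", allow_get("AppRole", role, "hr-records")),
                notify=sent.append),
        handler(make_event("111122223333", "marketing-site", allow_get("Site", "*", "marketing-site")),
                notify=sent.append),
    ]
    return results, sent
```

Because the rule fires on the API call that changed the policy, the check runs within seconds of the change and with the exact document that was applied, which is what makes this approach quicker than a periodic scan of every bucket.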


NEW QUESTION # 121
Your company has the following setup in AWS:
a. A set of EC2 Instances hosting a web application
b. An Application Load Balancer placed in front of the EC2 Instances
There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?
Please select:

  • A. Use Security Groups to block the IP addresses
  • B. Use AWS WAF to block the IP addresses
  • C. Use VPC Flow Logs to block the IP addresses
  • D. Use Amazon Inspector to block the IP addresses

Answer: B

Explanation:
The AWS documentation describes AWS WAF, which protects Application Load Balancers and CloudFront distributions: a web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block requests that:
* originate from an IP address or a range of IP addresses
* originate from a specific country or countries
* contain a specified string or match a regular expression (regex) pattern in a particular part of the request
* exceed a specified length
* appear to contain malicious SQL code (SQL injection)
* appear to contain malicious scripts (cross-site scripting)
Option A is invalid because security groups only have allow rules; they cannot block a specific source address (a network ACL could, but it is not offered here). Options C and D are invalid because VPC Flow Logs and Amazon Inspector are visibility tools and cannot block traffic. For information on AWS WAF, see:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
The correct answer is: Use AWS WAF to block the IP addresses


NEW QUESTION # 122
......
