Free SCS-C01 Dumps Learning Materials Updated To Achieve Success

We’ve released a new AWS Certified Security – Specialty (SCS-C01) dumps learning material to help you prepare for the AWS Certified Specialty certification exam. If you have a valid SCS-C01 dumps question and answer learning material, you will succeed. The passitdump.com choice is the choice of success.

You can review the real exam questions in the updated free SCS-C01 dumps below.

Question 1:

A company’s security team has defined a set of AWS Config rules that must be enforced globally in all AWS accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?

A. Use AWS Organizations to limit AWS Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one AWS account.

B. Use AWS Config aggregation to consolidate the views into one AWS account, and provide role access to the security team.

C. Consolidate AWS Config rule results with an AWS Lambda function and push data to Amazon SQS. Use Amazon SNS to consolidate and alert when some metrics are triggered.

D. Use Amazon GuardDuty to load data results from the AWS Config rules compliance status, aggregate GuardDuty findings of all AWS accounts into one AWS account, and provide role access to the security team.

Correct Answer: B


Question 2:

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

1. A trusted forensic environment must be provisioned

2. Automated response processes must be orchestrated

Which AWS services should be included in the plan? (Select TWO)

A. AWS CloudFormation

B. Amazon GuardDuty

C. Amazon Inspector

D. Amazon Macie

E. AWS Step Functions

Correct Answer: AE

AWS CloudFormation provisions the isolated forensic environment on demand and AWS Step Functions orchestrates the automated response workflow. Amazon GuardDuty can generate the finding that starts the workflow, but it neither provisions infrastructure nor orchestrates the response.

Reference: https://aws.amazon.com/blogs/security/how-to-automate-incident-response-in-aws-cloud-for-ec2-instances/


Question 3:

A security engineer has been tasked with implementing a solution that allows the company’s development team to have interactive command line access to Amazon EC2 Linux instances using the AWS Management Console.

Which steps should the security engineer take to satisfy this requirement while maintaining least privilege?

A. Enable AWS Systems Manager in the AWS Management Console and configure for access to EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the Systems Manager Session Manager and attach to the team’s IAM users.

B. Enable console SSH access in the EC2 console. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the development team’s IAM users.

C. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure a security group that allows SSH port 22 from all published IP addresses. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the team’s IAM users.

D. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM policies to allow development team access to the EC2 console and attach to the team’s IAM users.

Correct Answer: A

Session Manager needs no inbound SSH port, so the security group in C only widens the attack surface, and the EC2 console in D gives no shell. Note that AmazonEC2RoleforSSM is the legacy managed policy named in the question; AWS now recommends AmazonSSMManagedInstanceCore for the instance profile.


Question 4:

Unapproved changes were previously made to a company’s Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company’s S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

A. Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.

B. Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.

C. Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user.

D. Verify the security engineer’s IAM user has an attached policy that allows all AWS Config actions.

E. Assign the AWSConfigRole managed policy to the AWS Config role

Correct Answer: BE


Question 5:

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company’s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation. What should the security engineer do to meet these requirements?

A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Correct Answer: A


Question 6:

A security engineer has noticed that VPC Flow Logs are recording a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.

B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.

C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.

D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.

Correct Answer: B


Question 7:

A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts.

The company’s security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location.

However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.

Which factors could cause this issue? (Select TWO.)

A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.

B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.

C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.

D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.

Correct Answer: BD

CloudTrail encrypts log files with a data key that it asks KMS to generate, so the key policy must grant the cloudtrail.amazonaws.com service principal kms:GenerateDataKey*; it never calls Encrypt or Decrypt itself. An Organizations trail writes under the AWSLogs/<organization-id>/ prefix, which a bucket policy written for the old per-account AWSLogs/<account-id>/ prefixes does not cover. CloudTrail delivers through its service principal, not through a customer-managed IAM role, so C and E do not apply.
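The two grants above are the ones to check first when an Organizations trail goes silent. The following is an added example (not code from the original page) that diagnoses a constructed bucket policy and key policy and returns the missing statements; the bucket name, account ID, organization ID and key ARN are placeholders, and the checker only honours IAM-style wildcards in Action and Resource, ignoring Condition blocks.

```python
"""Find the grants an AWS Organizations trail needs before CloudTrail can deliver
SSE-KMS-encrypted logs: s3:PutObject on the AWSLogs/<org-id>/ prefix in the bucket
policy, and kms:GenerateDataKey* for the CloudTrail service principal in the key
policy. Added example; all identifiers below are constructed placeholders."""
import fnmatch

BUCKET = "example-log-archive"                  # assumed bucket name
MGMT_ACCOUNT = "111122223333"                   # assumed management account ID
ORG_ID = "o-exampleorgid"                       # assumed organization ID
KEY_ARN = f"arn:aws:kms:us-east-1:{MGMT_ACCOUNT}:key/example-key-id"  # assumed
CLOUDTRAIL = "cloudtrail.amazonaws.com"

# Constructed bucket policy that still only covers the old per-account prefix.
BROKEN_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "Write", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{MGMT_ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

# Constructed key policy that grants Encrypt/Decrypt but not the call CloudTrail makes.
BROKEN_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudTrailEncrypt", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, service, action, resource):
    """True if an Allow statement for the service principal covers action and
    resource ('*' wildcards honoured; Condition blocks are not evaluated)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal != "*":
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            if service not in services:
                continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def delivery_gaps(bucket_policy, key_policy, bucket=BUCKET, org_id=ORG_ID, key_arn=KEY_ARN):
    """Return the missing grants in the order CloudTrail would hit them."""
    gaps = []
    if not _allows(bucket_policy, CLOUDTRAIL, "s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"):
        gaps.append("bucket policy: s3:GetBucketAcl on the bucket")
    # Organizations trails write to AWSLogs/<org-id>/<member-account>/..., not AWSLogs/<account>/.
    org_object = f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/{MGMT_ACCOUNT}/CloudTrail/us-east-1/x.json.gz"
    if not _allows(bucket_policy, CLOUDTRAIL, "s3:PutObject", org_object):
        gaps.append(f"bucket policy: s3:PutObject on AWSLogs/{org_id}/*")
    # CloudTrail encrypts with a data key it asks KMS to generate; it never calls kms:Encrypt.
    if not _allows(key_policy, CLOUDTRAIL, "kms:GenerateDataKey", key_arn):
        gaps.append("key policy: kms:GenerateDataKey* for cloudtrail.amazonaws.com")
    return gaps


def fixed_policies(bucket_policy, key_policy, bucket=BUCKET, org_id=ORG_ID, trail_account=MGMT_ACCOUNT):
    """Return copies of both policies with the two missing statements appended."""
    bucket_fixed = {**bucket_policy, "Statement": bucket_policy["Statement"] + [
        {"Sid": "OrgTrailWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
    key_fixed = {**key_policy, "Statement": key_policy["Statement"] + [
        {"Sid": "CloudTrailGenerateDataKey", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         # Scope the grant to trails in the trail-owning account via the encryption context.
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      f"arn:aws:cloudtrail:*:{trail_account}:trail/*"}}}]}
    return bucket_fixed, key_fixed


if __name__ == "__main__":
    print(delivery_gaps(BROKEN_BUCKET_POLICY, BROKEN_KEY_POLICY))
    print(delivery_gaps(*fixed_policies(BROKEN_BUCKET_POLICY, BROKEN_KEY_POLICY)))
```

Run against the constructed policies, `delivery_gaps` reports the missing org-prefix PutObject and the missing GenerateDataKey grant; after `fixed_policies` it reports nothing. In a real account, compare the output against the actual bucket policy and key policy fetched with `get-bucket-policy` and `get-key-policy`.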


Question 8:

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )

A. Default AWS Certificate Manager certificate

B. Custom SSL certificate stored in AWS KMS

C. Default CloudFront certificate

D. Custom SSL certificate stored in AWS Certificate Manager

E. Default SSL certificate stored in AWS Secrets Manager

F. Custom SSL certificate stored in AWS IAM

Correct Answer: CDF

CloudFront serves HTTPS either with its default *.cloudfront.net certificate or with a custom certificate held in AWS Certificate Manager (requested or imported in us-east-1) or in the IAM certificate store. There is no default ACM certificate, and neither AWS KMS nor AWS Secrets Manager is a certificate store CloudFront can use.


Question 9:

A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket. The log files are encrypted using AWS KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message.

What should the Security Engineer do to fix this issue?

A. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.

B. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects

C. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.

D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK

Correct Answer: C


Question 10:

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company’s security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.

Which combination of steps should the security engineer recommend? (Choose two.)

A. Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

B. Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

C. Change the destination to Amazon CloudWatch Logs.

D. Include the pkt-srcaddr and pkt-dstaddr fields in the log format.

E. Include the subnet-id and instance-id fields in the log format.

Correct Answer: BD

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
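The difference between srcaddr/dstaddr and pkt-srcaddr/pkt-dstaddr is easiest to see on the NAT gateway's own network interface, where one outbound connection produces two records. The following is an added example, not code from the original page: it parses records in a custom format that carries the pkt-* fields and recovers the originating instance. The interface ID and addresses are constructed to mirror the NAT gateway scenario.

```python
"""Parse VPC Flow Log records written in a custom format that carries pkt-srcaddr
and pkt-dstaddr, and recover the original endpoints of traffic that crossed a NAT
gateway. Added example; the interface ID and IP addresses are constructed."""

# Format string supplied when the flow log is created. An existing flow log's
# format cannot be edited, which is why the log has to be deleted and recreated.
CUSTOM_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} ${pkt-srcaddr} "
                 "${pkt-dstaddr} ${dstport} ${protocol} ${action}")

# Constructed records captured on the NAT gateway's network interface for one
# outbound HTTPS connection from instance 10.0.1.5 to 203.0.113.5:
#   line 1: instance -> NAT gateway (private IP 10.0.0.220)
#   line 2: NAT gateway -> remote host
SAMPLE_LINES = [
    "3 eni-0123456789abcdef0 10.0.1.5 10.0.0.220 10.0.1.5 203.0.113.5 443 6 ACCEPT",
    "3 eni-0123456789abcdef0 10.0.0.220 203.0.113.5 10.0.1.5 203.0.113.5 443 6 ACCEPT",
]


def field_names(log_format):
    """'${srcaddr} ${dstaddr}' -> ['srcaddr', 'dstaddr']"""
    return [token[2:-1] for token in log_format.split()]


def parse_record(line, log_format=CUSTOM_FORMAT):
    """Split one space-separated record according to the format it was written with."""
    names = field_names(log_format)
    values = line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}: {line!r}")
    return dict(zip(names, values))


def interface_endpoints(records):
    """Addresses as seen at the interface: the NAT gateway appears as a source."""
    return {(r["srcaddr"], r["dstaddr"]) for r in records}


def original_endpoints(records):
    """Addresses carried in the packet headers: the real client and destination."""
    return {(r["pkt-srcaddr"], r["pkt-dstaddr"]) for r in records}


def originating_hosts(records, remote_ip):
    """Which private hosts actually talked to remote_ip, regardless of NAT."""
    return {r["pkt-srcaddr"] for r in records if r["pkt-dstaddr"] == remote_ip}


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_LINES]
    print("at the interface:", interface_endpoints(recs))
    print("in the packets:  ", original_endpoints(recs))
    print("clients of 203.0.113.5:", originating_hosts(recs, "203.0.113.5"))
```

With only the default fields, the second record would attribute the connection to the NAT gateway's private address; the pkt-* fields collapse both records to the single real pair (10.0.1.5, 203.0.113.5), which is what the policy in the question asks for.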


Question 11:

A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

B. Configure AWS Artifact to archive AWS CloudTrail logs Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.

C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.

D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.

Correct Answer: D

Without a trail, CloudTrail only keeps 90 days of Event history, and there is nothing in S3 for a lifecycle policy to archive; a trail delivering to S3 retains logs for as long as the bucket keeps them. An AWS Config rule evaluates IAM policy resources on change and can notify on non-compliance. Amazon Inspector, AWS Trusted Advisor and AWS Artifact do not detect policy changes.


Question 12:

A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: “There is a problem with the bucket policy.”

What will enable the security engineer to save the change?

A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer’s principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.

C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer’s principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

Correct Answer: C

Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html


Question 13:

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.

Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

A. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

B. Import the certificate with a 4,096-bit RSA public key.

C. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

D. Import the certificate in the us-east-1 (N. Virginia) Region.

E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Correct Answer: DE


Question 14:

A company’s Security Engineer has been asked to monitor and report all AWS account root user activities.

Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)

A. Configuring AWS Organizations to monitor root user API calls on the paying account

B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported

C. Configuring Amazon Inspector to scan the AWS account for any root user activity

D. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console

E. Using Amazon SNS to notify the target group

Correct Answer: BE
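Option B is a CloudWatch Events (now Amazon EventBridge) rule whose pattern matches CloudTrail-sourced events with userIdentity.type of Root; option E publishes the match to an SNS topic. The following is an added example, not code from the original page, that implements the same matching offline so the pattern can be exercised against sample events. The events are constructed to look like CloudTrail events delivered to EventBridge, and the account ID is a placeholder.

```python
"""Detect root user activity in CloudTrail-sourced events the way an EventBridge
rule would, and shape the alert that would be published to SNS. Added example;
the events and account ID are constructed."""
import json

# Event pattern the rule would carry. The matching below mirrors EventBridge
# semantics for this pattern: every key must be present and leaf lists are
# "one of these values".
ROOT_EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

SAMPLE_EVENTS = [  # constructed
    {"detail-type": "AWS Console Sign In via CloudTrail", "account": "111122223333",
     "detail": {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T00:00:00Z",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}}},
    {"detail-type": "AWS API Call via CloudTrail", "account": "111122223333",
     "detail": {"eventName": "CreateUser", "eventTime": "2024-01-01T00:05:00Z",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}}},
    {"detail-type": "AWS API Call via CloudTrail", "account": "111122223333",
     "detail": {"eventName": "ListBuckets", "eventTime": "2024-01-01T00:10:00Z",
                "sourceIPAddress": "203.0.113.9",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}}},
]


def matches_pattern(event, pattern):
    """Recursive EventBridge-style match: nested dicts recurse, lists are alternatives."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def root_activity(events, pattern=ROOT_EVENT_PATTERN):
    """Return only the events the rule would forward to its target."""
    return [e for e in events if matches_pattern(e, pattern)]


def sns_message(event):
    """JSON body for the SNS notification: who, what, when, from where."""
    d = event["detail"]
    return json.dumps({
        "subject": f"Root user activity in account {event['account']}",
        "eventName": d["eventName"],
        "eventTime": d["eventTime"],
        "sourceIPAddress": d["sourceIPAddress"],
        "principal": d["userIdentity"]["arn"],
    })


if __name__ == "__main__":
    for hit in root_activity(SAMPLE_EVENTS):
        print(sns_message(hit))
```

The third constructed event (an IAM user call) is dropped; the console sign-in and the root API call are forwarded. In a real deployment the same pattern goes in the rule and the SNS topic is the rule's target, so no Lambda is needed between them.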


Question 15:

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:

1. Data must be encrypted in transit.

2. Data must be encrypted at rest.

3. The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.

Which combination of steps would meet the requirements? (Select THREE.)

A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket

B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.

C. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.

D. Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only.

E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: “aws:kms”.

F. Enable Amazon Macie to monitor and act on changes to the data lake\’s S3 bucket.

Correct Answer: BCE

SSE-KMS (B) keeps the data confidential even if the bucket is exposed, because reading an object also requires kms:Decrypt on the key, which a public bucket policy does not grant. Denying requests without aws:SecureTransport (C) enforces encryption in transit, and denying PutObject without the aws:kms server-side-encryption header (E) enforces encryption at rest on every upload. A source IP allow statement (D) and Macie monitoring (F) do not encrypt anything.
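The two Deny statements behind C and E are short, but it is worth seeing which requests they actually stop. The following is an added example, not code from the original page: it models explicit-deny evaluation of three bucket policy statements (transport, SSE header value, SSE header present) against constructed requests. It is not a full IAM evaluator, the bucket name is a placeholder, and the third statement is included so the result does not depend on how StringNotEquals treats a request with no header at all.

```python
"""Evaluate the Deny statements that enforce TLS (aws:SecureTransport) and SSE-KMS
on upload (s3:x-amz-server-side-encryption) against sample requests. Added example;
only explicit-deny evaluation of these statements is modelled."""
import fnmatch

BUCKET = "example-data-lake"  # assumed bucket name

DATA_LAKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonKmsUpload", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        # Catches uploads that send no encryption header at all.
        {"Sid": "DenyUploadWithoutSseHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

SAMPLE_REQUESTS = {  # constructed request contexts
    "http_upload": {"action": "s3:PutObject", "resource": f"arn:aws:s3:::{BUCKET}/raw/1.csv",
                    "context": {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "aws:kms"}},
    "https_upload_no_header": {"action": "s3:PutObject", "resource": f"arn:aws:s3:::{BUCKET}/raw/2.csv",
                               "context": {"aws:SecureTransport": "true"}},
    "https_upload_aes256": {"action": "s3:PutObject", "resource": f"arn:aws:s3:::{BUCKET}/raw/3.csv",
                            "context": {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}},
    "https_upload_kms": {"action": "s3:PutObject", "resource": f"arn:aws:s3:::{BUCKET}/raw/4.csv",
                         "context": {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}},
    "https_download": {"action": "s3:GetObject", "resource": f"arn:aws:s3:::{BUCKET}/raw/4.csv",
                       "context": {"aws:SecureTransport": "true"}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate the operators used above; all key/value pairs must hold (AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            value = context.get(key)
            if operator == "Bool":
                if not present or str(value).lower() != expected:
                    return False
            elif operator == "StringNotEquals":
                # A missing key is left to the Null statement rather than assumed here.
                if not present or value in _as_list(expected):
                    return False
            elif operator == "Null":
                # Null: "true" means the key must be absent; "false" means it must be present.
                if (expected == "true") != (not present):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denied_by(request, policy=DATA_LAKE_POLICY):
    """Return the Sids of Deny statements whose action, resource and conditions match."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_met(stmt.get("Condition", {}), request["context"]):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(f"{name:24s} -> {denied_by(request) or 'allowed by these statements'}")
```

Only the HTTPS upload that names aws:kms passes all three statements; downloads are untouched by the SSE statements but still fail over plain HTTP. With default bucket encryption set to SSE-KMS (option B), an upload without a header would be encrypted anyway, so the header statements mainly stop a client from choosing SSE-S3 explicitly.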