Updated PDF (New 2021) Actual Amazon SCS-C01 Exam Questions [Q216-Q238]


Verified SCS-C01 Exam Dumps PDF [2021] Access using DumpsKing

NEW QUESTION 216
A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?
Please select:

  • A. Access the S3 bucket through a NAT gateway.
  • B. Access the S3 bucket through a VPC endpoint for S3
  • C. Access the S3 bucket through the SSL protected S3 endpoint
  • D. Access the S3 bucket through a proxy server

Answer: B

Explanation:
The AWS Documentation mentions the following
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Option A is invalid because using a proxy server is not sufficient. Options B and D are invalid because you need secure communication that does not traverse the internet. For more information on VPC endpoints, please see the link below:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
The correct answer is: Access the S3 bucket through a VPC endpoint for S3

NEW QUESTION 217
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.
How should the Lambda function be given access to the DynamoDB table?
Please select:

  • A. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
  • B. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
  • C. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
  • D. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.

Answer: A

Explanation:
The ideal way is to create an IAM role that has the required permissions and then associate it with the Lambda function. The AWS Documentation additionally mentions the following:
Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role.
If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB Streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.
Option A is invalid because the VPC endpoint allows instances in a private subnet to access DynamoDB. Option B is invalid because resource policies are present for resources such as S3 and KMS, but not AWS Lambda. Option C is invalid because IAM roles should be used and not IAM users. For more information on the Lambda permission model, please visit the URL below:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.


NEW QUESTION 218
One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance? Select 2 answers from the options given below.
Please select:

  • A. Create a separate forensic instance
  • B. Ensure that the security groups only allow communication to this forensic instance
  • C. Remove the role applied to the EC2 Instance
  • D. Terminate the instance

Answer: A,B

Explanation:
Option A is invalid because removing the role will not help completely in such a situation. Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance. One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.
For more information on security scenarios for your EC2 Instance, please refer to the URL below:
https://d1.awsstatic.com/Marketplace/scenarios/security/SEC 11 TSB Final.pdf
The correct answers are: Create a separate forensic instance. Ensure that the security groups only allow communication to this forensic instance.


NEW QUESTION 219
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Select THREE).

  • A. Amazon GuardDuty
  • B. AWS Certificate Manager (ACM)
  • C. AWS Shield
  • D. Amazon Route 53
  • E. Amazon S3
  • F. Elastic Load Balancer

Answer: A,C,F

 

NEW QUESTION 220
Attach the following SCP to the OU that contains this account:

  • A. Option
  • B. In the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.
  • C. Create a private AMI for the company. Configure encryption for the private AMI by selecting the custom AMI in the Amazon EC2 console, the destination AWS Region, and the source account's AWS Key Management Service (AWS KMS) master key.
  • D. For each finding in the audit report, run the ec2 copy-snapshot command and use the encrypted flag, specifying an AWS Key Management Service (AWS KMS) CMK.

Answer: B

 

NEW QUESTION 221
An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
Please select:

  • A. Create an IAM policy with the security group and use that security group for AWS console login
  • B. Configure the EC2 instance security group which allows traffic only from the organization's IP range
  • C. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
  • D. Create an IAM policy with a condition which denies access when the IP address range is not from the organization

Answer: D

Explanation:
You can actually use a Deny condition which will not allow the person to log in from outside. The example below shows the Deny condition to ensure that any address specified in the source address is not allowed to access the resources in AWS.
Option A is invalid because you don't mention the security group in the IAM policy. Option C is invalid because security groups by default don't allow traffic. Option D is invalid because the IAM policy does not have such an option. For more information on IAM policy conditions, please visit the URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-two-condition
The correct answer is: Create an IAM policy with a condition which denies access when the IP address range is not from the organization
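
As an added illustration (not the page's own example and not AWS's code), here is a Deny statement keyed on the aws:SourceIp condition, following the pattern in the IAM user guide, together with a small evaluator that shows which sample requests it blocks; ORG_IP_RANGES and the request IPs are constructed values, and the evaluator is a simplified model of IAM's decision logic, not the real engine.

```python
"""Added example: an IAM identity policy that denies every action when the
request does not come from the organization's IP ranges, plus a simplified
evaluator showing which sample requests the Deny statement blocks.
ORG_IP_RANGES and the request IPs are constructed sample values;
aws:SourceIp and aws:ViaAWSService are real IAM condition keys."""
import ipaddress
import json

# Constructed sample ranges standing in for the organization's public egress IPs.
ORG_IP_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

# An explicit Deny always overrides an Allow, so the user keeps their normal
# permissions only while inside the ranges. aws:ViaAWSService scopes out calls
# that AWS services make on the user's behalf, which arrive from AWS IPs.
DENY_OUTSIDE_ORG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessFromOutsideOrganization",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ORG_IP_RANGES},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        }
    ],
}


def policy_document():
    """Return the policy as the JSON text you would paste into the IAM console."""
    return json.dumps(DENY_OUTSIDE_ORG_POLICY, indent=2)


def _outside_ranges(source_ip, cidrs):
    """NotIpAddress semantics: true when the IP is in none of the CIDR ranges."""
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def deny_applies(policy, source_ip, via_aws_service=False):
    """True when all conditions of some Deny statement match the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        cidrs = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
        if cidrs and not _outside_ranges(source_ip, cidrs):
            continue  # request came from inside the organization
        via_flag = cond.get("Bool", {}).get("aws:ViaAWSService")
        if via_flag is not None and str(via_aws_service).lower() != via_flag:
            continue  # a service-to-service call; the Deny is scoped out
        return True
    return False


def evaluate(policy, source_ip, allowed_elsewhere=True, via_aws_service=False):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else implicit deny."""
    if deny_applies(policy, source_ip, via_aws_service):
        return "Deny"
    return "Allow" if allowed_elsewhere else "ImplicitDeny"


if __name__ == "__main__":
    print(policy_document())
    for ip in ["203.0.113.10", "192.0.2.5"]:
        print(ip, "->", evaluate(DENY_OUTSIDE_ORG_POLICY, ip))
```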

 

NEW QUESTION 222
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.
Which of the following troubleshooting steps should be performed?

  • A. Check inbound and outbound security groups, looking for DENY rules
  • B. Check inbound and outbound Network ACL rules, looking for DENY rules
  • C. Use AWS X-Ray to trace the end-to-end application flow
  • D. Review the rejected packet reason codes in the VPC Flow Logs

Answer: D

 

NEW QUESTION 223
Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

  • A. Amazon S3 static web hosting
  • B. Application Load Balancer
  • C. Amazon Route 53
  • D. Amazon CloudFront distribution
  • E. VPC Flow Logs

Answer: B,D

Explanation:
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to.

 

NEW QUESTION 224
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the AWS Config service can work as required?
Please select:

  • A. Ensure that there is a user policy in place for the AWS Config service within the role
  • B. Ensure that there is a trust policy in place for the AWS Config service within the role
  • C. Ensure that there is a grant policy in place for the AWS Config service within the role
  • D. Ensure that there is a group policy in place for the AWS Config service within the role

Answer: B

Explanation:
Options B, C and D are invalid because you need to ensure a trust policy is in place and not a grant, user or group policy. For more information on the IAM role permissions, please visit the link below:
https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role

 

NEW QUESTION 225
You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
Please select:

  • A. A Bucket Policy
  • B. An Inline Policy
  • C. An AWS Managed Policy
  • D. A bucket ACL

Answer: B

Explanation:
The AWS Documentation gives an example on such a case
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.
Option A is invalid because AWS Managed Policies are fine for a group of users, but for individual users, inline policies are better.
Options C and D are invalid because they are specifically meant for access to S3 buckets. For more information on policies, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
The correct answer is: An Inline Policy

 

NEW QUESTION 226
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
Encryption in transit

Encryption at rest

Logging of all object retrievals in AWS CloudTrail

Which of the following meet these security requirements? (Choose three.)

  • A. Enable API logging of data events for all S3 objects.
  • B. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
  • C. Set up default encryption for the S3 bucket.
  • D. Enable S3 object versioning for the S3 bucket.
  • E. Enable Amazon CloudWatch Logs for the AWS account.
  • F. Enable a security group for the S3 bucket that allows port 443, but not port 80.

Answer: B,C,E

 

NEW QUESTION 227
Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved?
Please select:

  • A. Enable logging on the KMS service
  • B. Enable a trail in Cloudtrail
  • C. Use Cloudwatch metrics
  • D. Enable Cloudwatch logs

Answer: B

Explanation:
The AWS Documentation states the following:
AWS KMS is integrated with CloudTrail, a service that captures API calls made by or on behalf of AWS KMS in your AWS account and delivers the log files to an Amazon S3 bucket that you specify. CloudTrail captures API calls from the AWS KMS console or from the AWS KMS API. Using the information collected by CloudTrail, you can determine what request was made, the source IP address from which the request was made, who made the request, when it was made, and so on.
Option A is invalid because logging is not possible in the KMS service.
Options C and D are invalid because CloudWatch cannot be used to monitor API calls. For more information on logging using CloudTrail, please visit the URL below:
https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html
The correct answer is: Enable a trail in CloudTrail

 

NEW QUESTION 228
A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.
Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

  • A. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.
  • B. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.
  • C. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.
  • D. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

Answer: A

 

NEW QUESTION 229
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below Please select:

  • A. Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
  • B. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
  • C. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.
  • D. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.

Answer: C

Explanation:
Given the current requirements, assume the method of "least privilege" security design and only allow the auditor access to the minimum amount of AWS resources possible. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Option A is incorrect since the auditor should only be granted access in one location. Option B is incorrect since consolidated billing is not a key requirement as part of the question. Option C is incorrect since there is no consolidated logging. For more information on CloudTrail, please refer to the URL below:
https://aws.amazon.com/cloudtrail/
The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.

 

NEW QUESTION 230
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?

  • A. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
  • B. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
  • C. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
  • D. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.

Answer: B

Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

 

NEW QUESTION 231
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

  • A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
  • B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
  • C. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
  • D. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.

Answer: C

 

NEW QUESTION 232
Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB?
Please select:

  • A. Use S3 buckets to encrypt the data before sending it to DynamoDB
  • B. Encrypt the DynamoDB table using KMS during its creation
  • C. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
  • D. Encrypt the table using AWS KMS after it is created

Answer: B

Explanation:
The easiest option is to enable encryption when the DynamoDB table is created.
The AWS Documentation mentions the following:
Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.
Option A is partially correct: you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table beforehand.
Option C is invalid because you cannot encrypt the table after it is created. Option D is invalid because encryption for S3 buckets is for the objects in S3 only.
For more information on securing data at rest for DynamoDB, please refer to the URL below:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
The correct answer is: Encrypt the DynamoDB table using KMS during its creation

 

NEW QUESTION 233
A company's security engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)

  • A. Using Amazon SNS to notify the target group
  • B. Configuring AWS Organizations to monitor root user API calls on the paying account
  • C. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
  • D. Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
  • E. Configuring Amazon Inspector to scan the AWS account for any root user activity

Answer: A,C

 

NEW QUESTION 234
A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

  • A. Use key policies to restrict access to the appropriate IAM groups.
  • B. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
  • C. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
  • D. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.

Answer: A

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/crypto/latest/userguide/crypto-ug.pdf

 

NEW QUESTION 235
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

  • A. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
  • B. Verify that the S3 bucket defined in CloudTrail exists.
  • C. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
  • D. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
  • E. Verify that the S3 bucket policy allows CloudTrail to write objects.

Answer: B,E

 

NEW QUESTION 236
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.
Pattern:
"randomID_datestamp_PII.csv"
Example:
"1234567_12302017_000-00-0000.csv"
The bucket where these objects are being stored is using server-side encryption (SSE).
Which solution is the most secure and cost-effective option to protect the sensitive data?

  • A. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.
  • B. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
  • C. Add an S3 bucket policy that denies the action s3:GetObject
  • D. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

Answer: B

 

NEW QUESTION 237
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the Engineer implement?



  • A. Option D
  • B. Option A
  • C. Option C
  • D. Option B

Answer: D

 


Amazon SCS-C01: AWS Certified Security - Specialty Certification Path

Exam preparation teaches you how the exam questions should be interpreted. Our Exam Preparedness: AWS Trained Solutions Architect – Technical preparation course is delivered in various formats: classroom training, for learning in a physical or simulated classroom with an AWS Approved Learner, and free multimedia training, for learning whenever it suits you. The course reviews sample questions in each subject area and how the topics tested should be understood, so that incorrect answers are easier to avoid. Find the right choice for you.

Experience of the use of AWS resources in computing, networking, storage, and databases. Hands-on insight into AWS implementation and operations. The capacity to recognize and specify the functional requirements of an AWS-based program. The ability to define which AWS services satisfy particular technological needs. Knowledge of recommended best practices for safe and trustworthy AWS platform applications. Understanding of the core architectural tenets of AWS Cloud construction. Awareness of the AWS global infrastructure. An understanding of AWS-related network technology. An understanding of the security characteristics and resources provided by AWS and its ties with conventional providers.

 

Try Best SCS-C01 Exam Questions from Training Expert DumpsKing: https://www.dumpsking.com/SCS-C01-testking-dumps.html

Practice Examples and Dumps & Tips for 2021 Latest SCS-C01 Valid Tests Dumps: https://drive.google.com/open?id=11Oh-FeR3x0Cc9pos4w_HqDOmW3blJnMV