Released the latest Amazon SCS-C01 exam dumps! You can get SCS-C01 VCE dumps and SCS-C01 PDF dumps from Pass4itsure, (including the latest SCS-C01 exam questions), which will ensure that your SCS-C01 exam is 100% passed! Pass4itsure SCS-C01 dumps VCE and PDF — https://www.pass4itsure.com/aws-certified-security-specialty.html Updated!
Latest Amazon AWS Certified Specialty SCS-C01 exam practice test
QUESTION 1
Which of the following is not a best practice for carrying out a security audit? Please select:
A. Conduct an audit on a yearly basis
B. Conduct an audit if application instances have been added to your account
C. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
D. Whenever there are changes in your organization
Correct Answer: A
A year\\’s time is generally too long a gap for conducting security audits
The AWS Documentation mentions the following
You should audit your security configuration in the following situations:
On a periodic basis.
If there are changes in your organization, such as people leaving.
If you have stopped using one or more individual AWS services. This is important for removing permissions that users in
your account no longer needs.
If you\\’ve added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWor
stacks, AWS CloudFormation templates, etc.
If you ever suspect that an unauthorized person might have accessed your account.
Options B, C, and D are all the right ways and recommended best practices when it comes to conducting audits For more
information on Security Audit guideline, please visit the below URL:
https://docs.aws.amazon.com/eeneral/latest/gr/aws-security-audit-euide.html
The correct answer is: Conduct an audit on a yearly basis Submit your Feedback/Queries to our Experts
QUESTION 2
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are
planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work;
Please select:
A. Ensure that the on-premise servers are running on Hyper-V.
B. Ensure that a 1 AM service role is created
C. Ensure that a 1 AM User is created
D. Ensure that a 1 AM Group is created for the on-premise servers
Correct Answer: B
You need to ensure that a 1 AM service role is created for allowing the on-premise servers to communicate with the
AWS Systems Manager. Option A is incorrect since it is not necessary that servers should only be running Hyper-V
Options C and D are incorrect since it is not necessary that 1 AM users and groups are created For more information on
the Systems Manager role please refer to the below URL: com/systems-rnanaeer/latest/usereuide/sysman-! The correct
answer is: Ensure that a 1 AM service role is created Submit your Feedback/Queries to our Experts
QUESTION 3
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
A. Specify “aws:SecureTransport”: “true” within a condition in the S3 bucket policy.
B. Enable a security group for the S3 bucket that allows port 443, but not port 80.
C. Set up default encryption for the S3 bucket.
D. Enable Amazon CloudWatch Logs for the AWS account.
E. Enable API logging of data events for all S3 objects.
F. Enable S3 object versioning for the S3 bucket.
Correct Answer: ACD
QUESTION 4
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using
the account expects to have hundreds of master keys and therefore does not want to manage access control for
customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing
individual key policies?
A. The account\\’s CMK key policy must allow the account\\’s IAM roles to perform KMS EnableKey.
B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
C. Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
Correct Answer: D
QUESTION 5
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch
logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)
A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is
running.
B. Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the
“Alerting” state and restart them using the EC2 console.
C. Verify that the EC2 instances have a route to the public AWS API endpoints.
D. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions
have been set for the Amazon SNS topic.
E. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs
over SNMP.
Correct Answer: AB
QUESTION 6
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk
exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations
should be recommended?
A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
D. move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Correct Answer: B
QUESTION 7
There are currently multiple applications hosted in a VPC. During monitoring, it has been noticed that multiple port scans
are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses
be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from
the specified IP Address\\’s.
Please select:
A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP
Address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
C. Add a rule to all of the VPC Security Groups to deny access from the IP Address block.
D. Modify the Windows Firewall settings on all AMI\\’S that your organization uses in that VPC to deny access from the
IP address block.
Correct Answer: B
NaCl acts as a firewall at the subnet level of the VPC and we can deny the offending IP address block at the subnet
level using NACL rules to block the incoming traffic to the VPC instances. Since NACL rules are applied as per the Rule
numbers make sure that this rule number should take precedence over other rule numbers if there are any such rules
that will allow traffic from these IP ranges. The lowest rule number has more precedence over a rule that has a higher
number.
The AWS Documentation mentions the following as best practices for 1 AM users For extra security, enable multifactor authentication (MFA) for privileged 1 AM users (users who are allowed access to sensitive resources or APIs).
With MFA, users have a device that generates a unique authentication code (a one-time
password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP.
The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app
on a smartphone). Options C is invalid because these options are not available Option D is invalid because there is no
root access for users For more information on 1 AM best practices, please visit the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html The correct answer is: Modify the Network
ACLs associated with all public subnets in the VPC to deny access from the IP Address block. omit your
Feedback/Queries to our Experts
QUESTION 8
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and
AWS STS in specific accounts. What is a scalable and efficient approach to meet this requirement?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: A
QUESTION 9
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the
data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:
A. Enable cross-region replication for the bucket
B. Write a script to copy the objects to another bucket in the destination region
C. Create an S3 snapshot in the destination region
D. Enable versioning which will copy the objects to the destination region
Correct Answer: A
Option B is partially correct but big maintenance overhead to create and maintain a script when the functionality is
already available in S3 Option C is invalid because snapshots are not available in S3 Option D is invalid because
versioning will not replicate objects The AWS Documentation mentions the following Cross-region replication is a bucket level configuration that enables automatic, asynchronous copying of objects across buck in different AWS Regions. For
For more information on Cross-region replication in the Simple Storage Service, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html The correct answer is: Enable cross-region replication for
the bucket Submit your Feedback/Queries to our Experts
QUESTION 10
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security
team to ensure that data gets encrypted for the Redshift database. How can this be achieved? Please select:
A. Encrypt the EBS volumes of the underlying EC2 Instances
B. Use AWS KMS Customer Default master key
C. Use SSL/TLS for encrypting the data
D. Use S3 Encryption
Correct Answer: B
The AWS Documentation mentions the following
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key
Management Servic (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this
hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys. Option A
is invalid because its the cluster that needs to be encrypted Option C is invalid because this encrypts objects in transit
and not objects at rest Option D is invalid because this is used only for objects in S3 buckets For more information on
Redshift encryption, please visit the following URL: https://docs.aws.amazon.com/redshift/latest/memt/workine-with-dbencryption.html The correct answer is: Use AWS KMS Customer Default master key Submit your Feedback/Queries to our Experts
QUESTION 11
You have an EC2 instance with the following security configured:
A. ICMP inbound allowed on Security Group
B. ICMP outbound not configured on Security Group
C. ICMP inbound allowed on Network ACL
D. ICMP outbound denied on Network ACL If Flow logs are enabled for the instance, which of the following flow records
will be recorded? Choose 3 answers from the options to give below Please select:
E. An ACCEPT record for the request based on the Security Group
F. An ACCEPT record for the request based on the NACL
G. A REJECT record for the response based on the Security Group
H. A REJECT record for the response based on the NACL
Correct Answer: ABD
This example is given in the AWS documentation as well
For example, you use the ping command from your home computer (IP address is 203.0.113.12) to your instance (the
network interface\\’s private IP address is 172.31.16.139). Your security group\\’s inbound rules allow ICMP traffic and
the
outbound rules do not allow ICMP traffic, however, because security groups are stateful, the response ping from your
the instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic.
Because
network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is
displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and
therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present For more information on Flow Logs, please refer
to the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-loes.html The correct answers are: An ACCEPT record
for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT
record
for the response based on the NACL
Submit your Feedback/Queries to our Experts
QUESTION 12
A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their
corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options
given below.
Please select:
A. Create a Direct Connect connection between on-premise network and AWS. Use an AD connector for connecting
AWS with on-premise active directory.
B. Create 1AM policies that can be mapped to group memberships in the corporate directory.
C. Create a Lambda function to assign 1AM roles to the temporary security tokens provided to the users.
D. Create 1AM users that can be mapped to the employees\\’ corporate identities
E. Create an 1AM role that establishes a trust relationship between 1AM and the corporate directory identity provider
(IdP)
Correct Answer: AE
Create a Direct Connect connection so that corporate users can access the AWS account
Option B is incorrect because 1AM policies are not directly mapped to group memberships in the corporate directory. It
is 1AM roles which are mapped.
Option C is incorrect because Lambda functions is an incorrect option to assign roles.
Option D is incorrect because 1AM users are not directly mapped to employees\\’ corporate identities.
For more information on Direct Connect, please refer to below URL:
\\’ https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access, you also need to ensure the right policy permissions are in place
Configure permissions in AWS for your federated users
The next step is to create an 1AM role that establishes a trust relationship between 1AM and your organization\\’s IdP
that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users
authenticated your organization\\’s IdP are allowed to do in AWS. You can use the 1AM console to create this role.
When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you
created earlier in 1AM along with one or more SAML attributes that a user must match to be allowed to assume the role.
For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign
in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed
only for sign-in to the AWS Management Console. The trust policy for the role might look like this:
C:\Users\wk\Desktop\mudassar\Untitled.jpg
For more information on SAML federation, please refer to below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli
Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO
supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD
Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
?At least two subnets. Each of the subnets must be in a different Availability Zone.
?The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS
Direct
Connect.
?The VPC must have default hardware tenancy.
?https://aws.amazon.com/single-sign-on/
?https://aws.amazon.com/single-sign-on/faqs/
?https://aws.amazon.com/bloj using-corporate-credentials/
?https://docs.aws.amazon.com/directoryservice/latest/adminThe correct answers are: Create a Direct Connect connection between on-premise network and AWS. Use an AD
connector connecting AWS with on-premise active directory.. Create an 1AM role that establishes a trust relationship
between
1AM and corporate directory identity provider (IdP)
Submit your Feedback/Queries to our Experts
QUESTION 13
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS
Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in
transit.
The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?
A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the
instances.
B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the
instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a
new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
D. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to
the instances.
Correct Answer: C
You may be interested in other Amazon exam practice, click to view!
Amazon SCS-C01 dumps pdf free download
[100% free] Amazon SCS-C01 dumps pdf https://drive.google.com/file/d/1fWBhawP1yg036jwuwbR1bPb7UTQSV_WX/view?usp=sharing
Pass4itsure discount code 2020
P.S.
This is a free Amazon SCS-C01 study guide for the AWS Certified Specialty certification exam! It includes Amazon SCS-C01 pdf dumps, SCS-C01 exam video, SCS-C01 exam practice test & more free and paid resources! For more, please visit https://www.pass4itsure.com/aws-certified-security-specialty.html Q&As. Study hard and practice a lot. This will help you prepare for the SCS-C01 exam. Good luck!