Amazon AWS Certified Specialty SCS-C01 Practice Test 1-13
QUESTION 1
You have a set of keys defined using the AWS KMS service. You want to stop using a couple of the keys, but are not sure
which services are currently using them. Which of the following would be a safe option to stop the keys from being used
further?
Please select:
A. Delete the keys since anyway there is a 7 day waiting period before deletion
B. Disable the keys
C. Set an alias for the key
D. Change the key material for the key
Correct Answer: B
Option A is invalid because once you schedule the deletion and the waiting period ends, the deletion cannot be undone, and
the key cannot be used at all while it is pending deletion. Options C and D are invalid because neither stops use of the key
nor tells you whether it is in use: an alias is only a name for a key, and key material cannot be changed on an existing
KMS key. The AWS Documentation mentions the following: Deleting a customer master key (CMK) in AWS Key Management Service
(AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the
CMK, and is irreversible. After a CMK is deleted
you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable.
You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider
disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you
cannot recover a deleted CMK. To find out which services are using a key before you disable it, review the CloudTrail
events that reference the key ARN; after disabling it, any caller you missed will fail on its next Decrypt or
GenerateDataKey call and the key can simply be re-enabled. For more information on deleting keys from KMS, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html The correct answer is: Disable the keys
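The hard part of the question is the "not sure which services are using the keys" clause. The following is an added example, not code from the original page or from AWS: it pulls the callers of a key out of CloudTrail records (constructed samples here, with made-up ARNs and account ID), then disables the key rather than deleting it, and only schedules deletion, with the maximum 30-day window, when asked to and when no caller was seen. The FakeKms class stands in for the boto3 KMS client so the file runs offline; it copies the method names and keyword arguments of describe_key, disable_key, enable_key, schedule_key_deletion and cancel_key_deletion, and a real boto3.client("kms") can be passed in its place.

```python
"""Added example (not from the original page or the AWS docs it quotes):
find who is using a KMS key, then disable it (reversible) instead of deleting it."""

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"            # made-up key
KEY_ARN = f"arn:aws:kms:us-east-1:111111111111:key/{KEY_ID}"

# Constructed CloudTrail records, trimmed to the fields read below. The field
# names (eventSource, eventName, userIdentity.arn/invokedBy, resources[].ARN)
# are the ones CloudTrail really emits for KMS API calls.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-server-role/i-0a1b2c3d"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/aws:ec2-infrastructure/i-0a1b2c3d",
                      "invokedBy": "ec2.amazonaws.com"},   # EBS encryption on the instance's behalf
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",      # a different key
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-aaaa-0000-aaaa0000aaaa"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",    # not a KMS call
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "resources": [{"ARN": "arn:aws:s3:::some-bucket/obj"}]},
]


def key_users(events, key_arn):
    """Map each caller that used key_arn to the sorted KMS actions it performed.

    When a service called KMS on a principal's behalf, CloudTrail sets
    userIdentity.invokedBy to that service; report it so the owning service
    (EC2, S3, RDS, ...) is visible rather than only an assumed-role ARN.
    """
    users = {}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        ident = ev.get("userIdentity", {})
        caller = ident.get("invokedBy") or ident.get("arn", "unknown")
        users.setdefault(caller, set()).add(ev["eventName"])
    return {caller: sorted(actions) for caller, actions in users.items()}


class FakeKms:
    """Offline stand-in for boto3's KMS client with the key-state rules that matter:
    a Disabled key can be re-enabled; a PendingDeletion key cannot be enabled or
    disabled until cancel_key_deletion (KMS raises KMSInvalidStateException)."""

    def __init__(self, key_id):
        self.state = {key_id: "Enabled"}

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self.state[KeyId]}}

    def _set(self, KeyId, new_state):
        if self.state[KeyId] == "PendingDeletion":
            raise RuntimeError("KMSInvalidStateException: key is pending deletion")
        self.state[KeyId] = new_state

    def disable_key(self, KeyId):
        self._set(KeyId, "Disabled")

    def enable_key(self, KeyId):
        self._set(KeyId, "Enabled")

    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        self.state[KeyId] = "PendingDeletion"
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}

    def cancel_key_deletion(self, KeyId):
        self.state[KeyId] = "Disabled"       # KMS leaves a cancelled key disabled


def retire_key(kms, key_id, key_arn, events, schedule_deletion=False):
    """Disable the key; schedule deletion only when asked AND no caller was seen.

    Disabling is the safe default: a consumer that was missed fails loudly and
    the key can be enabled again. Deletion uses the longest window (30 days)
    so there is time to cancel.
    """
    callers = key_users(events, key_arn)
    if callers or not schedule_deletion:
        kms.disable_key(KeyId=key_id)
        return {"action": "disabled", "callers": callers}
    resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=30)
    return {"action": "pending_deletion", "window_days": resp["PendingWindowInDays"], "callers": {}}
```

In practice the events come from a CloudTrail lookup on the key ARN (or from the trail's S3 bucket), and the disable step is followed by a watch for failed KMS calls or application errors before anything is deleted; KMS also documents a CloudWatch alarm for use of a key that is pending deletion, which is the last safety net before the waiting period ends.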
QUESTION 2
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is
triggered whenever an object is stored within the S3 bucket.
How should the Lambda function be given access to the DynamoDB table?
Please select:
A. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
B. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy
to the DynamoDB table.
C. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the
Lambda environment variables.
D. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda
function.
Correct Answer: D
The ideal way is to create an IAM role that has the required permissions and then associate it with the Lambda
function as its execution role. The role's policy should grant only what the function needs, here dynamodb:PutItem on
the one table ARN.
The AWS Documentation additionally mentions the following:
Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create
your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the
role.
There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs
to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role. If the
event source is stream-based (Amazon Kinesis Data Streams and DynamoDB Streams), AWS Lambda polls these
streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you
need to grant the relevant permissions to this role.
Option A is invalid because a VPC endpoint only gives resources in the VPC a private network path to DynamoDB; it does
not grant the function any permissions.
Option B is invalid because, unlike S3 and KMS, DynamoDB did not support resource-based policies when this question was
written; in the Lambda permission model the function's permissions come from its execution role.
Option C is invalid because long-term access keys stored in environment variables can leak and must be rotated by hand,
whereas a role supplies short-lived credentials automatically, so roles should be used rather than IAM users.
For more information on the Lambda permission model, please visit the below URL:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table.
Associate that role with the Lambda function.
QUESTION 3
A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production
host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS
account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the
application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy
server is not able to inspect any of the server communication due to TLS encryption.
Which of the following options will mitigate the threat? (Choose two.)
A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
B. Block outbound access to public S3 endpoints on the proxy server.
C. Configure Network ACLs on Server X to deny access to S3 endpoints.
D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated
with the application server.
E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted
application config file.
Correct Answer: AB
Options A and B together close the exfiltration path. A gateway VPC endpoint for S3 carries the legitimate traffic, and
its endpoint policy restricts the reachable buckets to those in Account 1, so a request to a bucket in Account 2 is
rejected even though Server X holds valid Account 2 credentials. Blocking the public S3 endpoints on the proxy removes the
alternative route over the internet, which the proxy cannot inspect because of TLS.
Option C is invalid because network ACLs are applied to subnets, not to an individual server.
Option D is invalid because a bucket policy on the legitimate bucket has no effect on a bucket the attacker controls.
Option E is invalid because replacing the instance role with long-lived access keys in a configuration file makes the
credentials easier to steal, not harder.
QUESTION 4
Your development team has started using AWS resources for development purposes. The AWS account has just been
created. Your IT Security team is worried about possible leakage of AWS keys. What is the first measure that
should be taken to protect the AWS account?
Please select:
A. Delete the AWS keys for the root account
B. Create 1AM Groups
C. Create 1AM Roles
D. Restrict access using 1AM policies
Correct Answer: A
The root user's access keys give unrestricted access to the account and cannot be limited by IAM policies, so deleting
them (and enabling MFA on the root user) is the first step; groups, roles and policies for everyday users come after that.
QUESTION 5
A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:
-Storage is accessible by using only VPCs.
-Service has tamper-evident controls.
-Access logging is enabled.
-Storage has high availability.
Which of the following services meets these requirements?
A. Amazon S3 with default encryption
B. AWS CloudHSM
C. Amazon DynamoDB with server-side encryption
D. AWS Systems Manager Parameter Store
Correct Answer: B
QUESTION 6
A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption
keys must be rotated every year. What can be done to implement the above policy?
A. Enable automatic key rotation annually for the CMK.
B. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
C. Import new key material to the existing CMK and manually rotate the CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Correct Answer: D
Automatic key rotation is not available for a CMK with imported key material, and different key material cannot be
imported into an existing CMK, so options A and C are not possible. Manual rotation means creating a new CMK, importing
fresh material into it, and repointing the alias so that applications pick up the new key without code changes; the old
CMK is kept (disabled once unused) so data encrypted under it can still be decrypted.
QUESTION 7
An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2
instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to
an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same
database credentials.
The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access
is allowed. The access logs must record when the credentials were accessed and by whom.
What should the Security Engineer do to meet these requirements?
A. Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to
AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance
profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
B. Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda
service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the
EC2 instances and the Lambda function.
C. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by
using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach
the instance profile to the EC2 instances and the Lambda function.
D. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by
using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach
the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Correct Answer: D
KMS encrypts data and manages keys; it is not a store for credentials, so options A and B are invalid. Secrets Manager
stores the credentials, can rotate them, and records every GetSecretValue call in CloudTrail together with the calling
principal, which satisfies the access-logging requirement. An instance profile can be attached only to EC2 instances; a
Lambda function receives its permissions through an execution role, so option C is invalid and option D is correct.
QUESTION 8
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular
group of IAM users to access only the test instances and not the production ones. How can the organization set that as part of the policy?
Please select:
A. Launch the test and production instances in separate regions and allow region-wise access to the group
B. Define the IAM policy which allows access based on the instance ID
C. Create an IAM policy with a condition which allows access to only small instances
D. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to
specific tags
Correct Answer: D
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment.
This is useful when you have many resources of the same type: you can quickly identify a specific resource based on
the tags you've assigned to it. In the policy, the condition key ec2:ResourceTag/<tag-key> compares a tag on the target
instance with the allowed value (for example Environment=test). Because the check relies on tags, the same group must
not be allowed to change tags (ec2:CreateTags, ec2:DeleteTags), or a member could relabel a production instance as a
test one.
Option A is invalid because separating environments by region only to control access is not a recommended practice.
Option B is invalid because listing instance IDs in policies is an overhead to maintain as instances are replaced.
Option C is invalid because the instance type does not distinguish test instances from production ones.
For information on resource tagging, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which
allows access to specific tags
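Questions 3 and 8 both turn on a policy condition: the endpoint policy in Question 3 keeps the server's S3 traffic inside buckets that Account 1 owns, and the group policy in Question 8 keys instance access to a tag. The following is an added example, not code from the original page or from AWS: a deliberately small evaluator for the subset of IAM policy logic those two policies use, with both policies written out and exercised. The account IDs, bucket names, instance ID and tag values are made up, and the evaluator handles only Allow/Deny with explicit Deny winning, `*` wildcards in Action and Resource, and StringEquals conditions (a missing context key fails the condition). It is a model for reasoning about the two answers, not a substitute for the IAM policy simulator.

```python
"""Added example (not from the original page): a minimal IAM-style evaluator
used to exercise the Question 3 endpoint policy and the Question 8 tag policy."""
from fnmatch import fnmatchcase

ACCOUNT_1 = "111111111111"   # the company's account (made up)
ACCOUNT_2 = "222222222222"   # attacker-controlled account (made up)

# Question 3: policy attached to the S3 gateway endpoint in Account 1's VPC.
# aws:ResourceAccount is the owner of the bucket being addressed; AWS fills it
# in from the request target, not from the caller's credentials.
S3_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyBucketsOwnedByAccount1",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceAccount": ACCOUNT_1}},
    }],
}

# Question 8: policy for the IAM group that may touch test instances only.
# The explicit Deny on tag changes stops a member from relabelling a
# production instance as "test" to get around the condition.
TEST_INSTANCES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "test"}}},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action names are case-insensitive in IAM; '*' and '?' wildcards apply to both fields.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)   # only what these policies need
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny'; no matching statement means implicit Deny."""
    context = context or {}
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _conditions_hold(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"                  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def exfiltration_check():
    """Question 3: the same PutObject through the endpoint, against each bucket."""
    legit = "arn:aws:s3:::acct1-app-uploads/report.enc"
    attacker = "arn:aws:s3:::attacker-dropbox/report.enc"
    return {
        "legit_bucket": evaluate(S3_ENDPOINT_POLICY, "s3:PutObject", legit,
                                 {"aws:ResourceAccount": ACCOUNT_1}),
        "attacker_bucket": evaluate(S3_ENDPOINT_POLICY, "s3:PutObject", attacker,
                                    {"aws:ResourceAccount": ACCOUNT_2}),
    }


def instance_access_check():
    """Question 8: what the test-only group can do to test, production and untagged instances."""
    instance = "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0"
    test_ctx = {"ec2:ResourceTag/Environment": "test"}
    prod_ctx = {"ec2:ResourceTag/Environment": "production"}
    return {
        "stop_test": evaluate(TEST_INSTANCES_POLICY, "ec2:StopInstances", instance, test_ctx),
        "stop_prod": evaluate(TEST_INSTANCES_POLICY, "ec2:StopInstances", instance, prod_ctx),
        "stop_untagged": evaluate(TEST_INSTANCES_POLICY, "ec2:StopInstances", instance, {}),
        "describe_prod": evaluate(TEST_INSTANCES_POLICY, "ec2:DescribeInstances", instance, prod_ctx),
        "retag_prod": evaluate(TEST_INSTANCES_POLICY, "ec2:CreateTags", instance, prod_ctx),
    }


if __name__ == "__main__":
    print(exfiltration_check())
    print(instance_access_check())
```

For Question 3, note that the attacker's own credentials do not help: aws:ResourceAccount is resolved from the bucket's owner, so the request to attacker-dropbox is denied at the endpoint, and option B removes the only other route (the proxy). For Question 8, the explicit Deny on ec2:CreateTags and ec2:DeleteTags matters as much as the condition, because tag-based access is only as trustworthy as the tags; an untagged instance is denied by default, which is the safe direction.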
QUESTION 9
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM
changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select two.)
A. Configure and assign an MFA device to the role used by the instances.
B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
C. Verify that the access key attached to the role used by the instances is active.
D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
E. Verify that the role attached to the instances contains policies that allow access to the queue.
Correct Answer: BE
Access to a queue is decided by both the identity-based policies on the instance role (option E) and the queue's
resource policy, where an explicit Deny overrides any Allow (option B), so both must be checked. Option C is invalid
because IAM roles do not have access keys: the instances receive short-lived credentials through the instance profile,
so there is nothing to activate. Option A is invalid because MFA does not apply to a role used by EC2 instances and is
unrelated to the failure. Option D is invalid because AmazonSQSFullAccess grants far more than the queue access required
and violates least privilege.
QUESTION 10
You have a website that sits behind Amazon CloudFront. You need to protect the website against threats such as
SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario? Please select:
A. AWS Trusted Advisor
B. AWS WAF
C. AWS Inspector
D. AWS Config
Correct Answer: B
The AWS Documentation mentions the following:
AWS WAF is a web application firewall that helps detect and block malicious web requests targeted at your web
applications. AWS WAF allows you to create rules that can help protect against common web exploits like SQL injection
and cross-site scripting. With AWS WAF you first identify the resource (either an Amazon CloudFront distribution or an
Application Load Balancer) that you need to protect.
Option A is invalid because Trusted Advisor only gives advice on how to improve the security of your AWS account; it
does not block requests and cannot protect against the threats mentioned in the question.
Option C is invalid because Amazon Inspector scans EC2 instances for vulnerabilities; it does not protect against the
threats mentioned in the question.
Option D is invalid because AWS Config records and checks configuration changes; it does not protect against the
threats mentioned in the question.
For more information on AWS WAF, please visit the following URL:
https://aws.amazon.com/waf/details/
The correct answer is: AWS WAF
QUESTION 11
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have
the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the
latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?
A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days,
redeploy those instances with the latest AMI version.
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the
defined maintenance windows.
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and
redeploy those instances.
D. Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance
window.
Correct Answer: B
Systems Manager Patch Manager reports patch compliance per instance, which supplies the data for the weekly report, and
applies the approved patches during maintenance windows, so the 30-day requirement is enforced without manual work.
Option A is invalid because Amazon Inspector assesses instances but does not patch them, and redeploying every 30 days
does not produce a compliance report. Option C is invalid because CloudTrail records API calls; whether an instance
restarted says nothing about whether the latest approved patches were applied. Option D works but requires rebuilding
AMIs and redeploying every instance, which is far less efficient than patching in place and also produces no report.
QUESTION 12
Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's AWS Account. Which would be the easiest way to ensure these vulnerabilities are remediated?
Please select:
A. Create AWS Lambda functions to download the updates and patch the servers.
B. Use AWS CLI commands to download the updates and patch the servers.
C. Use AWS inspector to patch the servers
D. Use AWS Systems Manager to patch the servers
Correct Answer: D
The AWS Documentation mentions the following: You can quickly remediate patch and association compliance issues
by using Systems Manager Run Command. You can target either instance IDs or Amazon EC2 tags and execute the
AWS-RefreshAssociation document or the AWS-RunPatchBaseline document. If refreshing the association or re-running the
patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines,
or instance configurations to understand why the Run Command executions did not resolve the problem.
Options A and B are invalid because, even though they are possible, custom Lambda functions or ad hoc CLI scripts for
patching would be difficult to maintain compared with the managed Patch Manager workflow.
Option C is invalid because Amazon Inspector finds vulnerabilities but cannot patch servers.
For more information on using Systems Manager for compliance remediation, please visit the below link:
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-fixing.html
The correct answer is: Use AWS Systems Manager to patch the servers
QUESTION 13
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16.
The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80
and a database server in the private subnet on port 3306. The user is configuring security groups for the public
subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below-mentioned entries is required in the
private subnet database security group DBSecGrp?
Please select:
A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
B. Allow Inbound on port 3306 from source 20.0.0.0/16
C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
D. Allow Outbound on port 80 for Destination NAT Instance IP
Correct Answer: A
Since the web server needs to talk to the database server on port 3306, the database security group must allow
incoming traffic on port 3306, and the source should be the web server's security group rather than an address range.
The security group table in the AWS VPC documentation for this scenario (public and private subnets) has the web server
group allowing inbound 80 and 443 from 0.0.0.0/0 and outbound 3306 to the database group, while the database group
allows inbound 3306 from the web server group only, plus outbound 80 and 443 for software updates through the NAT
device.
Option B is invalid because it opens the database to every address in the VPC rather than just the web servers; the
source should be the WebSecGrp security group.
Options C and D are invalid because the database server needs an inbound rule, not an outbound one: security groups are
stateful, so the replies to the web server are allowed automatically, and an outbound rule says nothing about who may
connect in. For more information on security groups please visit the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.