Latest [Oct 27, 2023] Realistic Verified SCS-C01 Dumps [Q92-Q108]


Pass Amazon SCS-C01 Exam Updated 592 Questions

NEW QUESTION # 92
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?

  • A. email-pop3.us-east-1.amazonaws.com over port 995
  • B. email.us-east-1.amazonaws.com over port 8080
  • C. email-imap.us-east-1.amazonaws.com over port 993
  • D. email-smtp.us-east-1.amazonaws.com over port 587

Answer: D


NEW QUESTION # 93
Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service?
Please select:

  • A. The master key encrypts the database key. The database key encrypts the data encryption keys.
  • B. The master key encrypts the cluster key, database key and data encryption keys.
  • C. The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
  • D. The master key encrypts the data encryption keys. The data encryption keys encrypt the database key.

Answer: C

Explanation:
This is mentioned in the AWS documentation.
Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.
The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and passed to the cluster across a secure channel.
The cluster key encrypts the database key for the Amazon Redshift cluster.
Option B is incorrect because the master key encrypts the cluster key and not the database key.
Option C is incorrect because the master key encrypts the cluster key and not the data encryption keys.
Option D is incorrect because the master key encrypts the cluster key only.
For more information on how keys are used in Redshift, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-redshift.html
The correct answer is: The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.


NEW QUESTION # 94
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API?
Select 2 answers from the options below
Please select:

  • A. Add the SSM service role as a trusted service to the EC2 instance role.
  • B. Add permission to read the SSM parameter to the EC2 instance role.
  • C. Add permission to use the KMS key to decrypt to the SSM service role.
  • D. Add the EC2 instance role as a trusted service to the SSM service role.
  • E. Add permission to use the KMS key to decrypt to the EC2 instance role

Answer: B,E

Explanation:
The below example policy from the AWS Documentation is required to be given to the EC2 Instance in order to read a secure string from AWS KMS. Permissions need to be given to the Get Parameter API and the KMS API call to decrypt the secret.

Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM.
Option B is invalid because the KMS key does not need to decrypt the SSM service role.
Option E is invalid because this configuration is valid.
For more information on the parameter store, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role, Add permission to use the KMS key to decrypt to the EC2 instance role


NEW QUESTION # 95
A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.
Which solution meets these requirements?

  • A. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM
  • B. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
  • C. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3
  • D. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK

Answer: C


NEW QUESTION # 96
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account.
Which configuration caused this issue?
A) An SCP is attached to the account with the following permission statement:

B) A permission boundary policy is attached to the System Administrator role with the following permission statement:

C) A permission boundary is attached to the System Administrator role with the following permission statement:

D) An SCP is attached to the account with the following statement:

  • A. Option A
  • B. Option D
  • C. Option C
  • D. Option B

Answer: D


NEW QUESTION # 97
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

  • A. Create individual IAM users
  • B. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
  • C. Configure MFA on the root account and for privileged IAM users
  • D. Assign IAM users and groups configured with policies granting least privilege access

Answer: A,C,D

Explanation:
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.

Option D is invalid because as per the dashboard, this is not part of the security recommendation.
For more information on best security practices please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices
The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users, Assign IAM users and groups configured with policies granting least privilege access


NEW QUESTION # 98
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
* Block traffic from documented known bad IP addresses
* Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?

  • A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
  • B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
  • C. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
  • D. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.

Answer: C


NEW QUESTION # 99
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository.
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.
Which solution meets these requirements?

  • A. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
  • B. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
  • C. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
  • D. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Answer: C


NEW QUESTION # 100
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the Engineer implement?

  • A.
  • B.
  • C.
  • D.

Answer: C


NEW QUESTION # 101
You have a set of 100 EC2 instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this?
Choose 2 answers from the options given below.
Please select:

  • A. Ensure a NAT gateway is present to download the updates
  • B. Use the Systems Manager to patch the instances
  • C. Ensure an internet gateway is present to download the updates
  • D. Use the AWS Inspector to patch the updates

Answer: A,B

Explanation:
Option C is invalid because the instances need to remain in the private subnet.
Option D is invalid because AWS Inspector can only detect the patches.
One of the AWS blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup

For more information on patching Linux workloads in AWS, please refer to the link:
https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/
The correct answers are: Ensure a NAT gateway is present to download the updates, Use the Systems Manager to patch the instances


NEW QUESTION # 102
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Please select:

  • A. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"
  • B. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
  • C. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
  • D. "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource": "*"

Answer: D

Explanation:
As per the AWS documentation, below is the access required for a user to access the Usage reports page and as per this, Option C is the right answer.


NEW QUESTION # 103
A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16,000 B to 5 MB. The requirements are as follows:
* The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
* The key material must be available in multiple Regions.
Which option meets these requirements?

  • A. Use AWS CloudHSM to generate the key material and backup keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
  • B. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions.
  • C. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
  • D. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.

Answer: C


NEW QUESTION # 104
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

  • A. Use IPv6 addresses that are configured for hostnames.
  • B. Use AWS DNS resolvers for all EC2 instances.
  • C. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
  • D. Configure a third-party DNS resolver with logging for all EC2 instances.

Answer: B


NEW QUESTION # 105
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work?
Please select:

  • A. Ensure that an IAM User is created
  • B. Ensure that an IAM Group is created for the on-premise servers
  • C. Ensure that an IAM service role is created
  • D. Ensure that the on-premise servers are running on Hyper-V.

Answer: C

Explanation:
You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with the AWS Systems Manager.
Option A is incorrect since it is not necessary that servers should only be running Hyper-V.
Options C and D are incorrect since it is not necessary that IAM users and groups are created.
For more information on the Systems Manager role please refer to the below URL:
com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created


NEW QUESTION # 106
A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?
Please select:

  • A. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
  • B. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
  • C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
  • D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Answer: C

Explanation:
Options A & B are invalid as default NACL rule will allow all inbound and outbound traffic.
The requirement is that the IT administrator should be able to access this EC2 instance from his workstation.
For that we need to enable the Security Group of EC2 instance to allow traffic from the IT administrator's workstation. Hence option C is correct.
Option D is incorrect as we need to enable the Inbound SSH traffic on the EC2 instance Security Group since the traffic originates from the IT admin's workstation.
The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation


NEW QUESTION # 107
You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?
Please select:

  • A. AWS Trusted Advisor
  • B. AWS EC2
  • C. AWS SNS
  • D. AWS Cloudwatch

Answer: A

Explanation:
Below is a snapshot of the service limits that the Trusted Advisor can monitor

Option A is invalid because even though you can monitor resources, it cannot be checked against the service limit.
Option B is invalid because this is the Elastic Compute Cloud service.
Option D is invalid because it can send notifications but not check on service limits.
For more information on the Trusted Advisor monitoring, please visit the below URL:
https://aws.amazon.com/premiumsupport/ta-faqs/
The correct answer is: AWS Trusted Advisor




The Amazon SCS-C01 exam, also known as the AWS Certified Security - Specialty exam, is an important certification for professionals who work with Amazon Web Services (AWS). The AWS Certified Security - Specialty certification is designed to validate the skills and knowledge required to secure AWS environments, including best practices for data protection, incident response, and compliance management.


The Amazon SCS-C01 certification exam is a valuable credential for security professionals who want to demonstrate their expertise in securing AWS workloads. Earning this certification can help professionals advance their careers in the IT security field, and can also help organizations ensure that their AWS workloads are secure and protected.
