Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 13 of 118
QUESTION 56

- (Exam Topic 3)
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.
What should the Security Engineer do to meet these requirements?

  1. A. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
  2. B. Enable AWS Config to check the configuration of each S3 bucket.
  3. C. Set up AWS Systems Manager to monitor S3 bucket policies for public write access.
  4. D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Correct Answer: C

QUESTION 57

- (Exam Topic 3)
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?

  1. A. Scan all the EC2 instances for noncompliance with AWS Config
  2. B. Use Amazon Athena to query AWS CloudTrail logs for the framework installation
  3. C. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings
  4. D. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework
  5. E. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework

Correct Answer: C

QUESTION 58

- (Exam Topic 1)
An application developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB. Which key policy would allow the application to do this while granting least privilege?
(Exhibit: the four candidate key policies, Options A to D, are shown as images that are not included here.)

  1. A. Option A
  2. B. Option B
  3. C. Option C
  4. D. Option D

Correct Answer: B

QUESTION 59

- (Exam Topic 3)

  1. A. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListBucket action to the S3 bucket in the AWS accounts.
  2. B. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListParts action to the S3 bucket in the AWS accounts.
  3. C. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:ListKeys action to the EC2 instance profile ARN.
  4. D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN.
  5. E. The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.
  6. F. The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Correct Answer: ACD

QUESTION 60

- (Exam Topic 1)
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.
While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?

  1. A. Enable AWS Shield Advanced and AWS WAF
  2. B. Configure an AWS WAF custom filter for egress traffic on port 5353
  3. C. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open
  4. D. Update the NACLs to block port 5353 outbound.
  5. E. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
  6. F. Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.

Correct Answer: C

