Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 14 of 118
QUESTION 61

- (Exam Topic 2)
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

  1. A. Use an EC2 run command to confirm that the “awslogs” service is running on all instances.
  2. B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
  3. C. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
  4. D. Check that the trust relationship grants the service “cwlogs.amazonaws.com” permission to write objects to the Amazon S3 staging bucket.
  5. E. Verify that the time zone on the application servers is in UTC.

Correct Answer: AB
EC2 Run Command can run scripts, install software, collect metrics and log files, manage patches, and more. Bringing these two services together, you can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.

QUESTION 62

- (Exam Topic 2)
A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.
Which application flow would meet the data protection requirements on AWS?

  1. A. Digitized files -> Amazon Kinesis Data Analytics
  2. B. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
  3. C. Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
  4. D. Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

Correct Answer: B

QUESTION 63

- (Exam Topic 3)
A company has resources hosted in its AWS account. There is a requirement to monitor all API activity in all regions, and the audit must also apply to future regions. Which of the following can be used to fulfil this requirement?
Please select:

  1. A. Ensure CloudTrail for each region. Then enable for each future region.
  2. B. Ensure one CloudTrail trail is enabled for all regions.
  3. C. Create a CloudTrail for each region. Use CloudFormation to enable the trail for all future regions.
  4. D. Create a CloudTrail for each region. Use AWS Config to enable the trail for all future regions.

Correct Answer: B
The AWS documentation mentions the following:
You can now turn on a trail across all regions for your AWS account. CloudTrail will deliver log files from all regions to the Amazon S3 bucket and an optional CloudWatch Logs log group you specified. Additionally, when AWS launches a new region, CloudTrail will create the same trail in the new region. As a result, you will receive log files containing API activity for the new region without taking any action.
Options A and C are invalid because enabling CloudTrail for every region would be a maintenance overhead. Option D is invalid because AWS Config cannot be used to enable trails.
For more information on this feature, please visit the following URL:
https://aws.amazon.com/about-aws/whats-new/2015/12/turn-on-cloudtrail-across-all-regions-and-support-for-mul
The correct answer is: Ensure one CloudTrail trail is enabled for all regions.

QUESTION 64

- (Exam Topic 2)
A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.
Which of the following options will mitigate the threat? (Choose two.)

  1. A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
  2. B. Block outbound access to public S3 endpoints on the proxy server.
  3. C. Configure Network ACLs on Server X to deny access to S3 endpoints.
  4. D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
  5. E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Correct Answer: AB

QUESTION 65

- (Exam Topic 1)
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.
A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly.
Which combination of actions would build the required solution? (Choose three.)

  1. A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
  2. B. Enable Amazon GuardDuty in the security account and join the production accounts as members.
  3. C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
  4. D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
  5. E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
  6. F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

Correct Answer: DEF
