Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 16 of 118
QUESTION 71

- (Exam Topic 1)
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
• Block traffic from documented known bad IP addresses
• Detect known software vulnerabilities and CIS Benchmarks compliance
Which solution addresses these requirements?

  1. A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
  2. B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instances' subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
  3. C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow-listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
  4. D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Correct Answer: D

QUESTION 72

- (Exam Topic 1)
A company uses multiple AWS accounts managed with AWS Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.
A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.
Which solution should the security engineer recommend?

  1. A. Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.
  2. B. Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.
  3. C. Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
  4. D. Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.

Correct Answer: B

QUESTION 73

- (Exam Topic 2)
An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.
The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.
What should the Security Engineer do to meet these requirements?

  1. A. Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
  2. B. Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
  3. C. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
  4. D. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Correct Answer: D

QUESTION 74

- (Exam Topic 3)
Your company has confidential documents stored in the Simple Storage Service (S3). Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect, what change would you make to comply with this requirement?
Please select:

  1. A. Apply Multi-AZ for the underlying S3 bucket
  2. B. Copy the data to an EBS Volume in another Region
  3. C. Create a snapshot of the S3 bucket and copy it to another region
  4. D. Enable Cross region replication for the S3 bucket

Correct Answer: D
This is mentioned clearly as a use case for S3 cross-region replication.
You might configure cross-region replication on a bucket for various reasons, including the following:
• Compliance requirements - Although, by default, Amazon S3 stores your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store data at even greater distances. Cross-region replication allows you to replicate data between distant AWS Regions to satisfy these compliance requirements.
Option A is invalid because Multi-AZ cannot be applied to S3 buckets.
Option B is invalid because copying the data to an EBS volume is not a recommended practice.
Option C is invalid because creating snapshots is not possible in S3.
For more information on S3 cross-region replication, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable Cross region replication for the S3 bucket

QUESTION 75

- (Exam Topic 1)
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

  1. A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
  2. B. Implement a rate-based rule with AWS WAF
  3. C. Use AWS Shield to limit the originating traffic hit rate.
  4. D. Implement the GeoLocation feature in Amazon Route 53.

Correct Answer: C
