Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 18 of 118
QUESTION 81

- (Exam Topic 2)
A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS.
Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three).

  1. A. Create IAM roles with permissions corresponding to each Active Directory group.
  2. B. Create IAM groups with permissions corresponding to each Active Directory group.
  3. C. Create a SAML provider with IAM.
  4. D. Create a SAML provider with Amazon Cloud Directory.
  5. E. Configure AWS as a trusted relying party for the Active Directory.
  6. F. Configure IAM as a trusted relying party for Amazon Cloud Directory.

Correct Answer: ACE
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-a

QUESTION 82

- (Exam Topic 3)
A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:
SCS-C01 dumps exhibit
The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. Which change to the policy should the security engineer make to resolve these issues?

  1. A. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
  2. B. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
  3. C. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
  4. D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.

Correct Answer: C

QUESTION 83

- (Exam Topic 3)
A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.
Which solution should the company's security specialist recommend?

  1. A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
  2. B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
  3. C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
  4. D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Correct Answer: D

QUESTION 84

- (Exam Topic 3)
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?
SCS-C01 dumps exhibit
A)
SCS-C01 dumps exhibit
B)
SCS-C01 dumps exhibit
C)
SCS-C01 dumps exhibit

  1. A. Option
  2. B. Option
  3. C. Option

Correct Answer: C

QUESTION 85

- (Exam Topic 1)
A company's Director of Information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices.
Which solution would meet these requirements?

  1. A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
  2. B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty's integration with Amazon SNS to report on findings.
  3. C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.
  4. D. Use AWS Artifact's prebuilt reports and subscriptions. Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact for each account.

Correct Answer: A
