Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security- Specialty exam with these free Questions and Answers

Page 21 of 118
QUESTION 96

- (Exam Topic 3)
Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for S3 buckets created in the AWS account?
Please select:

  1. A. Use AWS Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
  2. B. Use AWS Config Rules to check whether logging is enabled for buckets
  3. C. Use AWS Cloudwatch metrics to check whether logging is enabled for buckets
  4. D. Use AWS Cloudwatch logs to check whether logging is enabled for buckets

Correct Answer: B
This is the example that the AWS Config documentation gives, under "Example rules with triggers", for a rule with a configuration change trigger:
1. You add the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED to your account to check whether your Amazon S3 buckets have logging enabled.
2. The trigger type for the rule is configuration changes. AWS Config runs the evaluations for the rule when an Amazon S3 bucket is created, changed, or deleted.
3. When a bucket is updated, the configuration change triggers the rule and AWS Config evaluates whether the bucket is compliant with the rule.
Note that a Config rule by itself only reports a bucket as NON_COMPLIANT; to make logging "always" enabled in practice, pair the rule with a remediation action (a Config remediation configuration can run an SSM Automation document, such as AWS-ConfigureS3BucketLogging, against each non-compliant bucket).
Option A is invalid because Amazon Inspector assesses workloads such as EC2 instances and container images for vulnerabilities and unintended network exposure; it does not evaluate S3 bucket configuration.
Options C and D are invalid because CloudWatch metrics and CloudWatch Logs carry telemetry and log data, not the configuration state of a bucket, so neither can tell you whether logging is enabled.
For more information on Config rules, please see: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
The correct answer is: Use AWS Config Rules to check whether logging is enabled for buckets
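The managed rule described above, deployed as a CloudFormation template. This is an added example, not code from the exam dump or from the AWS documentation; it assumes the account's AWS Config recorder is already enabled and records AWS::S3::Bucket, and the log-target bucket name (LogBucket, default central-s3-access-logs) is a hypothetical placeholder.

```yaml
# Added example: deploys the S3_BUCKET_LOGGING_ENABLED managed rule with a
# configuration-change trigger scoped to S3 buckets.
# Assumptions: the Config recorder is already on and records AWS::S3::Bucket;
# the LogBucket name below is hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Description: Detect S3 buckets without server access logging (added example)

Parameters:
  LogBucket:
    Type: String
    Description: Bucket that must receive the access logs (hypothetical name)
    Default: central-s3-access-logs

Resources:
  S3BucketLoggingEnabledRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-logging-enabled
      Description: Checks that every S3 bucket has server access logging enabled
      Source:
        Owner: AWS
        # Managed rule identifier quoted in the explanation above
        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
      # Scoping the rule to buckets makes the change-triggered evaluation run
      # whenever a bucket is created, changed or deleted.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      # Optional managed-rule parameters: with targetBucket set, a bucket is
      # only compliant if it logs to that bucket. Omit it to accept any target.
      InputParameters:
        targetBucket: !Ref LogBucket
```

The rule is detective only. A bucket created without logging shows up as NON_COMPLIANT within minutes of the change, but nothing turns logging on unless you also attach an AWS::Config::RemediationConfiguration (or fix it by hand). Also check that the recorder itself is not paused: a stopped recorder produces no configuration items, and a change-triggered rule that never fires looks compliant.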

QUESTION 97

- (Exam Topic 1)
A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.
What should a Security Engineer do to troubleshoot this error? (Select THREE.)

  1. A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
  2. B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
  3. C. Ensure the CMK was created before the S3 bucket.
  4. D. Ensure the S3 block public access feature is enabled for the S3 bucket.
  5. E. Ensure that automatic key rotation is disabled for the CMK
  6. F. Ensure the SCPs within Organizations allow access to the S3 bucket.

Correct Answer: ABF
Reading an object encrypted with SSE-KMS has to be allowed at every layer in the request path: the KMS key policy (A) must let the AppUser role call kms:Decrypt on the CMK, the bucket policy (B) must let the role call s3:GetObject, and no SCP attached above the account in the organization (F) may deny either call, because an SCP Deny overrides any allow in the account. Option C is wrong because the creation order of the CMK and the bucket has no bearing on access. Option D is wrong because S3 Block Public Access only affects public (anonymous or cross-account, via ACLs and policies) access and does not restrict an authorised IAM role. Option E is wrong because KMS keeps earlier key material after automatic rotation, so rotation never prevents decryption of existing objects.
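The three permission layers named in answers A, B and F, written out as one CloudFormation template so each can be checked against a real deployment. This is an added example, not code from the exam dump; the account id, role ARN, OU id and every resource name are hypothetical, the AppUser role is assumed to live in the same account as the bucket and the CMK, and the AWS::Organizations::Policy resource is assumed to be deployed from the organization's management account.

```yaml
# Added example: the key policy (answer A), bucket policy (answer B) and an
# SCP (answer F) that together must permit the AppUser download path.
# Assumptions: same-account role, bucket and key; all ids/names hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Description: Decrypt-and-download path for the AppUser role (added example)

Parameters:
  AppUserRoleArn:
    Type: String
    Default: arn:aws:iam::111122223333:role/AppUser   # hypothetical account id

Resources:
  # Answer A: the key policy must grant the role kms:Decrypt on this CMK.
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for the file bucket
      EnableKeyRotation: true   # rotation does not break decryption (answer E is a distractor)
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdmins
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowAppUserDecryptViaS3
            Effect: Allow
            Principal:
              AWS: !Ref AppUserRoleArn
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"
            # Only honour the grant when S3 in this region calls KMS on the
            # role's behalf. A ViaService value naming the wrong region is a
            # classic cause of AccessDenied on an otherwise correct policy.
            Condition:
              StringEquals:
                kms:ViaService: !Sub s3.${AWS::Region}.amazonaws.com

  FileBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref DataKey

  # Answer B: the bucket policy must grant the role s3:GetObject.
  FileBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FileBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAppUserGetObject
            Effect: Allow
            Principal:
              AWS: !Ref AppUserRoleArn
            Action: s3:GetObject
            Resource: !Sub ${FileBucket.Arn}/*

  # Answer F: an SCP attached above the member account must not deny the
  # calls. This guardrail denies S3 outside an approved region; if the bucket
  # were created elsewhere, the role would get AccessDenied even though the
  # key policy and bucket policy above are correct.
  RegionGuardrailScp:
    Type: AWS::Organizations::Policy
    Properties:
      Name: deny-s3-outside-approved-regions
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - ou-xxxx-hypothetical   # hypothetical OU id
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyS3OutsideApprovedRegions
            Effect: Deny
            Action: s3:*
            Resource: "*"
            Condition:
              StringNotEquals:
                aws:RequestedRegion:
                  - us-east-1
```

When the role sits in a different account from the bucket and key, the same three checks still apply but one more is needed: the role's own identity policy must also allow s3:GetObject and kms:Decrypt, because cross-account access requires an allow on both the resource policy and the caller's policy. CloudTrail is the quickest way to see which layer refused the request: a denied GetObject shows an S3 error, whereas a KMS refusal appears as a separate Decrypt event with the key ARN.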

QUESTION 98

- (Exam Topic 1)
A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The keys must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.
Which solution meets these requirements?

  1. A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK
  2. B. Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text inAmazon S3
  3. C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
  4. D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM

Correct Answer: C
A KMS customer managed key in a custom key store is generated and stored in the company's own AWS CloudHSM cluster, which is validated to FIPS 140-2 Level 3, yet it is still used through the normal KMS API. S3 server-side encryption with KMS keys (SSE-KMS) and Athena therefore work unchanged, which is what "must work with Amazon S3" requires. Option B also keeps the keys in CloudHSM, but the application would then have to encrypt and decrypt objects itself before storing the ciphertext in S3, and Athena cannot query data encrypted that way. Options A and D keep the key material inside the HSMs that back AWS KMS itself, which at the time of this exam were validated only to FIPS 140-2 Level 2; importing material with BYOK (D) changes where the key comes from, not where it is used.

QUESTION 99

- (Exam Topic 3)
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and for the private subnet (DBSecGrp). Which of the following entries is required in the private subnet database security group DBSecGrp?
Please select:

  1. A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
  2. B. Allow Inbound on port 3306 from source 20.0.0.0/16
  3. C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
  4. D. Allow Outbound on port 80 for Destination NAT Instance IP

Correct Answer: A
Since the web server needs to talk to the database server on port 3306, the database security group must allow incoming traffic on port 3306, and the tightest source for that rule is the web tier's security group rather than an address range. The AWS documentation for this scenario (a VPC with public and private subnets) sets the two groups up the same way: WebSecGrp allows inbound HTTP from the internet, and DBSecGrp allows inbound 3306 only from WebSecGrp.
Option B is invalid because a source of 20.0.0.0/16 opens the database to every instance in the VPC; the source should be the WebSecGrp security group so that only the web servers can reach it.
Options C and D are invalid because the rule that has to exist is an inbound rule, not an outbound one. Security groups are stateful: once an inbound connection is allowed, the replies are permitted without any outbound rule, and an outbound rule on the database group would not let the web server connect.
For more information on security groups, please visit: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
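The two security groups from the question as a CloudFormation template. This is an added example, not code from the exam dump or the AWS documentation; it assumes the VPC already exists and is passed in as VpcId, and the resource names are hypothetical.

```yaml
# Added example: WebSecGrp and DBSecGrp with the inbound 3306 rule sourced
# from the web tier's security group (answer A).
# Assumption: the VPC exists and its id is supplied as a parameter.
AWSTemplateFormatVersion: "2010-09-09"
Description: Web and database security groups (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  WebSecGrp:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTP from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  DBSecGrp:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier - MySQL from the web tier only
      VpcId: !Ref VpcId
      # No egress rule is needed for the replies: security groups are
      # stateful, so return traffic for an accepted inbound connection is
      # permitted automatically (answers C and D add nothing).

  # Answer A: inbound 3306 whose source is the web server security group,
  # not the VPC CIDR (answer B). A standalone ingress resource also avoids a
  # circular reference if WebSecGrp ever needs to reference DBSecGrp.
  DBFromWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBSecGrp
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !Ref WebSecGrp
```

Referencing a security group as the source means the rule matches any network interface that is a member of WebSecGrp, so new web servers added by an Auto Scaling group are covered without editing the database group, and an attacker who lands on some other instance in 20.0.0.0/16 still cannot reach port 3306.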

QUESTION 100

- (Exam Topic 3)
Your company hosts a large number of EC2 instances in AWS. There are strict security rules governing the EC2 instances. During a potential security breach, you need to ensure quick investigation of the affected EC2 instance. Which of the following services can help you quickly provision a test environment to look into the breached instance?
Please select:

  1. A. Amazon CloudWatch
  2. B. AWS CloudFormation
  3. C. AWS CloudTrail
  4. D. AWS Config

Correct Answer: B
The AWS Well-Architected Security Pillar says the following:
Unique to AWS, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident. This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.
Option A is incorrect because CloudWatch is a monitoring and logging service and cannot provision a test environment.
Option C is incorrect because CloudTrail is an API logging service and cannot provision a test environment.
Option D is incorrect because Config records and evaluates resource configuration and cannot provision a test environment.
For more information on the AWS Security Pillar, please refer to: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
The correct answer is: AWS CloudFormation
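A minimal version of the clean room the whitepaper describes, as a CloudFormation template: an isolated VPC with no internet or NAT path, a forensic workstation built from the team's own AMI, and a fresh volume restored from a snapshot of the breached instance's disk and attached for analysis. This is an added example, not code from the exam dump or from the AWS whitepaper; it assumes the investigator has already snapshotted the compromised volume (EvidenceSnapshotId) and has a forensic AMI (ForensicAmiId), and the CIDRs, device name and resource names are hypothetical.

```yaml
# Added example: isolated forensic "clean room" with the evidence volume
# attached to a purpose-built workstation.
# Assumptions: snapshot and forensic AMI already exist; names are hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Description: Isolated forensic workstation (added example)

Parameters:
  EvidenceSnapshotId:
    Type: String
    Description: EBS snapshot of the breached instance's volume (snap-... placeholder)
  ForensicAmiId:
    Type: AWS::EC2::Image::Id
    Description: AMI with the team's forensic toolset pre-installed

Resources:
  # Dedicated VPC with no internet gateway and no NAT gateway: the main route
  # table only carries the local route, so nothing inside can reach out.
  ForensicVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.250.0.0/24
      EnableDnsSupport: true
      EnableDnsHostnames: true

  ForensicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref ForensicVpc
      CidrBlock: 10.250.0.0/28

  # No inbound rules at all; outbound limited to the subnet itself so that an
  # attacker artifact that gets executed by mistake cannot phone home.
  ForensicSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Forensic workstation - no inbound, subnet-local outbound
      VpcId: !Ref ForensicVpc
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 10.250.0.0/28

  # The evidence is restored into a new volume in the workstation's AZ; the
  # compromised instance itself is never started.
  EvidenceVolume:
    Type: AWS::EC2::Volume
    Properties:
      SnapshotId: !Ref EvidenceSnapshotId
      AvailabilityZone: !GetAtt ForensicSubnet.AvailabilityZone

  ForensicInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ForensicAmiId
      InstanceType: m5.large
      SubnetId: !Ref ForensicSubnet
      SecurityGroupIds:
        - !Ref ForensicSg
      Volumes:
        - Device: /dev/sdf   # mount read-only from the OS to preserve evidence
          VolumeId: !Ref EvidenceVolume
      Tags:
        - Key: Name
          Value: forensic-workstation
```

Because the subnet has no route to the internet, the investigator cannot SSH in from outside; remote access goes through Session Manager, which needs an instance profile with the SSM managed policy plus interface VPC endpoints for ssm, ssmmessages and ec2messages in the VPC (omitted above). Keep the template in version control in a separate, trusted account so it can be launched in minutes and is not itself within reach of the attacker.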

