Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 24 of 118
QUESTION 111

- (Exam Topic 3)
You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your on-premises servers will be communicating with your VPC instances. You will be establishing IPsec tunnels over the internet. You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPsec tunnel as outlined above? Choose 4 answers from the options below
Please select:

  1. A. End-to-end protection of data in transit
  2. B. End-to-end Identity authentication
  3. C. Data encryption across the internet
  4. D. Protection of data in transit over the Internet
  5. E. Peer identity authentication between VPN gateway and customer gateway
  6. F. Data integrity protection across the Internet

Correct Answer: CDEF
IPsec is a widely adopted protocol that can be used to provide end-to-end protection for data.

QUESTION 112

- (Exam Topic 2)
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?

  1. A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
  2. B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
  3. C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
  4. D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.

Correct Answer: B
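The following audit check is an added example and is not part of the original page. It encodes the requirement behind option B (SSE-KMS with a customer managed CMK that has automatic rotation enabled) as a function run over the dict shapes that S3 `GetBucketEncryption` and KMS `DescribeKey` / `GetKeyRotationStatus` return. The key inventory, ARNs and account number are constructed for the demo; nothing calls AWS. It also flags the three distractors: SSE-S3 (no CMK at all), the AWS managed key `alias/aws/s3` (rotation schedule not under your control), and imported key material (KMS cannot rotate it automatically).

```python
"""Audit an S3 bucket's default encryption against: 'KMS CMK, rotated automatically every year'."""

# Constructed KMS inventory: key id -> what DescribeKey / GetKeyRotationStatus would report.
KMS_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-example-1234": {
        "KeyManager": "CUSTOMER",
        "KeyRotationEnabled": True,
    },
    "arn:aws:kms:us-east-1:111122223333:key/cmk-example-5678": {
        "KeyManager": "CUSTOMER",
        "KeyRotationEnabled": False,   # customer managed, but rotation was never turned on
    },
    "arn:aws:kms:us-east-1:111122223333:key/cmk-imported-9999": {
        "KeyManager": "CUSTOMER",
        "Origin": "EXTERNAL",          # imported key material: automatic rotation unavailable
        "KeyRotationEnabled": False,
    },
    "alias/aws/s3": {
        "KeyManager": "AWS",           # AWS managed key: you do not control its rotation
        "KeyRotationEnabled": True,
    },
}


def default_encryption_rule(bucket_encryption):
    """Return the ApplyServerSideEncryptionByDefault block of a GetBucketEncryption response, or None."""
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        if "ApplyServerSideEncryptionByDefault" in rule:
            return rule["ApplyServerSideEncryptionByDefault"]
    return None


def audit_bucket_encryption(bucket_encryption, kms_keys=KMS_KEYS):
    """Return a list of findings; an empty list means the bucket meets the requirement."""
    findings = []
    rule = default_encryption_rule(bucket_encryption)
    if rule is None:
        return ["no default encryption rule configured"]
    if rule.get("SSEAlgorithm") != "aws:kms":
        # SSE-S3 (AES256) uses S3-managed keys, so no CMK and no customer rotation policy applies
        findings.append(f"SSEAlgorithm is {rule.get('SSEAlgorithm')!r}, not aws:kms")
        return findings
    key_id = rule.get("KMSMasterKeyID")
    if not key_id:
        # SSE-KMS with no key named falls back to the AWS managed key for S3
        findings.append("SSE-KMS without KMSMasterKeyID falls back to alias/aws/s3")
        key_id = "alias/aws/s3"
    key = kms_keys.get(key_id)
    if key is None:
        findings.append(f"key {key_id} not found in KMS inventory")
        return findings
    if key["KeyManager"] != "CUSTOMER":
        findings.append(f"{key_id} is AWS managed; its rotation schedule is not under your control")
    if key.get("Origin") == "EXTERNAL":
        findings.append(f"{key_id} has imported key material; automatic rotation is unavailable")
    elif not key["KeyRotationEnabled"]:
        findings.append(f"{key_id} does not have automatic rotation enabled")
    return findings


def compliant_configuration(cmk_arn):
    """Bucket encryption configuration matching option B: SSE-KMS bound to a customer managed CMK."""
    return {
        "ServerSideEncryptionConfiguration": {
            "Rules": [
                {
                    "ApplyServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": cmk_arn,
                    },
                    "BucketKeyEnabled": True,  # cuts KMS request volume; does not change the key used
                }
            ]
        }
    }


if __name__ == "__main__":
    good = compliant_configuration("arn:aws:kms:us-east-1:111122223333:key/cmk-example-1234")
    print("compliant bucket:", audit_bucket_encryption(good) or "no findings")
    print("AWS managed key:", audit_bucket_encryption(compliant_configuration("alias/aws/s3")))
```

The same dict passed to `compliant_configuration` is what you would hand to `put-bucket-encryption`; rotation itself is a property of the KMS key (`enable-key-rotation`), not of the bucket, which is why the audit has to consult the key inventory as well as the bucket setting.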

QUESTION 113

- (Exam Topic 3)
Your company has a set of EC2 Instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below
Please select:

  1. A. Use a host based intrusion detection system
  2. B. Use a third party firewall installed on a central EC2 instance
  3. C. Use VPC Flow logs
  4. D. Use Network Access control lists logging

Correct Answer: AB
If you want to inspect the packets themselves, then you need to use custom software. A diagram representation of this is given in the AWS Security best practices.
Option C is invalid because VPC Flow logs cannot conduct packet inspection.
For more information on AWS Security best practices, please refer to below URL:
The correct answers are: Use a host based intrusion detection system. Use a third party firewall installed on a central EC2 instance.

QUESTION 114

- (Exam Topic 1)
A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.
Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

  1. A. One in the US West (Oregon) region and one in the US East (Virginia) region.
  2. B. Two in the US West (Oregon) region and none in the US East (Virginia) region.
  3. C. One in the US West (Oregon) region and none in the US East (Virginia) region.
  4. D. Two in the US East (Virginia) region and none in the US West (Oregon) region.

Correct Answer: B

QUESTION 115

- (Exam Topic 1)
A company's development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's AWS services. The solution must minimize management overhead.
How should the security team prevent privilege escalation for both teams?

  1. A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  2. B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
  3. C. Enable AWS Organizations. Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team.
  4. D. Create an IAM policy with a deny on the IAM CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their application. The IAM roles will then be created by the security team.

Correct Answer: A
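The permissions boundary mechanism named in option B is worth seeing in action, so here is an added example that is not part of the original page. It implements the documented evaluation rule for identity-based policies combined with a boundary: an action is allowed only if both the identity policy and the boundary allow it and neither explicitly denies it. The two policies, the boundary ARN and the candidate actions are constructed for the demo; only `StringEquals` conditions are modelled, and resource policies and SCPs are left out, so this is a deliberate simplification of IAM evaluation. The `iam:PermissionsBoundary` condition shows how the security team lets developers create roles while guaranteeing every role they create carries the same ceiling.

```python
"""Effective permissions = identity policy ∩ permissions boundary (explicit deny wins)."""
import fnmatch

# Constructed ARN of the security team's managed policy that serves as the boundary.
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/AppDeveloperBoundary"

# Constructed boundary: the ceiling for anything a developer (or a role they build) can do.
APP_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "ecs:*", "logs:*", "s3:GetObject", "iam:PassRole"],
         "Resource": "*"},
        # Role creation is allowed only when the new role is itself given this boundary.
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
    ],
}

# Constructed identity policy the developers wrote for themselves: broader than the app needs.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "ecs:*", "logs:*", "s3:*", "iam:*"], "Resource": "*"},
    ],
}

CANDIDATES = ["lambda:CreateFunction", "ecs:RunTask", "s3:GetObject", "s3:PutBucketPolicy",
              "iam:CreateRole", "iam:CreateUser", "iam:AttachRolePolicy", "iam:PassRole"]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support the '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_ok(stmt, context):
    """Only StringEquals is modelled; a missing context key makes StringEquals false, as in IAM."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def _decision(policy, action, context):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not _condition_ok(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else None


def is_allowed(action, identity_policy, boundary=None, context=None):
    """Allowed only if the identity policy allows and, when a boundary is set, the boundary allows too."""
    context = context or {}
    if _decision(identity_policy, action, context) != "Allow":
        return False
    if boundary is None:
        return True
    return _decision(boundary, action, context) == "Allow"


def effective_actions(candidates, identity_policy, boundary=None, context=None):
    """Sorted subset of candidate actions the principal can actually perform."""
    return sorted(a for a in candidates if is_allowed(a, identity_policy, boundary, context))


if __name__ == "__main__":
    print("no boundary:  ", effective_actions(CANDIDATES, DEVELOPER_POLICY))
    print("with boundary:", effective_actions(CANDIDATES, DEVELOPER_POLICY, APP_BOUNDARY))
    print("creating a bounded role:", effective_actions(
        CANDIDATES, DEVELOPER_POLICY, APP_BOUNDARY, {"iam:PermissionsBoundary": BOUNDARY_ARN}))
```

Two things the output makes visible: the developers' own `iam:*` grant buys them nothing outside the boundary, and `iam:CreateRole` succeeds only when the request names the boundary, so a role built by a developer cannot end up with more than the security team approved. Option A, by contrast, only observes an escalation after the fact.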
