Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free Questions and Answers

Page 26 of 118
QUESTION 121

- (Exam Topic 1)
A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:
"Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)"
A security engineer needs to address the immediate issue and ensure that it will not occur again. Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

  1. A. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity.
  2. B. Upload the new metadata file to the new IAM identity provider entity.
  3. C. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider.
  4. D. Generate a new metadata file and upload it to the IAM identity provider entity.
  5. E. Perform automated or manual rotation of the certificate when required.
  6. F. Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
  7. G. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider.
  8. H. Generate a new copy of the metadata file and create a new IAM identity provider entity.
  9. I. Upload the metadata file to the new IAM identity provider entity.
  10. J. Perform automated or manual rotation of the certificate when required.
  11. K. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity.
  12. L. Upload the new metadata file to the new IAM identity provider entity.
  13. M. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Correct Answer: AD

QUESTION 122

- (Exam Topic 3)
A company's cloud operations team is responsible for building effective security for AWS cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:
[Exhibit: the two account policies are shown in an image that is not reproduced here.]
Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

  1. A. Ask the developers to change their password and use a different web browser.
  2. B. Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.
  3. C. Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.
  4. D. Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.
  5. E. Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Correct Answer: AD

QUESTION 123

- (Exam Topic 3)
A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.
Which solution meets these requirements?

  1. A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
  2. B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
  3. C. Analyze VPC flow logs for activity by searching for the access key.
  4. D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.

Correct Answer: A

QUESTION 124

- (Exam Topic 1)
An external auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
• AWS IAM federated with on-premises Active Directory
• Amazon Cognito user pools to access an AWS Cloud application developed by the company
Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)

  1. A. Update the password length policy in the on-premises Active Directory configuration.
  2. B. Update the password length policy in the IAM configuration.
  3. C. Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.
  4. D. Update the password length policy in the Amazon Cognito configuration.
  5. E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.

Correct Answer: AD

QUESTION 125

- (Exam Topic 2)
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

  1. A. Deny access to the Amazon DNS IP within all security groups.
  2. B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
  3. C. Add a route to all route tables that black-holes traffic to the Amazon DNS IP.
  4. D. Disable DNS resolution within the VPC configuration.

Correct Answer: D
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
