Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security- Specialty exam with these free Questions and Answers

Page 29 of 118
QUESTION 136

- (Exam Topic 2)
A Developer’s laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.
How can the Security Engineer further protect currently running instances?

  1. A. Delete the key-pair key from the EC2 console, then create a new key pair.
  2. B. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
  3. C. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
  4. D. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

Correct Answer: C

QUESTION 137

- (Exam Topic 1)
An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.
A Security Engineer must design a solution that meets the following requirements:
• Make the log files available through an AWS managed service.
• Allow for automatic monitoring of the logs.
• Provide an interface for analyzing logs.
• Minimize effort.
Which approach meets these requirements?

  1. A. Modify the application to use the AWS SD
  2. B. Write the application logs to an Amazon S3 bucket.
  3. C. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
  4. D. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
  5. E. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.

Correct Answer: D

QUESTION 138

- (Exam Topic 2)
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Select two.)

  1. A. Amazon Elasticsearch
  2. B. Amazon Kinesis
  3. C. Amazon SQS
  4. D. Amazon CloudWatch
  5. E. Amazon Athena

Correct Answer: AB
https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html#amazon-athena

QUESTION 139

- (Exam Topic 3)
Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket. How can this be achieved?
Please select:

  1. A. Enable VPC flow logs to know the source IP addresses
  2. B. Monitor the S3 API calls by using CloudTrail logging
  3. C. Monitor the S3 API calls by using CloudWatch logging
  4. D. Enable AWS Inspector for the S3 bucket

Correct Answer: B
The AWS documentation mentions the following:
Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on. Options A, C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets.
For more information on CloudTrail logging, please refer to the link below: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
The correct answer is: Monitor the S3 API calls by using CloudTrail logging

QUESTION 140

- (Exam Topic 3)
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?
Please select:

  1. A. [bucket policy exhibit image not reproduced]
  2. B. [bucket policy exhibit image not reproduced]
  3. C. [bucket policy exhibit image not reproduced]
  4. D. [bucket policy exhibit image not reproduced]

Correct Answer: A
The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that uploaded objects must be encrypted.
Options B, C and D are invalid because you have to ensure the condition "s3:x-amz-server-side-encryption":"aws:kms" is present.
For more information on AWS KMS best practices, browse to the URL below: https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
