Free SCS-C01 Exam Braindumps

Pass your AWS Certified Security - Specialty exam with these free questions and answers

Page 7 of 118
QUESTION 26

- (Exam Topic 1)
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.
Which action should the Security Engineer take to allow communication over the public IP addresses?

  1. A. Associate the instances to the same security groups.
  2. B. Add 0.0.0.0/0 to the egress rules of the instance security groups.
  3. C. Add the instance IDs to the ingress rules of the instance security groups.
  4. D. Add the public IP addresses to the ingress rules of the instance security groups.

Correct Answer: D
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-other-ins

QUESTION 27

- (Exam Topic 1)
A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:
• HTTPS needs to be enforced for all data in transit with specific ciphers.
• The CloudFront distribution needs to be accessible from the internet only.
Which solution will meet these requirements?

  1. A. Set up an S3 bucket policy with the aws:SecureTransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers.
  2. B. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
  3. C. Set up an S3 bucket policy with the aws:SecureTransport key.
  4. D. Configure the CloudFront origin access identity (OAI) with the S3 bucket.
  5. E. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
  6. F. Modify the CloudFront distribution to use AWS WAF.
  7. G. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy.
  8. H. Configure an HTTPS listener only for the ALB.
  9. I. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
  10. J. Modify the CloudFront distribution to use the ALB as the origin.
  11. K. Enforce an HTTPS listener on the ALB.
  12. L. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.

Correct Answer: CEF

A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.
Which combination of steps should the security engineer perform? (Select THREE.)

  1. A. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.
  2. B. Enable the advanced-instances tier in Systems Manager.
  3. C. Create a managed-instance activation for the on-premises servers.
  4. D. Reconfigure the Systems Manager Agent with the activation code and ID.
  5. E. Assign an IAM role to all of the on-premises servers.
  6. F. Initiate an inventory collection with Systems Manager on the on-premises servers.

QUESTION 28

- (Exam Topic 1)
A global company must mitigate and respond to DDoS attacks at Layers 3, 4, and 7. All of the company's AWS applications are serverless, with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?

  1. A. Use AWS WAF with an upgrade to the AWS Business support plan
  2. B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity
  3. C. Use AWS Shield Advanced
  4. D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all ingress traffic

Correct Answer: C

QUESTION 29

- (Exam Topic 1)
A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.
The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.
The Security Engineer has verified the following:
* 1. The rule set in the Security Groups is correct
* 2. The rule set in the network ACLs is correct
* 3. The rule set in the virtual appliance is correct
Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

  1. A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  2. B. Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).
  3. C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  4. D. Verify the registered targets in the ALB.
  5. E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Correct Answer: CD
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

QUESTION 30

- (Exam Topic 1)
A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead.
What should the security team recommend?

  1. A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only.
  2. B. Force the teams to use encryption context to encrypt and decrypt.
  3. C. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only.
  4. D. Do not allow the teams to use encryption context to encrypt and decrypt.
  5. E. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
  6. F. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.

Correct Answer: A
