[Mar 11, 2024] SCS-C01 Dumps Full Questions - Exam Study Guide
AWS Certified Security Free Certification Exam Material from PassCollection with 592 Questions
AWS Security Specialty Exam Syllabus Topics:
| Section | Objectives |
|---|---|
| Incident Response - 12% | |
| Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys. | - Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation. - Analyze logs relevant to a reported instance to verify a breach, and collect relevant data. - Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons. |
| Verify that the Incident Response plan includes relevant AWS services. | - Determine if changes to baseline security configuration have been made. - Determine if list omits services, processes, or procedures which facilitate Incident Response. - Recommend services, processes, procedures to remediate gaps. |
| Evaluate the configuration of automated alerting, and execute possible remediation of security related incidents and emerging issues. | - Automate evaluation of conformance with rules for new/changed/removed resources. - Apply rule-based alerts for common infrastructure misconfigurations. - Review previous security incidents and recommend improvements to existing systems. |
| Logging and Monitoring - 20% | |
| Design and implement security monitoring and alerting. | - Analyze architecture and identify monitoring requirements and sources for monitoring statistics. - Analyze architecture to determine which AWS services can be used to automate monitoring and alerting. - Analyze the requirements for custom application monitoring, and determine how this could be achieved. - Set up automated tools/scripts to perform regular audits. |
| Troubleshoot security monitoring and alerting. | - Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate. - Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate. - Given a custom application which is not reporting its statistics, analyze the configuration and remediate. - Review audit trails of system and user activity. |
| Design and implement a logging solution. | - Analyze architecture and identify logging requirements and sources for log ingestion. - Analyze requirements and implement durable and secure log storage according to AWS best practices. - Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis. |
| Troubleshoot logging solutions. | - Given the absence of logs, determine the incorrect configuration and define remediation steps. - Analyze logging access permissions to determine incorrect configuration and define remediation steps. - Based on the security policy requirements, determine the correct log level, type, and sources. |
| Infrastructure Security - 26% | |
| Design edge security on AWS. | - For a given workload, assess and limit the attack surface. - Reduce blast radius (e.g. by distributing applications across accounts and regions). - Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront and Route 53 to protect against DDoS or filter application-level attacks. - Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes. - Test WAF rules to ensure they block malicious traffic. |
| Design and implement a secure network infrastructure. | - Disable any unnecessary network ports and protocols. - Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes. - Given security requirements, decide on network segmentation (e.g. security groups and NACLs) that allow the minimum ingress/egress access required. - Determine the use case for VPN or Direct Connect. - Determine the use case for enabling VPC Flow Logs. - Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation. |
| Troubleshoot a secure network infrastructure. | - Determine where network traffic flow is being denied. - Given a configuration, confirm security groups and NACLs have been implemented correctly. |
| Design and implement host-based security. | - Given security requirements, install and configure host-based protections including Inspector, SSM. - Decide when to use host-based firewall like iptables. - Recommend methods for host hardening and monitoring. |
| Identity and Access Management - 20% | |
| Design and implement a scalable authorization and authentication system to access AWS resources. | - Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk. - Given a description how an organization manages their AWS accounts, verify security of their root user. - Given your organization’s compliance requirements, determine when to apply user policies and resource policies. - Within an organization’s policy, determine when to federate a directory services to IAM. - Design a scalable authorization model that includes users, groups, roles, and policies. - Identify and restrict individual users of data and AWS resources. - Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties. |
| Troubleshoot an authorization and authentication system to access AWS resources. | - Investigate a user’s inability to access S3 bucket contents. - Investigate a user’s inability to switch roles to a different account. - Investigate an Amazon EC2 instance’s inability to access a given AWS resource. |
| Data Protection - 22% | |
| Design and implement key management and use. | - Analyze a given scenario to determine an appropriate key management solution. - Given a set of data protection requirements, evaluate key usage and recommend required changes. - Determine and control the blast radius of a key compromise event and design a solution to contain the same. |
| Troubleshoot key management. | - Break down the difference between a KMS key grant and IAM policy. - Deduce the precedence given different conflicting policies for a given key. - Determine when and how to revoke permissions for a user or service in the event of a compromise. |
NEW QUESTION # 259
A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.
Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)
- A. Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret
- B. Option E
- C. Option D
- D. Option C
- E. Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
- F. Add the following statement to the container instance IAM role policy E) Add the following statement to the execution role policy.
- G. Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.
- H. Option A
- I. Option F
- J. Option B
- K. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.
Answer: A,G,H
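The pattern this question is about, a Fargate task that receives a database credential from AWS Secrets Manager through its task execution role instead of from a plaintext environment variable in the task definition, as an added CloudFormation template in JSON. It is not from the exam page and is not the policy statement the question's options leave out; the secret name example/reporting-db, the role and task names, the JSON key password, the container image URI and the account ID 111122223333 are all constructed for this example.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (constructed): Fargate task reading a DB password from Secrets Manager",
  "Resources": {
    "DbCredentials": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "example/reporting-db",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"reporting\"}",
          "GenerateStringKey": "password",
          "ExcludeCharacters": "\"@/\\"
        }
      }
    },
    "TaskExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {"Service": "ecs-tasks.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
        ],
        "Policies": [
          {
            "PolicyName": "ReadReportingDbSecretOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "secretsmanager:GetSecretValue",
                  "Resource": {"Ref": "DbCredentials"}
                }
              ]
            }
          }
        ]
      }
    },
    "TaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "reporting",
        "RequiresCompatibilities": ["FARGATE"],
        "NetworkMode": "awsvpc",
        "Cpu": "256",
        "Memory": "512",
        "ExecutionRoleArn": {"Fn::GetAtt": ["TaskExecutionRole", "Arn"]},
        "ContainerDefinitions": [
          {
            "Name": "app",
            "Image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/reporting:latest",
            "Secrets": [
              {
                "Name": "DB_PASSWORD",
                "ValueFrom": {"Fn::Sub": "${DbCredentials}:password::"}
              }
            ]
          }
        ]
      }
    }
  }
}
```

ECS resolves each `Secrets` entry with the execution role when the task starts and injects the value into the container as `DB_PASSWORD`, so the plaintext never appears in the task definition, the console, or CloudFormation output; the secret is encrypted at rest under the AWS managed key for Secrets Manager and fetched over TLS. The inline policy is scoped to the one secret ARN rather than `secretsmanager:*`, which is what keeps a compromised execution role from reading every secret in the account. If the secret were encrypted with a customer managed KMS key, the execution role would additionally need `kms:Decrypt` on that key.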
NEW QUESTION # 260
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account?
(Choose two.)
- A. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
- B. Use the AWS account root user access keys instead of the AWS Management Console
- C. Do not create access keys for the AWS account root user; instead, create AWS IAM users
- D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
- E. Enable multi-factor authentication for the AWS account root user
Answer: A,D
NEW QUESTION # 261
An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future. Which controls should the company implement to achieve this? (Select TWO.)
- A. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering:
    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Principal": "*",
            "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"
        }
    }
    Create an Amazon S3 data event for any PutObject attempts, which sends notifications to an Amazon SNS topic.
- B. Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
- C. Use AWS CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.
- D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.
- E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.
Answer: B,E
NEW QUESTION # 262
You are trying to use the AWS Systems Manager Run Command on a set of instances, but the command fails on those instances. What can you do to diagnose the issue? Choose 2 answers from the options given. Please select:
- A. Check the /var/log/amazon/ssm/errors.log file
- B. Ensure the right AMI is used for the Instance
- C. Ensure that the SSM agent is running on the target machine
- D. Ensure the security groups allow outbound communication for the instance
Answer: A,C
Explanation:
The AWS documentation mentions the following: If you experience problems executing commands using Run Command, there might be a problem with the SSM Agent. Use the following information to help you troubleshoot the agent.
View Agent Logs
The SSM Agent logs information in the following files. The information in these files can help you troubleshoot problems.
On Windows
%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
%PROGRAMDATA%\Amazon\SSM\Logs\error.log
The default filename of the seelog is seelog-xml.template. If you modify a seelog, you must rename the file to seelog.xml.
On Linux
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log
Option C is invalid because the AMI has nothing to do with the issue; the agent which is used to execute run commands can run on a variety of AMIs. Option D is invalid because security groups do not come into the picture with the communication between the agent and the SSM service. For more information on troubleshooting AWS SSM, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
The correct answers are: Ensure that the SSM agent is running on the target machine. Check the /var/log/amazon/ssm/errors.log file.
NEW QUESTION # 263
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mailbox.
Which of the following actions would resolve this issue?
- A. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
- B. In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
- C. In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.
- D. In SNS, ensure that the subscription used by these alerts has not been deleted.
Answer: D
NEW QUESTION # 264
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?
- A. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
- B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
- C. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
- D. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
Answer: C
Explanation:
Reference: https://aws.amazon.com/blogs/devops/new-how-to-better-monitor-your-custom-application-metrics-using-amazon-cloudwatch-agent/
NEW QUESTION # 265
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?
- A. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass the --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.
- B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use the resulting values to make API/CLI calls.
- C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
- D. Change the value of aws:MultiFactorAuthPresent to true.
Answer: B
NEW QUESTION # 266
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
- A. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
- B. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
- C. Configure an Amazon Cognito identity pool to integrate with social login providers.
- D. Update DynamoDB to store the user email addresses and passwords.
- E. Create a custom authorization service using AWS Lambda.
- F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Answer: A,D,E
NEW QUESTION # 267
A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.
Which solution meets these requirements?
- A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
- B. Analyze VPC flow logs for activity by searching for the access key.
- C. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
- D. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
Answer: A
NEW QUESTION # 268
A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message:
"There is a problem with the bucket policy."
What will enable the Security Engineer to save the change?
- A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
- B. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
- C. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
- D. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
Answer: B
Explanation:
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
NEW QUESTION # 269
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables. The application must:
* Include migration to a different AWS Region in the application disaster recovery plan.
* Provide a full audit trail of encryption key administration events.
* Allow only company administrators to administer keys.
* Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management. Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?
- A. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
- B. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
- C. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
- D. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
Answer: C
NEW QUESTION # 270
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as a part of the policy?
Please select:
- A. Launch the test and production instances in separate regions and allow region-wise access to the group
- B. Create an IAM policy with a condition which allows access to only small instances
- C. Define the IAM policy which allows access based on the instance ID
- D. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
Answer: D
Explanation:
Tags enable you to categorize your AWS resources in different ways, for example by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you have assigned to it. Option A is invalid because this is not a recommended practice. Option B is invalid because this is an overhead to maintain in policies. Option C is invalid because the instance type will not resolve the requirement. For information on resource tagging, please visit the following URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags.
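A worked version of the tag-based condition this explanation describes, added here and not part of the original page. The tag key Environment, the tag value test, the account ID 111122223333 and the action list are assumptions; a real policy would list exactly the actions the test group needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyInstancesTaggedTest",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "test"
        }
      }
    },
    {
      "Sid": "DescribeHasNoResourceLevelPermissions",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "PreventRetaggingToEscapeTheCondition",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
```

The first statement only matches instances whose Environment tag equals test, so production instances (tagged differently or untagged) are implicitly denied. The explicit deny on ec2:CreateTags and ec2:DeleteTags is the check a practitioner wants with any tag-based boundary: without it, a member of the group could retag a production instance as test and then manage it. ec2:DescribeInstances is allowed on `*` because EC2 Describe actions do not support resource-level permissions or the ec2:ResourceTag condition key.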
NEW QUESTION # 271
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.
What solution should the Engineer use to implement the appropriate access restrictions for the application?
- A. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
- B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
- C. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
- D. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
Answer: D
NEW QUESTION # 272
A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing, and development environments. Which of the following is an ideal way to design such a setup?
Please select:
- A. Use separate IAM Roles for each of the environments
- B. Use separate IAM Policies for each of the environments
- C. Use separate AWS accounts for each of the environments
- D. Use separate VPCs for each of the environments
Answer: C
Explanation:
A recommendation from the AWS Security Best Practices whitepaper highlights this as well.
Option A is partially valid: you can segregate resources, but the best practice is to have multiple accounts for this setup.
Options B and C are invalid because from a maintenance perspective this could become very difficult. For more information on the Security Best Practices, please visit the following URL:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use separate AWS accounts for each of the environments.
NEW QUESTION # 273
A Windows machine in one VPC needs to join the AD domain in another VPC. VPC Peering has been established, but the domain join is not working. What other step needs to be followed to ensure that the AD domain join can work as intended? Please select:
- A. Ensure the security groups for the AD hosted subnet has the right rule for relevant subnets
- B. Ensure that the AD is placed in a public subnet
- C. Change the VPC peering connection to a VPN connection
- D. Change the VPC peering connection to a Direct Connect connection
Answer: A
Explanation:
In addition to VPC peering and setting the right route tables, the security group for the AD EC2 instance needs the right rules in place to allow incoming traffic.
Options A and B are invalid because changing the connection type will not help; this is a problem with the security groups.
Option D is invalid since the AD should not be placed in a public subnet. For more information on allowing ingress traffic for AD, please visit the following URL:
https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/ingress.html
The correct answer is: Ensure the security groups for the AD hosted subnet have the right rules for the relevant subnets.
NEW QUESTION # 274
A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?
- A. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.
- B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
- C. Delete the internet gateway associated with the VPC.
- D. Use a host-based firewall to prevent access from all but the organization's firewall IP.
Answer: B
NEW QUESTION # 275
A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets.
How should this be accomplished?
- A. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3
- B. Use an S3 bucket policy
- C. Use SCPs
- D. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles
Answer: C
NEW QUESTION # 276
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account. Which configuration caused this issue?
A) An SCP is attached to the account with the following permission statement:
B)
A permission boundary policy is attached to the System Administrator role with the following permission statement:
C)
A permission boundary is attached to the System Administrator role with the following permission statement:
D)
An SCP is attached to the account with the following statement:
- A. Option D
- B. Option C
- C. Option B
- D. Option A
Answer: C
NEW QUESTION # 277
Your application currently uses customer keys which are generated via AWS KMS in the US East region. You now want to use the same set of keys from the EU-Central region. How can this be accomplished?
Please select:
- A. This is not possible since keys from KMS are region specific
- B. Export the key from the US east region and import them into the EU-Central region
- C. Use the backing key from the US east region and use it in the EU-Central region
- D. Use key rotation and rotate the existing keys to the EU-Central region
Answer: A
Explanation:
Option A is invalid because keys cannot be exported and imported across regions.
Option B is invalid because key rotation cannot be used to export keys.
Option C is invalid because the backing key cannot be used to export keys. This is mentioned in the AWS documentation under "What geographic region are my keys stored in?":
Keys are only stored and used in the region in which they are created. They cannot be transferred to another region. For example, keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region. For more information on KMS please visit the following URL:
https://aws.amazon.com/kms/faqs/
The correct answer is: This is not possible since keys from KMS are region specific.
NEW QUESTION # 278
A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred.
What should the Security Engineer do to accomplish this?
- A. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events.
- B. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date.
- C. Filter AWS CloudTrail logs for KeyRotation events.
- D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events.
Answer: B
NEW QUESTION # 279
Amazon SCS-C01 certification exam consists of 65 multiple-choice and multiple-response questions, which must be completed within 170 minutes. SCS-C01 exam is available in multiple languages, including English, Japanese, Korean, and Simplified Chinese. AWS Certified Security - Specialty certification exam requires a passing score of 750 out of 1000. Candidates who pass the exam will receive an AWS Certified Security - Specialty certificate that is valid for three years.

