Best Quality SCS-C01 Exam Questions Amazon Test To Gain Brilliant Result!
Preparations of SCS-C01 Exam 2021 AWS Certified Security Unlimited 485 Questions
NEW QUESTION 224
You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer:
Please select:
- A. Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
- B. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
- C. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
- D. Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
Answer: C
Explanation:
Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0.004 per gigabyte per month, a significant saving compared to on-premises solutions.
With Amazon S3 lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Option B is invalid because lifecycle policies are not available for EBS volumes.
Option C is invalid because IAM policies cannot be used to move data to Glacier.
Option D is invalid because lifecycle policies are not used to move data to Redshift.
For more information on S3 lifecycle policies, please visit the URL:
http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
NEW QUESTION 225
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table.
Which of the following has been taken care of from a security perspective in the above command?
Please select:
- A. Since the ID is hashed, it ensures security of the underlying table.
- B. The above command ensures data encryption at rest for the Customer table
- C. The above command ensures data encryption in transit for the Customer table
- D. The right throughput has been specified from a security perspective
Answer: B
Explanation:
The above command with the "--sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest.
Options A, C and D are all invalid because this command is specifically used to ensure data encryption at rest.
For more information on DynamoDB encryption, please visit the URL:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
The correct answer is: The above command ensures data encryption at rest for the Customer table.
NEW QUESTION 226
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
- A. Segregate containers by host, function, and data classification.
- B. Enable container breakout at the host kernel.
- C. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
- D. Use the containers to automate security deployments.
- E. Use Docker Notary framework to sign task definitions.
Answer: A,D
NEW QUESTION 227
A user has enabled versioning on an S3 bucket. The user is using server-side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?
Please select:
- A. It is possible to have different encryption keys for different versions of the same object
- B. The SSE-C does not work when versioning is enabled
- C. AWS S3 does not allow the user to upload his own keys for server side encryption
- D. The user should use the same encryption key for all versions of the same object
Answer: A
Explanation:
.anaging your own encryption keys, y
You can encrypt the object and send it across to S3
Option A is invalid because ideally you should use different encryption keys.
Option C is invalid because you can use your own encryption keys.
Option D is invalid because encryption works even if versioning is enabled.
For more information on client-side encryption please visit the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
The correct answer is: It is possible to have different encryption keys for different versions of the same object.
NEW QUESTION 228
An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
Please select:
- A. A VPN between the VPC and the data center.
- B. A Direct Connect connection between the VPC and data center
- C. Expose the data with a public HTTPS endpoint.
- D. A VPN between the VPC and the data center over a Direct Connect connection
Answer: D
Explanation:
Since this is required over a consistent low-latency connection, you should use Direct Connect. For encryption, you can make use of a VPN.
Option A is invalid because exposing an HTTPS endpoint will not help all traffic to flow between a VPC and the data center.
Option C is invalid because low latency is a key requirement.
Option D is invalid because only Direct Connect will not suffice.
For more information on the connection options please see the below link:
https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing
The correct answer is: A VPN between the VPC and the data center over a Direct Connect connection.
NEW QUESTION 229
A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts. What should the company do to accomplish this?
A)
B)
C)
D)
- A. Option A
- B. Option D
- C. Option B
- D. Option C
Answer: A
NEW QUESTION 230
A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.
How can this be accomplished? (Choose two.)
- A. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
- B. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.
- C. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.
- D. Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.
- E. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.
Answer: C,E
NEW QUESTION 231
The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?
- A. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
- B. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
- C. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
- D. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
Answer: D
NEW QUESTION 232
The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK).
Which CMK-related issues could be responsible? (Choose two.)
- A. The CMK specified in the application is not enabled.
- B. The CMK specified in the application does not exist.
- C. The CMK specified in the application is currently in use.
- D. The CMK specified in the application is using an alias.
- E. The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.
Answer: A,B
Explanation:
https://docs.amazonaws.cn/en_us/kms/latest/developerguide/services-parameter-store.html
NEW QUESTION 233
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.
While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
- A. Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
- B. Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353.
- C. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
- D. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
Answer: C
NEW QUESTION 234
You work as an administrator for a company. The company hosts a number of resources using AWS. There is an incident of suspicious API activity which occurred 11 days ago. The Security Admin has asked to get the API activity from that point in time. How can this be achieved?
Please select:
- A. Search the CloudWatch metrics to find the suspicious activity which occurred 11 days ago
- B. Search the CloudTrail event history on the API events which occurred 11 days ago.
- C. Search the CloudWatch logs to find the suspicious activity which occurred 11 days ago
- D. Use AWS Config to get the API calls which were made 11 days ago.
Answer: B
Explanation:
The CloudTrail event history allows you to view events which are recorded for 90 days. So one can use a metric filter to gather the API calls from 11 days ago.
Options A and C are invalid because CloudWatch is used for logging and not for monitoring API activity.
Option D is invalid because AWS Config is a configuration service and not for monitoring API activity.
For more information on AWS CloudTrail, please visit the following URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
Note:
In this question we assume that the customer has enabled the CloudTrail service.
AWS CloudTrail is enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. So for an activity that happened 11 days ago to be stored in CloudTrail, we need to configure the trail manually to ensure that it is stored in the event history.
* https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-aws-customers/
The correct answer is: Search the CloudTrail event history on the API events which occurred 11 days ago.
NEW QUESTION 235
A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
The Engineer does not have access to the source code of the legacy web application.
Which of the following approaches would meet this requirement?
- A. Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.
- B. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
- C. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
- D. Implement an AWS Lambda@Edge origin response function that inserts the required headers.
Answer: D
NEW QUESTION 236
You need to inspect the running processes on an EC2 instance that may have a security issue. How can you achieve this in the easiest way possible? You also need to ensure that the process does not interfere with the continuous running of the instance.
Please select:
- A. Use AWS CloudWatch to record the processes running on the server
- B. Use AWS CloudTrail to record the processes running on the server to an S3 bucket.
- C. Use AWS Config to see the changed process information on the server
- D. Use the SSM Run Command to send the list of running processes information to an S3 bucket.
Answer: D
Explanation:
The SSM Run Command can be used to send OS-specific commands to an instance. Here you can check and see the running processes on an instance and then send the output to an S3 bucket.
Option A is invalid because this is used to record API activity and cannot be used to record running processes.
Option B is invalid because CloudWatch is a logging and metric service and cannot be used to record running processes.
Option D is invalid because AWS Config is a configuration service and cannot be used to record running processes.
For more information on the Systems Manager Run Command, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
The correct answer is: Use the SSM Run Command to send the list of running processes information to an S3 bucket.
NEW QUESTION 237
Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved?
Please select:
- A. Enable a trail in Cloudtrail
- B. Use Cloudwatch metrics
- C. Enable logging on the KMS service
- D. Enable Cloudwatch logs
Answer: A
Explanation:
The AWS Documentation states the following:
AWS KMS is integrated with CloudTrail, a service that captures API calls made by or on behalf of AWS KMS in your AWS account and delivers the log files to an Amazon S3 bucket that you specify. CloudTrail captures API calls from the AWS KMS console or from the AWS KMS API. Using the information collected by CloudTrail, you can determine what request was made, the source IP address from which the request was made, who made the request, when it was made, and so on.
Option A is invalid because logging is not possible in the KMS service.
Options C and D are invalid because CloudWatch cannot be used to monitor API calls.
For more information on logging using CloudTrail please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html
The correct answer is: Enable a trail in CloudTrail
NEW QUESTION 238
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?
- A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
- B. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
- C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
Answer: A
NEW QUESTION 239
Your IT Security team has advised carrying out a penetration test on the resources in the company's AWS account, as part of their capability to analyze the security of the infrastructure. What should be done first in this regard?
Please select:
- A. Submit a request to AWS Support
- B. Turn on VPC Flow Logs and carry out the penetration test
- C. Use a custom AWS Marketplace solution for conducting the penetration test
- D. Turn on CloudTrail and carry out the penetration test
Answer: A
Explanation:
This concept is given in the AWS Documentation: How do I submit a penetration testing request for my AWS resources?
Issue
I want to run a penetration test or other simulated event on my AWS architecture. How do I get permission from AWS to do that?
Resolution
Before performing security testing on AWS resources, you must obtain approval from AWS. After you submit your request, AWS will reply in about two business days.
AWS might have additional questions about your test which can extend the approval process, so plan accordingly and be sure that your initial request is as detailed as possible.
If your request is approved, you'll receive an authorization number.
Options A, B and D are all invalid because the first step is to get prior authorization from AWS for penetration tests.
For more information on penetration testing, please visit the below URLs:
* https://aws.amazon.com/security/penetration-testing/
* https://aws.amazon.com/premiumsupport/knowledge-center/penetration-testing/
The correct answer is: Submit a request to AWS Support
NEW QUESTION 240
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?
- A. email-imap.us-east-1.amazonaws.com over port 993
- B. email.us-east-1.amazonaws.com over port 8080
- C. email-pop3.us-east-1.amazonaws.com over port 995
- D. email-smtp.us-east-1.amazonaws.com over port 587
Answer: D
Explanation:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
NEW QUESTION 241
A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket? Choose 2 answers from the options given below.
Please select:
- A. Enable versioning on the S3 bucket
- B. Enable data at rest for the objects in the bucket
- C. Enable MFA Delete in the bucket policy
- D. Enable data in transit for the objects in the bucket
Answer: A,C
Explanation:
One of the AWS Security blogs mentions the following:
Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket, Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request.
You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your AWS account's access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.
Option B is invalid because enabling encryption does not protect against data deletion.
Option D is invalid because this option does not protect against data deletion.
For more information on AWS S3 versioning and MFA please refer to the below URL:
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
The correct answers are: Enable versioning on the S3 bucket. Enable MFA Delete in the bucket policy.
NEW QUESTION 242
A company is planning to run a number of admin-related scripts using the AWS Lambda service. There is a need to understand if there are any errors encountered when the scripts run. How can this be accomplished in the most effective manner?
Please select:
- A. Use the AWS Config service to monitor for errors
- B. Use the AWS Inspector service to monitor for errors
- C. Use CloudTrail to monitor for errors
- D. Use CloudWatch metrics and logs to watch for errors
Answer: D
Explanation:
The AWS Documentation mentions the following:
AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.
Options B, C and D are all invalid because these services cannot be used to monitor for errors.
For more information on monitoring Lambda functions, please visit the following URL:
https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html
The correct answer is: Use CloudWatch metrics and logs to watch for errors
NEW QUESTION 243
One of your company's EC2 Instances have been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do in from the options given below.
Please select:
- A. Make sure that logs are stored securely for auditing and troubleshooting purpose
- B. Ensure that all access keys are rotated.
- C. Ensure all passwords for all IAM users are changed
- D. Isolate the machine from the network
- E. Take a snapshot of the EBS volume
Answer: A,D,E
Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur to other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C.
This indicates that we have already got logs and we need to make sure that they are stored securely so that no unauthorised person can access and manipulate them.
Options D and E are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note:
In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purposes.