SCS-C01 Exam Dumps - Try Best SCS-C01 Exam Questions from Training Expert BootcampPDF [Q276-Q301]



The Amazon SCS-C01 (AWS Certified Security - Specialty) certification exam is a sought-after certification for professionals who want to demonstrate their expertise in securing applications and data on the AWS platform. It is designed for individuals who have a deep understanding of AWS security services and best practices for securing AWS workloads, and it validates the skills and knowledge required to design, implement, and maintain secure and scalable solutions on AWS.

 

NEW QUESTION # 276
A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.
How can this be accomplished? (Choose two.)

  • A. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.
  • B. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.
  • C. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
  • D. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.
  • E. Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

Answer: C,E


NEW QUESTION # 277
An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
Please select:

  • A. Expose the data with a public HTTPS endpoint.
  • B. A VPN between the VPC and the data center.
  • C. A Direct Connect connection between the VPC and the data center.
  • D. A VPN between the VPC and the data center over a Direct Connect connection

Answer: D

Explanation:
Since a consistent, low-latency connection is required, you should use Direct Connect; for encryption in transit, run a VPN over it.
Option A is invalid because exposing an HTTPS endpoint does not cover all the traffic that must flow between the VPC and the data center.
The VPN-only option is invalid because low latency is a key requirement.
The Direct Connect-only option is invalid because Direct Connect by itself does not encrypt the traffic.
For more information on the connection options, see:
https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing


NEW QUESTION # 278
An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?

  • A. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
  • B. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
  • C. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
  • D. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Answer: A

Explanation:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html


NEW QUESTION # 279
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched.
What could be causing these terminations?

  • A. The IAM user launching those instances is missing ec2:RunInstances permissions
  • B. AWS currently does not have sufficient capacity in the Region
  • C. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions
  • D. The instance profile used with the EC2 instances is unable to query instance metadata

Answer: C

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html


NEW QUESTION # 280
A Systems Administrator has written the following Amazon S3 bucket policy, designed to allow access to an S3 bucket only for an authorized IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.
What does the Administrator need to change to grant access to the user?

  • A. Change the "Resource" from "arn:aws:s3:::Bucket" to "arn:aws:s3:::Bucket/*".
  • B. Change the "Action" from ["s3:*"] to ["s3:GetObject", "s3:ListBucket"]
  • C. Change the "Version" from "2012-10-17" to the last revised date of the policy
  • D. Change the "Principal" from "*" to {"AWS":"arn:aws:iam::account-number:user/username"}

Answer: A


NEW QUESTION # 281
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?

  • A. email-smtp.us-east-1.amazonaws.com over port 587
  • B. email.us-east-1.amazonaws.com over port 8080
  • C. email-imap.us-east-1.amazonaws.com over port 993
  • D. email-pop3.us-east-1.amazonaws.com over port 995

Answer: A

Explanation:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html


NEW QUESTION # 282
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API?
Select 2 answers from the options below
Please select:

  • A. Add permission to use the KMS key to decrypt to the SSM service role.
  • B. Add the EC2 instance role as a trusted service to the SSM service role.
  • C. Add permission to use the KMS key to decrypt to the EC2 instance role
  • D. Add permission to read the SSM parameter to the EC2 instance role.
  • E. Add the SSM service role as a trusted service to the EC2 instance role.

Answer: C,D

Explanation:
The example policy from the AWS documentation must be attached to the EC2 instance role so that the instance can read a SecureString parameter: the role needs permission for the ssm:GetParameter API call and for the kms:Decrypt call that decrypts the secret.

Adding the EC2 instance role as a trusted service to the SSM service role is invalid because roles are attached to EC2 instances, not EC2 roles to SSM. Adding KMS decrypt permission to the SSM service role is invalid because the SSM service role does not need to decrypt the parameter.
Adding the SSM service role as a trusted service to the EC2 instance role is invalid because that is not a valid configuration. For more information on the parameter store, please visit:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html


NEW QUESTION # 283
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

  • A. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
  • B. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
  • C. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
  • D. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.

Answer: A


NEW QUESTION # 284
You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this?
Please select:

  • A. Modify the security groups for the VPC to allow access to the S3 bucket
  • B. Modify the IAM Policy for the bucket to allow access for the VPC endpoint
  • C. Modify the bucket Policy for the bucket to allow access for the VPC endpoint
  • D. Modify the route tables to allow access for the VPC endpoint

Answer: C

Explanation:
This is covered in the AWS documentation under "Restricting Access to a Specific VPC Endpoint":
The following is an example of an S3 bucket policy that restricts access to a specific bucket, examplebucket, only from the VPC endpoint with the ID vpce-1a2b3c4d. The policy denies all access to the bucket if the specified endpoint is not being used. The aws:sourceVpce condition is used to specify the endpoint. The aws:sourceVpce condition does not require an ARN for the VPC endpoint resource, only the VPC endpoint ID. For more information about using conditions in a policy, see Specifying Conditions in a Policy.

The security-group and route-table options are incorrect because neither security groups nor route tables can restrict access to that bucket to the VPC endpoint; here you specifically need to change the bucket policy.
The IAM policy option is incorrect because it is the bucket policy that needs to be changed, not the IAM policy.
For more information on example bucket policies for VPC endpoints, please refer to:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html


NEW QUESTION # 285
A security engineer needs to configure monitoring and auditing for AWS Lambda.
Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)

  • A. Use AWS CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.
  • B. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
  • C. Use AWS Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  • D. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.
  • E. Use AWS Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Answer: A,E


NEW QUESTION # 286
Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.
Which of the following solutions will meet these requirements?

  • A. Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
  • B. Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
  • C. Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn an SSL connection between the load balancer and the EC2 instances.
  • D. Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

Answer: B


NEW QUESTION # 287
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database; administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure:
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances
* sgDB - associated with the database
* sgBastion - associated with the bastion host
Which security group configuration will allow the application to be secure and functional?
Please select:

  • A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgLB
    sgBastion: allow port 22 traffic from the VPC IP address range
  • B. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the VPC IP address range
  • C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range
  • D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range

Answer: D

Explanation:
The load balancer should accept traffic on ports 80 and 443 from 0.0.0.0/0. The backend EC2 instances should accept traffic only from the load balancer. The database should allow traffic from the web servers, and the bastion host should only allow SSH traffic from a specific corporate IP address range. The option that lets sgWeb accept traffic from 0.0.0.0/0 is incorrect because the web tier should only accept traffic from the load balancer. For more information on AWS security groups, please refer to:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html


NEW QUESTION # 288
You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.
Please select:

  • A. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
  • B. Create an HSM client certificate in Redshift and authenticate using this certificate.
  • C. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
  • D. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.

Answer: A

Explanation:
The AWS documentation mentions the following:
"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."
The options that use an HSM client certificate or embed IAM user credentials in the application are incorrect because IAM roles must be used for secure access to services. For more information on web identity federation, please refer to:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html


NEW QUESTION # 289
A company has contracted with a third party to audit several IAM accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)

  • A. The secret key used by the Auditor is missing or incorrect.
  • B. The role ARN used by the Auditor is missing or incorrect.
  • C. The external ID used by the Auditor is missing or incorrect.
  • D. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
  • E. The Auditor is using the incorrect password.
  • F. The Amazon EC2 role used by the Auditor must be set to the destination account role.

Answer: B,C,D

Explanation:
Using IAM to grant access to a third-party account:
1) Create a role to provide access to the required resources.
1.1) Create a role trust policy that specifies the auditor's AWS account ID, "sts:AssumeRole" as the action, and "sts:ExternalId" as a condition.
1.2) Create a role using the trust policy just created.
1.3) Attach a permissions policy to the role. This grants the auditor access to the resource ARNs.
2) Repeat the steps above in every AWS account to be audited.
3) The auditor connects to the AWS Security Token Service (STS) of the target account. The auditor must provide the ExternalId set in the trust policy and the ARN of the role it is trying to assume.
4) STS provides the auditor with temporary credentials that carry the permissions of the role from step 1.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-and-amazon-clo


NEW QUESTION # 290
A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?

  • A. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.
  • B. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups.
  • C. Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region.
  • D. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0/0.

Answer: A

Explanation:
This solution ensures that the Lambda functions are deployed inside the VPC and can communicate with the Amazon RDS DB instance securely. The security group attached to the Lambda functions only allows outbound traffic to the VPC CIDR range, and the DB instance security group only allows traffic from the Lambda security group. This solution ensures that the Lambda functions can communicate with the DB instance securely and that the DB instance is not exposed to the public internet.


NEW QUESTION # 291
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)

  • A. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
  • B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
  • C. Add a rule to AWS WAF to block access to the EC2 instance.
  • D. Detach the elastic network interface from the EC2 instance.
  • E. Disable any Amazon Route 53 health checks associated with the EC2 instance.
  • F. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Answer: A,B,F

Explanation:
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf


NEW QUESTION # 292
A company's security engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)

  • A. Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
  • B. Using Amazon SNS to notify the target group
  • C. Configuring Amazon Inspector to scan the AWS account for any root user activity
  • D. Configuring AWS Organizations to monitor root user API calls on the paying account
  • E. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported

Answer: B,E


NEW QUESTION # 293
You are building a large-scale confidential documentation web server on AWS, and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.

  • A. Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user.
  • B. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
  • C. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
  • D. Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.

Answer: B

Explanation:
If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example, control over the date and time after which a user can no longer access your content, and control over which IP addresses can be used to access content. In addition, if users access objects both through CloudFront and directly by using Amazon S3 URLs, CloudFront access logs are less useful because they're incomplete.
Option A is invalid because you need to create an Origin Access Identity for CloudFront, not an IAM user. Options C and D are invalid because those policies alone will not fulfil the requirement. For more information on Origin Access Identity, please see:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html


NEW QUESTION # 294
A city is implementing an election results reporting website that will use Amazon CloudFront. The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group.
Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket. A security engineer needs to ensure that all external access to the website goes through CloudFront.
Which solution meets these requirements?

  • A. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
  • B. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
  • C. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
  • D. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

Answer: B


NEW QUESTION # 295
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket.
The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?

  • A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.
  • B. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
  • C. Edit the existing trail in the Organizations master account and apply it to the organization.
  • D. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Answer: C


NEW QUESTION # 296
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

  • A. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.
  • B. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
  • C. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
  • D. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.

Answer: B


NEW QUESTION # 297
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
Please select:

  • A. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
  • B. Enable GuardDuty to block malicious traffic from reaching the application
  • C. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
  • D. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
  • E. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.

Answer: A,C

Explanation:
The below diagram from AWS shows the best-case architecture for mitigating DDoS attacks using services such as CloudFront, AWS WAF, ELB and Auto Scaling.

The security-group option is invalid because security groups deny access by default and cannot absorb a DDoS attack. The Inspector option is invalid because Amazon Inspector cannot be used to examine traffic. The GuardDuty option is invalid because GuardDuty detects attacks against EC2 instances but does not block a DDoS attack against the whole application. For more information on DDoS mitigation from AWS, please visit:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation


NEW QUESTION # 298
A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement; in order to boost the agility of the business and to ensure data durability, which of the following options are NOT required?
Please select:

  • A. Use EBS Snapshots
  • B. Use EBS volume replication
  • C. Use lifecycle policies for the EBS volumes
  • D. Use EBS volume encryption

Answer: B,D

Explanation:
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.
You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.
With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
* Resource type - The AWS resource managed by the policy, in this case EBS volumes.
* Target tag - The tag that must be associated with an EBS volume for it to be managed by the policy.
* Schedule - Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
EBS volume replication is a correct answer (it is not required): each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability, but there is no explicit user-configurable replication feature.
EBS volume encryption is also a correct answer (it is not required): encryption does not ensure data durability.
For information on security for compute resources, please visit:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf


NEW QUESTION # 299
A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.
Which combination of steps should the security engineer perform? (Select THREE.)

  • A. Create a managed-instance activation for the on-premises servers.
  • B. Reconfigure the Systems Manager Agent with the activation code and ID.
  • C. Enable the advanced-instances tier in Systems Manager.
  • D. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.
  • E. Initiate an inventory collection with Systems Manager on the on-premises servers
  • F. Assign an IAM role to all of the on-premises servers.

Answer: A,E,F


NEW QUESTION # 300
You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers, and the network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?
Please select:

  • A. Check the Outbound security rules for the database security group
    Check the Inbound security rules for the application security group
  • B. Check the Outbound security rules for the database security group
    Check both the Inbound and Outbound security rules for the application security group
  • C. Check both the Inbound and Outbound security rules for the database security group
    Check the Inbound security rules for the application security group
  • D. Check the Inbound security rules for the database security group
    Check the Outbound security rules for the application security group

Answer: D

Explanation:
Here, since the communication is established inbound to the database server and outbound from the application server, you only need to check the outbound rules of the application server's security group and the inbound rules of the database server's security group.
The option that checks both the inbound and outbound rules of the application security group can't be correct, because checking the application group's inbound rules is not needed.
We need to check the inbound rules of the DB security group and the outbound rules of the application security group, because these two groups need to communicate with each other for the application to function.
Checking the outbound rules of the database security group is not needed, and checking the inbound rules of the application security group is not needed either, which rules out the remaining options.

