[2023] SCS-C01 Dumps are Available for Instant Access [Q279-Q304]


Valid SCS-C01 Dumps to Help You Pass the SCS-C01 Exam!


To be eligible for the Amazon SCS-C01 certification exam, candidates should have at least two years of experience in IT security, and a deep understanding of AWS security services and features. Candidates should also have experience designing and implementing secure and scalable AWS architectures, and be familiar with security best practices for AWS workloads. To prepare for the exam, candidates can take AWS training courses, read AWS documentation, and practice using AWS services in a test environment.

 

NEW QUESTION # 279
A company has been using the AWS KMS service for managing its keys. They are planning to carry out housekeeping activities and delete keys which are no longer in use. Which of the following can be used to see which keys are in use? Choose 2 answers from the options given below.
Please select:

  • A. Determine the age of the master key
  • B. See who is assigned permissions to the master key
  • C. See Cloudtrail for usage of the key
  • D. Use AWS CloudWatch Events for events generated for the key

Answer: B,C

Explanation:
The direct ways to see how a key is being used are to examine its current access permissions and its CloudTrail logs. Option A is invalid because how long ago the key was created says nothing about whether it is used. Option D is invalid because CloudTrail is the better source for events generated by the key. This is also mentioned in the AWS documentation:
Examining CMK Permissions to Determine the Scope of Potential Usage
Determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CMK was used and whether it is still needed. To learn how to determine who or what currently has access to a CMK, go to Determining Access to an AWS KMS Customer Master Key.
Examining AWS CloudTrail Logs to Determine Actual Usage
AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files. If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history. You might be able to use a CMK's usage history to help you determine whether or not you still need it. For more information on determining the usage of CMK keys, please visit the following URL:
* https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html
The correct answers are: See who is assigned permissions to the master key. See CloudTrail for usage of the key.
Submit your Feedback/Queries to our Experts
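As an added example (not part of the original dump or of AWS's own tooling), the CloudTrail check from the explanation above, run offline over constructed KMS events: it counts cryptographic operations per key within a review window and lists inventory keys with no such use. The key ARNs, account id and timestamps are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# KMS API calls that show a key is actually doing cryptographic work.
# Administrative and read-only calls (DescribeKey, ListKeys, GetKeyPolicy)
# are deliberately excluded: they show someone looked at the key, not that
# anything depends on it.
CRYPTO_OPERATIONS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "Sign", "Verify",
}

# Constructed CloudTrail records in the shape KMS events have. The account id
# and key ids are placeholders, not real resources.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
KEY_C = "arn:aws:kms:us-east-1:111122223333:key/cccccccc-0000-0000-0000-000000000003"

SAMPLE_EVENTS = [
    {"eventTime": "2023-06-01T08:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "resources": [{"ARN": KEY_A}]},
    {"eventTime": "2023-06-02T09:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "resources": [{"ARN": KEY_A}]},
    # Looking at a key is not using it.
    {"eventTime": "2023-06-03T11:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DescribeKey", "resources": [{"ARN": KEY_B}]},
    # Real usage, but outside a 90-day review window.
    {"eventTime": "2022-01-15T12:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt", "resources": [{"ARN": KEY_C}]},
    # Unrelated service; must be ignored.
    {"eventTime": "2023-06-03T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "resources": [{"ARN": "arn:aws:s3:::example-bucket/x"}]},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_usage(events, window_end, days=90):
    """Return {key_arn: {"calls": n, "last_used": datetime}} for cryptographic
    KMS operations in the `days` before `window_end`."""
    window_start = window_end - timedelta(days=days)
    usage = defaultdict(lambda: {"calls": 0, "last_used": None})
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in CRYPTO_OPERATIONS:
            continue
        when = parse_time(ev["eventTime"])
        if not (window_start <= when <= window_end):
            continue
        # KMS events name the key in the resources list.
        for res in ev.get("resources", []):
            arn = res.get("ARN", "")
            if ":key/" not in arn:
                continue
            entry = usage[arn]
            entry["calls"] += 1
            if entry["last_used"] is None or when > entry["last_used"]:
                entry["last_used"] = when
    return dict(usage)


def deletion_candidates(inventory, usage):
    """Keys in the inventory with no cryptographic use in the window. These are
    candidates for review, not for immediate deletion: also check the key
    policy and grants (who can still use it) before scheduling deletion."""
    return sorted(arn for arn in inventory if arn not in usage)


if __name__ == "__main__":
    now = parse_time("2023-06-30T00:00:00Z")
    seen = key_usage(SAMPLE_EVENTS, now, days=90)
    for arn, info in seen.items():
        print(arn, info["calls"], info["last_used"].isoformat())
    print("no use in window:", deletion_candidates([KEY_A, KEY_B, KEY_C], seen))
```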


NEW QUESTION # 280
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database; administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure:
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances
* sgDB - associated with the database
* sgBastion - associated with the bastion host
Which security group configuration will allow the application to be secure and functional?
Please select:

  • A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the VPC IP address range
  • B. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range
  • C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range
  • D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgLB
    sgBastion: allow port 22 traffic from the VPC IP address range

Answer: B

Explanation:
The Load Balancer should accept traffic on ports 80 and 443 from 0.0.0.0/0. The backend EC2 instances should accept traffic from the Load Balancer. The database should allow traffic from the web server, and the bastion host should only allow traffic from a specific corporate IP address range. Option A is incorrect because the web group should only allow traffic from the Load Balancer. For more information on AWS Security Groups, please refer to the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answer is: sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range.


NEW QUESTION # 281
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:
* Each object must be encrypted using a unique key.
* Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
* AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?

  • A. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
  • B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
  • C. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
  • D. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

Answer: C


NEW QUESTION # 282
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?

  • A. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
  • B. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
  • C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
  • D. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

Answer: D

Explanation:
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html


NEW QUESTION # 283
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.
Pattern:
"randomID_datestamp_PII.csv"
Example:
"1234567_12302017_000-00-0000.csv"
The bucket where these objects are being stored is using server-side encryption (SSE).
Which solution is the most secure and cost-effective option to protect the sensitive data?

  • A. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
  • B. Add an S3 bucket policy that denies the action s3:GetObject
  • C. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.
  • D. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

Answer: A

Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
https://aws.amazon.com/blogs/database/best-practices-for-securing-sensitive-data-in-aws-data-stores/


NEW QUESTION # 284
A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons.
Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO)

  • A. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.
  • B. Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
  • C. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
  • D. Create local database users for each module.
  • E. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.

Answer: A,C


NEW QUESTION # 285
A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.
Please select:

  • A. When storing data in S3, enable server-side encryption.
  • B. When storing data in Amazon S3, use object versioning and MFA Delete.
  • C. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
  • D. When storing data in EBS, encrypt the volume by using AWS KMS.
  • E. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.

Answer: A,D

Explanation:
The AWS documentation mentions the following:
To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your account, Amazon EBS creates one.
Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options for protecting data at rest in Amazon S3:
* Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
* Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Option A is invalid because using EBS-optimized Amazon EC2 instances alone will not guarantee protection of data at rest. Option C is invalid because this will not encrypt data at rest for S3 objects. Option D is invalid because you don't store data in the instance store. For more information on EBS encryption, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
For more information on S3 encryption, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
The correct answers are: When storing data in EBS, encrypt the volume by using AWS KMS. When storing data in S3, enable server-side encryption.


NEW QUESTION # 286
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
Please select:

  • A. Use S3 Encryption
  • B. Use SSL/TLS for encrypting the data
  • C. Encrypt the EBS volumes of the underlying EC2 Instances
  • D. Use AWS KMS Customer Default master key

Answer: D

Explanation:
The AWS documentation mentions the following:
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.
Option A is invalid because it is the cluster that needs to be encrypted.
Option C is invalid because this encrypts objects in transit and not objects at rest. Option D is invalid because this is used only for objects in S3 buckets. For more information on Redshift encryption, please visit the following URL:
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
The correct answer is: Use AWS KMS Customer Default master key


NEW QUESTION # 287
A company requires that IP packet data be inspected for invalid or malicious content.
Which of the following approaches achieve this requirement? (Choose two.)

  • A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
  • B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
  • C. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
  • D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
  • E. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.

Answer: A,B

Explanation:
"EC2 Instance IDS/IPS solutions offer key features to help protect your EC2 instances. This includes alerting administrators of malicious activity and policy violations, as well as identifying and taking action against attacks. You can use AWS services and third party IDS/IPS solutions offered in AWS Marketplace to stay one step ahead of potential attackers."


NEW QUESTION # 288
A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account?
Choose 3 answers from the options given below.
Please select:

  • A. Change the password for the root account
  • B. Change the access keys for all IAM users.
  • C. Confirm MFA to a secure device
  • D. Change the password for all IAM users
  • E. Delete the access keys for the root account
  • F. Delete all custom created IAM policies

Answer: A,C,E

Explanation:
If the root account could have been compromised, carry out the following steps:
1. Delete the access keys for the root account
2. Confirm MFA to a secure device
3. Change the password for the root account
This will ensure the employee who has left has no chance to compromise the resources in AWS.
Option A is invalid because this would hamper the working of the current IAM users. Option B is invalid because this could hamper the current working of services in your AWS account. Option F is invalid because this would hamper the working of the current IAM users. For more information on the IAM root user, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
The correct answers are: Delete the access keys for the root account. Confirm MFA to a secure device. Change the password for the root account.


NEW QUESTION # 289
Your developer is using the KMS service and an assigned key in their Java program. They get the following error when running the code: "arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey". Which of the following could help resolve the issue?
Please select:

  • A. Ensure that UserB is given the right permissions in the Key policy
  • B. Ensure that UserB is given the right permissions in the Bucket policy
  • C. Ensure that UserB is given the right IAM role to access the key
  • D. Ensure that UserB is given the right permissions in the IAM policy

Answer: A

Explanation:
You need to ensure that UserB is given access via the Key policy for the Key

The option suggesting an IAM role is invalid because you don't assign roles to IAM users.
For more information on Key policies please visit the below Link:
https://docs.aws.amazon.com/kms/latest/developerguide/key-poli
The correct answer is: Ensure that UserB is given the right permissions in the Key policy


NEW QUESTION # 290
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the Engineer implement?



  • A. Option C
  • B. Option B
  • C. Option D
  • D. Option A

Answer: D


NEW QUESTION # 291
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

  • A. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
  • B. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
  • C. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
  • D. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

Answer: B

Explanation:
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html


NEW QUESTION # 292
A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?

  • A. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
  • B. The Secrets Manager IAM policy does not allow access for the applications.
  • C. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
  • D. The Secrets Manager IAM policy does not allow access to the RDS database.

Answer: C


NEW QUESTION # 293
A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.
After several minutes, the Engineer finds that his Athena query has failed with the error message: "Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are shown below:
Security Engineer

Lambda function execution role

What is causing the error?

  • A. The Security Engineer does not have permissions to start the Athena query execution.
  • B. The Lambda function does not have permissions to access the CloudTrail S3 bucket.
  • C. The Lambda function does not have permissions to start the Athena query execution.
  • D. The Athena service does not support invocation through Lambda.

Answer: A


NEW QUESTION # 294
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
Please select:

  • A. Use AWS KMS Customer Default master key
  • B. Use S3 Encryption
  • C. Use SSL/TLS for encrypting the data
  • D. Encrypt the EBS volumes of the underlying EC2 Instances

Answer: A

Explanation:
The AWS documentation mentions the following:
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.
Option A is invalid because it is the cluster that needs to be encrypted.
Option C is invalid because this encrypts objects in transit and not objects at rest. Option D is invalid because this is used only for objects in S3 buckets. For more information on Redshift encryption, please visit the following URL:
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
The correct answer is: Use AWS KMS Customer Default master key


NEW QUESTION # 295
An employee keeps terminating EC2 instances in the production environment. You've determined that the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below.
Please select:

  • A. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
  • B. Tag the instance with a production-identifying tag and modify the employee's group to allow only start, stop, and reboot API calls and not the terminate instance call.
  • C. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
  • D. Modify the IAM policy on the user to require MFA before deleting EC2 instances

Answer: B,C

Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. Options C&D are incorrect because they will not ensure that the employee cannot terminate the instance.
For more information on tagging AWS resources please refer to the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answers are: Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. Tag the instance with a production-identifying tag and modify the employee's group to allow only start, stop, and reboot API calls and not the terminate instance call.


NEW QUESTION # 296
You have an EC2 instance with the following security configured:
a. ICMP inbound allowed on Security Group
b. ICMP outbound not configured on Security Group
c. ICMP inbound allowed on Network ACL
d. ICMP outbound denied on Network ACL
If flow logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.
Please select:

  • A. A REJECT record for the response based on the NACL
  • B. An ACCEPT record for the request based on the Security Group
  • C. An ACCEPT record for the request based on the NACL
  • D. A REJECT record for the response based on the Security Group

Answer: A,B,C

Explanation:
This example is given in the AWS documentation as well:
For example, you use the ping command from your home computer (IP address 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present. For more information on Flow Logs, please refer to the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL.
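The stateful-versus-stateless behaviour behind this question, as an added example that is not from the page or from AWS: a small model that passes the ping request and reply through a security group and a network ACL and emits the resulting flow-log records, using the addresses from the explanation. The record format is simplified (one record per packet, with the layer that dropped it named as the reason).

```python
from dataclasses import dataclass

HOME = "203.0.113.12"        # the home computer, as in the AWS example
INSTANCE = "172.31.16.139"   # the instance's private IP, as in the AWS example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp", "tcp", ...
    direction: str  # "ingress" (towards the instance) or "egress"


def _opposite(direction):
    return "egress" if direction == "ingress" else "ingress"


class SecurityGroup:
    """Stateful filter: once a flow is accepted in one direction, its return
    traffic is accepted in the other direction whatever the rules say."""

    def __init__(self, inbound, outbound):
        self.rules = {"ingress": set(inbound), "egress": set(outbound)}
        self.tracked = set()  # (src, dst, proto, direction) of accepted flows

    def allows(self, pkt):
        # A reply to a flow that was already accepted the other way?
        if (pkt.dst, pkt.src, pkt.proto, _opposite(pkt.direction)) in self.tracked:
            return True
        if pkt.proto in self.rules[pkt.direction]:
            self.tracked.add((pkt.src, pkt.dst, pkt.proto, pkt.direction))
            return True
        return False


class NetworkAcl:
    """Stateless filter: every packet is judged only on the rules for its own
    direction; the reply to an allowed request gets no special treatment."""

    def __init__(self, inbound, outbound):
        self.rules = {"ingress": set(inbound), "egress": set(outbound)}

    def allows(self, pkt):
        return pkt.proto in self.rules[pkt.direction]


def flow_records(packets, sg, nacl):
    """One flow-log style record per packet. Ingress traffic meets the network
    ACL first and then the security group; egress traffic the reverse. The
    first layer to drop the packet is recorded as the reason."""
    records = []
    for pkt in packets:
        layers = [("network ACL", nacl), ("security group", sg)]
        if pkt.direction == "egress":
            layers.reverse()
        action, reason = "ACCEPT", "security group and network ACL"
        for name, layer in layers:
            if not layer.allows(pkt):
                action, reason = "REJECT", name
                break
        records.append({"direction": pkt.direction, "src": pkt.src,
                        "dst": pkt.dst, "action": action, "reason": reason})
    return records


def ping_scenario(sg_in, sg_out, nacl_in, nacl_out):
    """Echo request from HOME to INSTANCE, then the echo reply back."""
    sg = SecurityGroup(inbound=sg_in, outbound=sg_out)
    nacl = NetworkAcl(inbound=nacl_in, outbound=nacl_out)
    packets = [
        Packet(HOME, INSTANCE, "icmp", "ingress"),  # echo request
        Packet(INSTANCE, HOME, "icmp", "egress"),   # echo reply
    ]
    return flow_records(packets, sg, nacl)


if __name__ == "__main__":
    # The question's configuration: ICMP allowed inbound on both layers and
    # not allowed outbound on either.
    for rec in ping_scenario(sg_in={"icmp"}, sg_out=set(),
                             nacl_in={"icmp"}, nacl_out=set()):
        print(rec)
```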


NEW QUESTION # 297
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as part of the policy?
Please select:

  • A. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
  • B. Launch the test and production instances in separate regions and allow region wise access to the group
  • C. Create an IAM policy with a condition which allows access to only small instances
  • D. Define the IAM policy which allows access based on the instance ID

Answer: A

Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. Option A is invalid because this is not a recommended practice. Option B is invalid because this is an overhead to maintain in policies. Option C is invalid because the instance type will not resolve the requirement. For information on resource tagging, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags.
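The tag-based patterns in questions 295 and 297 above, as an added example that is not part of the original page: two constructed policies in IAM JSON shape, evaluated by a simplified model of IAM's decision logic (an explicit Deny wins, then an Allow, otherwise implicit deny) with StringEquals conditions on aws:ResourceTag. The account id, instance ids and tag values are placeholders.

```python
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
PROD = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0aaaaaaaaaaaaaaa1"
TEST = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0bbbbbbbbbbbbbbb2"
UNTAGGED = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0ccccccccccccccc3"

# Constructed inventory: instance ARN -> tags.
INSTANCES = {
    PROD: {"Environment": "Production"},
    TEST: {"Environment": "Test"},
    UNTAGGED: {},
}

LIFECYCLE_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances",
                     "ec2:RebootInstances", "ec2:TerminateInstances"]

# Question 295, option C: keep the broad allow but add an explicit deny on
# terminate for anything tagged as production. (Describe* calls cannot be
# scoped this way; they do not support resource-level permissions.)
EMPLOYEE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InstanceLifecycle", "Effect": "Allow",
         "Action": LIFECYCLE_ACTIONS,
         "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*"},
        {"Sid": "NeverTerminateProduction", "Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Production"}}},
    ],
}

# Question 297, option A: allow only instances carrying the test tag; anything
# else (including untagged instances) falls through to implicit deny.
TESTERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TestInstancesOnly", "Effect": "Allow",
         "Action": LIFECYCLE_ACTIONS,
         "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Test"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, resource_tags):
    """Only StringEquals/StringNotEquals on aws:ResourceTag/<Key> are modelled,
    which is all the tag pattern needs; anything else raises instead of being
    silently treated as satisfied. A missing tag never satisfies StringEquals."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                raise ValueError(f"unsupported condition key: {key}")
            actual = resource_tags.get(key.split("/", 1)[1])
            hit = actual in _as_list(expected)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True


def evaluate(policy, action, resource_arn, resource_tags):
    """Decision for one identity policy: an explicit Deny in any matching
    statement wins; otherwise Allow if some statement allows; otherwise
    implicit deny. Action and Resource use IAM's * and ? wildcards."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not condition_matches(stmt["Condition"], resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for arn, tags in INSTANCES.items():
        for action in ("ec2:StopInstances", "ec2:TerminateInstances"):
            print("employee", action, tags or "{}", evaluate(EMPLOYEE_POLICY, action, arn, tags))
            print("tester  ", action, tags or "{}", evaluate(TESTERS_POLICY, action, arn, tags))
```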


NEW QUESTION # 298
You are working for a company and have been allocated the task of ensuring that a federated authentication mechanism is set up between AWS and their on-premises Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
Please select:

  • A. Configure AWS as the relying party in Active Directory
  • B. Ensure the right match is in place for On-premise AD Groups and IAM Groups.
  • C. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
  • D. Configure AWS as the relying party in Active Directory Federation Services

Answer: C,D

Explanation:
The AWS documentation mentions some key aspects of configuring on-premises AD with AWS. One is the groups configuration in AD.
Active Directory configuration: determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name and an AWS IAM role.
One approach for creating the AD groups that uniquely identify the AWS IAM role mapping is to select a common group naming convention. For example, your AD groups would start with an identifier, for example AWS-, as this will distinguish your AWS groups from others within the organization. Next include the 12-digit AWS account number. Finally, add the matching role name within the AWS account. Here is an example:

Next is the configuration of the relying party, which is AWS.
ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to IAM Groups. Option C is invalid because the relying party should be configured in Active Directory Federation Services. For more information on federated access, please visit the following URL:
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles. Configure AWS as the relying party in Active Directory Federation Services.


NEW QUESTION # 299
You work as an administrator for a company. The company hosts a number of resources using AWS. There was an incident of suspicious API activity 11 days ago. The Security Admin has asked for the API activity from that point in time. How can this be achieved?
Please select:

  • A. Search the CloudWatch metrics to find the suspicious activity which occurred 11 days ago
  • B. Search the Cloudtrail event history on the API events which occurred 11 days ago.
  • C. Search the CloudWatch logs to find the suspicious activity which occurred 11 days ago
  • D. Use AWS Config to get the API calls which were made 11 days ago.

Answer: B

Explanation:
The CloudTrail event history allows you to view events recorded for the past 90 days, so one can use a metric filter to gather the API calls from 11 days ago.
Options A and C are invalid because CloudWatch is used for logging and not for monitoring API activity. Option D is invalid because AWS Config is a configuration service and not for monitoring API activity. For more information on AWS CloudTrail, please visit the following URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
Note:
In this question we assume that the customer has enabled the CloudTrail service.
AWS CloudTrail is enabled by default for all customers and provides visibility into the past seven days of account activity without the need to configure a trail to get started. So for activity that happened 11 days ago to be stored in CloudTrail, the trail must be configured manually to ensure that it is retained in the event history.
* https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-aws-customers/
The correct answer is: Search the CloudTrail event history for the API events which occurred 11 days ago.
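The retrieval the explanation describes is done with the CloudTrail LookupEvents API, which covers the last 90 days of management events. The following is an added example, not code from the exam dump: it checks that the requested day is still inside that window, then pages through LookupEvents for that day via a boto3-style client (a real `boto3.client("cloudtrail")` can be passed in; the stub client and sample events are constructed so the demo runs offline).

```python
from datetime import datetime, timedelta, timezone

EVENT_HISTORY_DAYS = 90  # CloudTrail event history keeps 90 days of management events

def within_event_history(days_ago):
    """True if a day that many days back can still be queried via LookupEvents."""
    return 0 <= days_ago < EVENT_HISTORY_DAYS

def lookup_window(days_ago, now=None):
    """(start, end) UTC bounds of the calendar day `days_ago` days before `now`."""
    if not within_event_history(days_ago):
        raise ValueError(f"{days_ago} days ago is outside the {EVENT_HISTORY_DAYS}-day event history")
    now = now or datetime.now(timezone.utc)
    day = (now - timedelta(days=days_ago)).replace(hour=0, minute=0, second=0, microsecond=0)
    return day, day + timedelta(days=1)

def lookup_api_events(client, days_ago, event_name=None, now=None):
    """Page through CloudTrail LookupEvents for that day, optionally filtered by EventName.
    `client` is a boto3 CloudTrail client (boto3.client("cloudtrail")) or the offline stub below."""
    start, end = lookup_window(days_ago, now)
    params = {"StartTime": start, "EndTime": end}
    if event_name:
        params["LookupAttributes"] = [{"AttributeKey": "EventName", "AttributeValue": event_name}]
    events = []
    for page in client.get_paginator("lookup_events").paginate(**params):
        events.extend(page.get("Events", []))
    return events

class StubCloudTrail:
    """Constructed stand-in for the boto3 client so the demo runs offline (assumption, not AWS code)."""
    def __init__(self, events):
        self.events = events
    def get_paginator(self, name):
        assert name == "lookup_events"
        return self
    def paginate(self, StartTime, EndTime, LookupAttributes=None):
        wanted = LookupAttributes[0]["AttributeValue"] if LookupAttributes else None
        yield {"Events": [e for e in self.events if StartTime <= e["EventTime"] < EndTime
                          and (wanted is None or e["EventName"] == wanted)]}

NOW = datetime(2023, 6, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed records, not real account activity
    {"EventName": "DeleteTrail", "EventTime": NOW - timedelta(days=11), "Username": "ops-user"},
    {"EventName": "DescribeInstances", "EventTime": NOW - timedelta(days=11, hours=3), "Username": "ops-user"},
    {"EventName": "DeleteTrail", "EventTime": NOW - timedelta(days=40), "Username": "ops-user"},
]
```

Calling `lookup_api_events(StubCloudTrail(SAMPLE_EVENTS), 11, "DeleteTrail", NOW)` returns only the DeleteTrail record from 11 days ago; the 40-day-old record is outside the requested day, and a request for 95 days back is rejected before any API call is made.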


NEW QUESTION # 300
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted on or reported by the Amazon CloudWatch Logs agent.
Why were there no alerts on the sudo commands?

  • A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
  • B. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
  • C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
  • D. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

Answer: D
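The cause named in option D can be confirmed by reading the policy attached to the instance profile. The following added example (not part of the original question) evaluates whether an identity policy grants the four actions the CloudWatch Logs agent needs to create streams and push events; the sample policies are constructed, and the evaluator only looks at Effect and Action (Resource and Condition are ignored), which is enough to spot a profile that never grants logs permissions at all.

```python
import fnmatch

# Actions the CloudWatch Logs agent needs to create log groups/streams and push events
AGENT_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream",
                 "logs:PutLogEvents", "logs:DescribeLogStreams")

def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_agent_actions(policy):
    """Agent actions the policy allows: Allow matches minus explicit Deny matches.
    Action patterns are matched case-insensitively with IAM-style '*' wildcards."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        matched = {a for a in AGENT_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return allowed - denied

def missing_agent_actions(policy):
    """Actions the agent needs but the policy does not grant; empty means it can ship logs."""
    return [a for a in AGENT_ACTIONS if a not in allowed_agent_actions(policy)]

# Constructed sample policies (not from any real account)
EC2_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}   # the misconfigured profile
AGENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(AGENT_ACTIONS), "Resource": "arn:aws:logs:*:*:*"}]}
DENIED_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "logs:PutLogEvents", "Resource": "*"}]}  # wildcard undone by Deny
```

`missing_agent_actions(EC2_READ_ONLY)` lists all four actions, `AGENT_POLICY` is missing none, and `DENIED_WRITE` shows that a `logs:*` grant is still useless for shipping logs when `logs:PutLogEvents` is explicitly denied.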


NEW QUESTION # 301
A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?

  • A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
  • B. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
  • C. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.
  • D. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Answer: A


NEW QUESTION # 302
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account.
Which configuration caused this issue?
A) An SCP is attached to the account with the following permission statement:

B) A permission boundary policy is attached to the System Administrator role with the following permission statement:

C) A permission boundary is attached to the System Administrator role with the following permission statement:

D) An SCP is attached to the account with the following statement:

  • A. Option C
  • B. Option B
  • C. Option D
  • D. Option A

Answer: B


NEW QUESTION # 303
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table:

Which of the following has been taken care of from a security perspective in the above command?
Please select:

  • A. The above command ensures data encryption at rest for the Customer table
  • B. Since the ID is hashed, it ensures security of the underlying table.
  • C. The right throughput has been specified from a security perspective
  • D. The above command ensures data encryption in transit for the Customer table

Answer: A

Explanation:
The above command with the "--sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest.
Options B, C and D are all invalid because this command is specifically used to ensure data encryption at rest. For more information on DynamoDB encryption, please visit the URL:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
The correct answer is: The above command ensures data encryption at rest for the Customer table


NEW QUESTION # 304
......
