100% Pass Your SCS-C01 Exam Dumps at First Attempt with PassLeader [Q32-Q53]


NEW QUESTION 32
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below.
Please select:

  • A. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
  • B. Encrypt the object with a KMS key controlled by the company.
  • C. Upload the file to the company's S3 bucket
  • D. Add a grant to the object's ACL giving full permissions to the bucket owner.
  • E. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object

Answer: C,D

Explanation:
This scenario is given in the AWS Documentation:
A bucket owner can enable other AWS accounts to upload objects. These objects are owned by the accounts that created them. The bucket owner does not own objects that were not created by the bucket owner.
Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner using an object ACL. The bucket owner can then delegate those permissions via a bucket policy. In this example, the bucket owner delegates permission to users in its own account.

Options A and D are invalid because bucket ACLs are used to give grants to the bucket. Option C is not required since encryption is not part of the requirement. For more information on this scenario please see the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to the bucket owner; Upload the file to the company's S3 bucket.

 

NEW QUESTION 33
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?

  • A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account. B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
  • B. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.
  • C. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.

Answer: C

 

NEW QUESTION 34
Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances needs to be encrypted. Which of the following can help achieve this?
Please select:

  • A. IAM Access Key
  • B. API Gateway with STS
  • C. AWS KMS API
  • D. AWS Certificate Manager

Answer: C

Explanation:
The AWS Documentation mentions the following on AWS KMS:
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage.
Option B is incorrect: AWS Certificate Manager can be used to generate SSL certificates that encrypt traffic in transit, but not data at rest. Option C is incorrect: STS is again used for issuing tokens when using API Gateway for traffic in transit.
Option D is used for secure access to EC2 Instances.
For more information on AWS KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
The correct answer is: AWS KMS API

 

NEW QUESTION 35
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:
* Each object must be encrypted using a unique key.
* Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
* AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?

  • A. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
  • B. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
  • C. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
  • D. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

Answer: B

 

NEW QUESTION 36
Your company is planning on hosting an internal network in AWS. They want machines in the VPC to authenticate using private certificates. They want to minimize the work and maintenance involved in working with certificates. What is the ideal way to fulfil this requirement?
Please select:

  • A. Consider using AWS Access keys to generate the certificates
  • B. Consider using AWS Trusted Advisor for managing the certificates
  • C. Consider using Windows Server 2016 Certificate Manager
  • D. Consider using AWS Certificate Manager

Answer: D

Explanation:
The AWS Documentation mentions the following:
ACM is tightly linked with AWS Certificate Manager Private Certificate Authority. You can use ACM PCA to create a private certificate authority (CA) and then use ACM to issue private certificates. These are SSL/TLS X.509 certificates that identify users, computers, applications, services, servers, and other devices internally. Private certificates cannot be publicly trusted.
Option A is partially invalid. Windows Server 2016 Certificate Manager can be used, but since there is a requirement to "minimize the work and maintenance", AWS Certificate Manager should be used. Options C and D are invalid because these cannot be used for managing certificates.
For more information on ACM, please visit the URL below:
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
The correct answer is: Consider using AWS Certificate Manager

 

NEW QUESTION 37
A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16.000 B to 5 MB. The requirements are as follows:
* The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
* The key material must be available in multiple Regions.
Which option meets these requirements?

  • A. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.
  • B. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions
  • C. Use AWS CloudHSM to generate the key material and back up keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
  • D. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions

Answer: C

 

NEW QUESTION 38
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

  • A. The CMK policy
  • B. The IAM policy
  • C. The S3 bucket policy
  • D. The S3 ACL
  • E. The VPC endpoint policy

Answer: B,C,D

 

NEW QUESTION 39
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?
Please select:

  • A.
  • B.
  • C.
  • D.

Answer: A

Explanation:
The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that uploaded objects must be encrypted.
Options B, C and D are invalid because you have to ensure the condition "s3:x-amz-server-side-encryption":"aws:kms" is present. For more information on AWS KMS best practices, browse to the URL below:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

 

NEW QUESTION 40
A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also, all API calls must be stored for lookup purposes. Any log data older than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below.
Each answer forms part of the solution.
Please select:

  • A. Enable CloudTrail logging in all accounts into Amazon Glacier
  • B. Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
  • C. Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
  • D. Enable CloudTrail logging in all accounts into S3 buckets

Answer: B,D

Explanation:
CloudTrail publishes the trail of API logs to an S3 bucket.
Option B is invalid because you cannot put the logs into Glacier directly from CloudTrail. Option C is invalid because lifecycle policies cannot be used to move data to EBS volumes. For more information on CloudTrail logging, please visit the URL below:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
You can then use lifecycle policies to transfer data to Amazon Glacier after 6 months. For more information on S3 lifecycle policies, please visit the URL below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answers are: Enable CloudTrail logging in all accounts into S3 buckets; Ensure a lifecycle policy is defined on the bucket to move the data to Amazon Glacier after 6 months.

 

NEW QUESTION 41
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

  • A. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
  • B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
  • C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
  • D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

Answer: C

 

NEW QUESTION 42
You are creating a Lambda function which will be triggered by a CloudWatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
Please select:

  • A. Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
  • B. Put the AWS Access keys in the Lambda function, since the Lambda function is secure by default
  • C. Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.
  • D. Use the AWS Access keys which have access to DynamoDB and place them in an S3 bucket.

Answer: A

Explanation:
AWS Lambda functions use roles to interact with other AWS services. So use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
Options A and C are invalid because you should never use AWS access keys for access.
Option D is invalid because the VPC endpoint is used for VPCs.
For more information on the Lambda function permission model, please visit the URL:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.

 

NEW QUESTION 43
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)

  • A. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
  • B. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
  • C. Create a VPC endpoint for AWS KMS with private DNS enabled.
  • D. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
  • E. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Answer: C,D

Explanation:
An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:
    "Condition": {
        "StringNotEquals": {
            "aws:sourceVpce": "vpce-0295a3caf8414c94a"
        }
    }
If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname (https://kms.<region>.amazonaws.com) resolves to your VPC endpoint.

 

NEW QUESTION 44
Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Please select:

  • A. Use the aws:Referer key in the condition clause for the bucket policy
  • B. Grant a role that can be assumed by the web site
  • C. Grant public access for the bucket via the bucket policy
  • D. Use the aws:sites key in the condition clause for the bucket policy

Answer: A

Explanation:
An example of this is given in the AWS Documentation:
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:Referer key, that the GET request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.

Option A is invalid because giving public access is not a secure way to provide access. Option C is invalid because aws:sites is not a valid condition key. Option D is invalid because IAM roles will not be assigned to web sites. For more information on example bucket policies please visit the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy

 

NEW QUESTION 45
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.
Which action should the Security Engineer take to allow communication over the public IP addresses?

  • A. Add the public IP addresses to the ingress rules of the instance security groups.
  • B. Add 0.0.0.0/0 to the egress rules of the instance security groups.
  • C. Associate the instances to the same security groups.
  • D. Add the instance IDs to the ingress rules of the instance security groups.

Answer: A

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-other-ins

 

NEW QUESTION 46
You have set up a set of applications across 2 VPCs. You have also set up VPC Peering. The applications are still not able to communicate across the peering connection. Which network troubleshooting step should be taken to resolve the issue?
Please select:

  • A. Check the Route tables for the VPCs
  • B. Check to see if the VPC has a NAT gateway attached.
  • C. Ensure the applications are hosted in a public subnet
  • D. Check to see if the VPC has an Internet gateway attached.

Answer: A

Explanation:
After the VPC peering connection is established, you need to ensure that the route tables are modified so that traffic can flow between the VPCs. Options A, B and C are invalid because access via the Internet gateway and the use of public subnets can help with Internet access, but not with VPC Peering.
For more information on VPC peering routing, please visit the URL below:
com/AmazonVPC/latest/Peeri
The correct answer is: Check the Route tables for the VPCs

 

NEW QUESTION 47
Your company uses AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?
Please select:

  • A. Use CloudTrail to see if any KMS API request has been issued against existing keys
  • B. Rotate the keys once before deletion to see if other services are using the keys
  • C. Change the IAM policy for the keys to see if other services are using the keys
  • D. Use Key policies to see the access level for the keys

Answer: A

Explanation:
The AWS Documentation mentions the following:
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it.
Options B and D are incorrect because neither key policies nor IAM policies can be used to check if the keys are being used.
Option C is incorrect since rotation will not help you check if the keys are being used.
For more information on deleting keys, please refer to the URL below:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys

 

NEW QUESTION 48
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use Systems Manager for patching servers. Which of the following is a pre-requisite for this to work?
Please select:

  • A. Ensure that an IAM Group is created for the on-premise servers
  • B. Ensure that the on-premise servers are running on Hyper-V.
  • C. Ensure that an IAM service role is created
  • D. Ensure that an IAM User is created

Answer: C

Explanation:
You need to ensure that an IAM service role is created to allow the on-premise servers to communicate with AWS Systems Manager.
Option A is incorrect since it is not necessary that servers only run Hyper-V. Options C and D are incorrect since it is not necessary that IAM users and groups are created. For more information on the Systems Manager role please refer to the URL below:
.com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created

 

NEW QUESTION 49
An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.
How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

  • A. Download and analyze a credential report from IAM.
  • B. Analyze the resource inventory in AWS Config for IAM user activity.
  • C. Download and analyze the IAM Use report from AWS Trusted Advisor.
  • D. Analyze AWS CloudTrail for activity.
  • E. Analyze Amazon CloudWatch Logs for activity.

Answer: A,D

Explanation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

 

NEW QUESTION 50
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that holds critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:

  • A. Ensure the bucket policy has a condition which involves aws:PrincipalID
  • B. Ensure the bucket policy has a condition which involves aws:AccountNumber
  • C. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
  • D. Ensure the bucket policy has a condition which involves aws:OrgID

Answer: C

 

NEW QUESTION 51
An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.
How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused?
(Choose two.)

  • A. Download and analyze a credential report from IAM.
  • B. Analyze the resource inventory in AWS Config for IAM user activity.
  • C. Download and analyze the IAM Use report from AWS Trusted Advisor.
  • D. Analyze AWS CloudTrail for activity.
  • E. Analyze Amazon CloudWatch Logs for activity.

Answer: A,D

 

NEW QUESTION 52
A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.
The company's Developer Operations department learns about this only after the CMK has been deleted.
Which steps must be taken to address this situation?

  • A. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.
  • B. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.
  • C. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.
  • D. Make a request to AWS Support to recover the S3 encrypted data.

Answer: D

 
