[Oct 05, 2023] Get Free Updates Up to 365 days On Developing SCS-C01 Braindumps [Q231-Q251]



Best Quality Amazon SCS-C01 Exam Questions


How to Prepare For Amazon AWS-Security-Specialty: AWS Certified Security - Specialty Exam

Preparation Guide for Amazon AWS-Security-Specialty: AWS Certified Security - Specialty Exam

Introduction

Amazon Web Services (AWS) is a subsidiary of Amazon providing on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. AWS certification is a level of Amazon Web Services cloud expertise that an IT professional obtains after passing one or more exams offered by AWS.

IT pros gain AWS certifications to demonstrate and validate technical cloud knowledge and skills. AWS provides different certification exams for cloud engineers, administrators, and architects. An AWS certification is valid for two years, and IT pros can recertify after it expires. There are hundreds of testing centers around the world at which to take the AWS Certified Security - Specialty practice exams.

AWS Certification validates cloud expertise to help professionals highlight in-demand skills and helps organizations build effective, innovative teams for cloud initiatives using AWS. Whether you are a cloud expert or transitioning from on-premises solutions, this certification gives you a firm base on which to build your cloud computing knowledge and prepares you to delve into the more technical aspects of AWS.

This guide provides a detailed overview of the AWS Solutions Architect Professional certification, including the prerequisites for the exam, the exam format, the topics covered, exam difficulty, preparation methods, and the target audience profile. We design our AWS Certified Security - Specialty exam dumps PDF and AWS Accredited Developer professional questions around student requirements, and our study materials help students complete their examinations.

 

NEW QUESTION # 231
An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds it would switch back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances.
The IAM user policy is as follows:

What additional items need to be added to the IAM user policy? (Choose two.)

  • A. kms:Decrypt
  • B. "Condition": {
    "Bool": {
    "kms:GrantIsForAWSResource": true
    }
    }
  • C. "Condition": {
    "Bool": {
    "kms:ViaService": "ec2.us-west-2.amazonaws.com"
    }
    }
  • D. kms:CreateGrant
  • E. kms:GenerateDataKey

Answer: A,C


NEW QUESTION # 232
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables. The application must:
* Include migration to a different AWS Region in the application disaster recovery plan.
* Provide a full audit trail of encryption key administration events
* Allow only company administrators to administer keys.
* Protect data at rest using application layer encryption
A Security Engineer is evaluating options for encryption key management. Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

  • A. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not
  • B. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
  • C. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys
  • D. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS

Answer: C


NEW QUESTION # 233
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

  • A. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
  • B. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.
  • C. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
  • D. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

Answer: B


NEW QUESTION # 234
A company created an AWS account for its developers to use for testing and learning purposes. Because this account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.
Developers were instructed to tag all their instances with a Team tag key and use the team name in the tag value. One of the first teams to use this account is Business Intelligence. A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account. The security engineer has already created individual IAM roles for each team.
Which additional configuration steps should the security engineer take to complete the task?

  • A. For each team, create an IAM policy similar to the one that follows. Populate the ec2:ResourceTag/Team condition key with a proper team name. Attach the resulting policies to the corresponding IAM roles.
  • B. For each team, create an IAM policy similar to the one that follows. Populate the aws:TagKeys/Team condition key with a proper team name. Attach the resulting policies to the corresponding IAM roles.
  • C. Tag each IAM role with a Team tag key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach it to all the IAM roles used by developers.
  • D. Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach it to all the IAM roles used by developers.

Answer: A


NEW QUESTION # 235
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native IAM features should be used as much as possible. The security engineer has set up IAM Organizations with all features activated and IAM SSO enabled.
Which additional steps should the security engineer take to complete the task?

  • A. Use AD Connector to create users and groups for all employees that require access to IAM accounts.
    Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.
  • B. Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.
  • C. Use IAM Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts. Enable IAM Management Console access in the created directory and specify IAM SSO as a source of information for integrated accounts and permission sets. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.
  • D. Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Answer: B


NEW QUESTION # 236
An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
* The instance is allowed the kms:Decrypt action in its IAM role for all resources
* The AWS KMS CMK status is set to enabled
* The instance can communicate with the KMS API using a configured VPC endpoint
What is causing the issue?

  • A. The KMS CMK key policy that enables IAM user permissions is missing
  • B. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
  • C. The kms:Encrypt permission is missing from the EC2 IAM role
  • D. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN

Answer: B

Explanation:
In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to.
References:


NEW QUESTION # 237
Which of the following is not a best practice for carrying out a security audit?
Please select:

  • A. Conduct an audit on a yearly basis
  • B. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
  • C. Whenever there are changes in your organization
  • D. Conduct an audit if application instances have been added to your account

Answer: A

Explanation:
A year is generally too long a gap between security audits. The AWS documentation states that you should audit your security configuration in the following situations:
* On a periodic basis.
* If there are changes in your organization, such as people leaving.
* If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
* If you've added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.
* If you ever suspect that an unauthorized person might have accessed your account.
Options B, C and D are all recommended best practices for conducting audits. For more information on the security audit guidelines, see:
https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
The correct answer is: Conduct an audit on a yearly basis


NEW QUESTION # 238
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data. Which solution will meet these requirements?

  • A. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
  • B. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data
  • C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys
  • D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Answer: B


NEW QUESTION # 239
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table:

Which of the following has been taken care of from a security perspective by the above command?
Please select:

  • A. The above command ensures data encryption in transit for the Customer table
  • B. The right throughput has been specified from a security perspective
  • C. The above command ensures data encryption at rest for the Customer table
  • D. Since the ID is hashed, it ensures security of the underlying table.

Answer: C

Explanation:
The above command with the "--sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest.
Options A, B and D are all invalid because this command is specifically used to ensure data encryption at rest.
For more information on DynamoDB encryption, please visit the URL:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
The correct answer is: The above command ensures data encryption at rest for the Customer table


NEW QUESTION # 240
Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security groups attached to them. You need to ensure that changes to the security groups are noted and acted on accordingly.
How can you achieve this?
Please select:

  • A. Use AWS Inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
  • B. Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
  • C. Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
  • D. Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Answer: B

Explanation:
The diagram in the AWS blog post linked below shows how security groups can be monitored.
Option A is invalid because AWS Inspector is not used to monitor activity on security groups. Options C and D are invalid because you need to use CloudWatch Events to detect the changes. For more information on monitoring security groups, see:
https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-vpc-security-groups/
The correct answer is: Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
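The CloudWatch Events (now EventBridge) rule and Lambda function that the explanation refers to can be shown end to end. The following Python is an added example, not code from the page or from the cited AWS blog post: it holds the rule pattern that matches CloudTrail security group mutation calls, applies it to an event, and builds the notification an on-call engineer would receive. The sample event, account ID, security group ID and IP addresses are constructed, and the SNS publish call is replaced by returning the message so the logic runs offline.

```python
import json

# EventBridge / CloudWatch Events rule pattern for CloudTrail security group
# mutation calls (added example; event shape follows CloudTrail's format).
SG_CHANGE_EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": [
            "AuthorizeSecurityGroupIngress",
            "AuthorizeSecurityGroupEgress",
            "RevokeSecurityGroupIngress",
            "RevokeSecurityGroupEgress",
        ],
    },
}


def matches_pattern(event, pattern=SG_CHANGE_EVENT_PATTERN):
    """Minimal EventBridge-style matcher: every key in the pattern must exist in
    the event, nested dicts recurse, and leaf values must be in the listed set."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def summarize_change(event):
    """Extract what an on-call engineer needs: who changed which group, from
    where, and whether any rule in the call opens the group to the internet."""
    detail = event["detail"]
    params = detail.get("requestParameters", {})
    rules = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            rules.append({
                "protocol": perm.get("ipProtocol"),
                "from_port": perm.get("fromPort"),
                "to_port": perm.get("toPort"),
                "cidr": rng.get("cidrIp"),
            })
    return {
        "action": detail["eventName"],
        "group_id": params.get("groupId"),
        "actor": detail.get("userIdentity", {}).get("arn"),
        "source_ip": detail.get("sourceIPAddress"),
        "rules": rules,
        "internet_exposed": any(r["cidr"] in ("0.0.0.0/0", "::/0") for r in rules),
    }


def lambda_handler(event, context=None):
    """Return the notification to publish, or None when the event is not a
    security group change. A deployed function would pass the subject and
    message to SNS (boto3 sns.publish); returning them keeps this offline."""
    if not matches_pattern(event):
        return None
    summary = summarize_change(event)
    severity = "HIGH" if summary["internet_exposed"] else "INFO"
    return {
        "subject": f"[{severity}] {summary['action']} on {summary['group_id']}",
        "message": json.dumps(summary, indent=2),
        "summary": summary,
    }


# Constructed sample event: a user adds an inbound SSH rule from anywhere.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The severity flag is the useful part: a rule change that opens a port to 0.0.0.0/0 should page someone, while an ordinary revoke can stay an informational message.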


NEW QUESTION # 241
A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.
What two methods can the security team use to rotate each key? Select 2 answers from the options given below.
Please select:

  • A. Enable automatic key rotation for a CMK
  • B. Import new key material to a new CMK; Point the key alias to the new CMK.
  • C. Use the CLI or console to explicitly rotate an existing CMK
  • D. Delete an existing CMK and a new default CMK will be created.
  • E. Import new key material to an existing CMK

Answer: A,B

Explanation:
The AWS documentation states the following:
Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External), but you can rotate these CMKs manually.
Rotating Keys Manually
You might want to create a new CMK and use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation.
When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK.
Option E is invalid because you also need to point the key alias to the new key. Option C is invalid because an existing CMK cannot be explicitly rotated as it is. Option D is invalid because deleting existing keys will not guarantee the creation of a new default CMK. For more information on key rotation, see:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
The correct answers are: Enable automatic key rotation for a CMK; Import new key material to a new CMK and point the key alias to the new CMK.
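The "keep the original CMK enabled" point is easiest to see with a toy model. The following Python is an added example, not AWS code: ToyKms is an assumed in-memory stand-in for KMS key and alias behaviour with a deliberately insecure demonstration cipher (real CMK material never leaves KMS, and the SHA-256 keystream XOR here must not be used for anything real); rotate_manually performs the manual rotation the documentation describes, and demo() shows that data encrypted under the old key still decrypts until that key is disabled.

```python
import hashlib
import os
import secrets


class ToyKms:
    """In-memory stand-in for KMS key and alias behaviour (an assumption for
    illustration only). The 'cipher' is a SHA-256 keystream XOR so that each
    ciphertext depends on one specific key's material; it is NOT a secure
    cipher, and real CMK material never leaves KMS."""

    def __init__(self):
        self.keys = {}      # key_id -> {"material", "enabled", "origin"}
        self.aliases = {}   # alias name -> key_id

    def create_key(self, origin="AWS_KMS", material=None):
        key_id = f"key-{len(self.keys) + 1:04d}"
        if origin == "EXTERNAL":
            if material is None:
                raise ValueError("EXTERNAL origin requires imported key material")
        else:
            material = secrets.token_bytes(32)   # KMS-generated material
        self.keys[key_id] = {"material": material, "enabled": True, "origin": origin}
        return key_id

    def create_alias(self, alias, key_id):
        self.aliases[alias] = key_id

    def update_alias(self, alias, key_id):
        self.aliases[alias] = key_id           # the manual-rotation step

    def disable_key(self, key_id):
        self.keys[key_id]["enabled"] = False

    def _keystream(self, material, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(material + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def encrypt(self, key_ref, plaintext):
        key_id = self.aliases.get(key_ref, key_ref)   # alias or bare key id
        key = self.keys[key_id]
        if not key["enabled"]:
            raise PermissionError(f"{key_id} is disabled")
        nonce = os.urandom(12)
        stream = self._keystream(key["material"], nonce, len(plaintext))
        # As with KMS, the blob records which key produced it, so Decrypt
        # needs no key identifier from the caller.
        return {"key_id": key_id, "nonce": nonce,
                "ciphertext": bytes(a ^ b for a, b in zip(plaintext, stream))}

    def decrypt(self, blob):
        key = self.keys[blob["key_id"]]
        if not key["enabled"]:
            raise PermissionError(f"{blob['key_id']} is disabled")
        stream = self._keystream(key["material"], blob["nonce"], len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def rotate_manually(kms, alias, new_material):
    """Manual rotation for an EXTERNAL-origin CMK: import the new material into
    a new CMK and repoint the alias. The old CMK is deliberately left enabled."""
    old_key_id = kms.aliases[alias]
    new_key_id = kms.create_key(origin="EXTERNAL", material=new_material)
    kms.update_alias(alias, new_key_id)
    return old_key_id, new_key_id


def demo():
    kms = ToyKms()
    first = kms.create_key(origin="EXTERNAL", material=b"\x01" * 32)   # constructed material
    kms.create_alias("alias/app-data", first)
    before = kms.encrypt("alias/app-data", b"record written before rotation")

    old, new = rotate_manually(kms, "alias/app-data", b"\x02" * 32)
    after = kms.encrypt("alias/app-data", b"record written after rotation")
    results = {
        "old_key": old, "new_key": new,
        "new_writes_use_new_key": after["key_id"] == new,
        "old_data_still_decrypts": kms.decrypt(before) == b"record written before rotation",
        "new_data_decrypts": kms.decrypt(after) == b"record written after rotation",
    }
    # What goes wrong if the old CMK is disabled before its data is re-encrypted:
    kms.disable_key(old)
    try:
        kms.decrypt(before)
        results["old_data_after_disable"] = "decrypted"
    except PermissionError:
        results["old_data_after_disable"] = "denied"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the application only ever encrypts through the alias, repointing the alias is the whole cut-over; decryption needs no alias at all, which is why the old key must stay enabled until everything it protected has been re-encrypted or retired.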


NEW QUESTION # 242
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised. Which combination of actions should the Security team take to respond to the current incident? (Select TWO.)

  • A. Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance
  • B. Respond to the notification and list the actions that have been taken to address the incident
  • C. Delete the identified compromised instances and delete any associated resources that the Security team did not create.
  • D. Delete all IAM users and resources in the account
  • E. Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the security groups, and create a NACL rule to deny all traffic inbound from the internet

Answer: C,E


NEW QUESTION # 243
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database; administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure:
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances.
* sgDB - associated with the database
* sgBastion - associated with the bastion host
Which security group configuration will allow the application to be secure and functional?
Please select:

  • A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the VPC IP address range
  • B. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgLB
    sgBastion: allow port 22 traffic from the VPC IP address range
  • C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range
  • D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range

Answer: D

Explanation:
The Load Balancer should accept traffic on ports 80 and 443 from 0.0.0.0/0. The backend EC2 instances should accept traffic only from the Load Balancer. The database should allow traffic from the web servers (and the bastion host). The bastion host should only allow traffic from a specific corporate IP address range. Option C is incorrect because the web group should only allow traffic from the Load Balancer. For more information on AWS security groups, see:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answer is: sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range
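The rules in the explanation can be written down as a check that is run against each candidate configuration. The Python below is an added example, not from the page: it encodes the four options from the question as inbound rule sets (a rule's source is either a CIDR or another security group, as AWS allows), and findings() lists how each option violates the stated rules. The corporate range 203.0.113.0/24 and VPC range 10.0.0.0/16 are constructed stand-ins.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound rule: a TCP port and a source, which is either a CIDR or the
    name of another security group (AWS security group rules may reference groups)."""
    port: int
    source: str


# Constructed stand-ins: an RFC 5737 documentation range for the corporate block,
# a private range for the VPC.
CORPORATE_CIDR = "203.0.113.0/24"
VPC_CIDR = "10.0.0.0/16"
ANYWHERE = "0.0.0.0/0"


def build_option(option):
    """The four candidate configurations from the question, as inbound rule sets."""
    web_src = ANYWHERE if option == "C" else "sgLB"
    db_src = ("sgWeb", "sgLB") if option == "B" else ("sgWeb", "sgBastion")
    bastion_src = VPC_CIDR if option in ("A", "B") else CORPORATE_CIDR
    return {
        "sgLB": {Rule(80, ANYWHERE), Rule(443, ANYWHERE)},
        "sgWeb": {Rule(80, web_src), Rule(443, web_src)},
        "sgDB": {Rule(3306, src) for src in db_src},
        "sgBastion": {Rule(22, bastion_src)},
    }


def findings(cfg):
    """Check a configuration against the explanation's rules; an empty list means
    the configuration is both functional and locked down as described."""
    issues = []
    for port in (80, 443):
        if Rule(port, ANYWHERE) not in cfg["sgLB"]:
            issues.append(f"sgLB must accept port {port} from {ANYWHERE}")
    for r in cfg["sgWeb"]:
        if r.source != "sgLB":
            issues.append(f"sgWeb accepts port {r.port} from {r.source}; only sgLB should reach the web tier")
    db_sources = {r.source for r in cfg["sgDB"] if r.port == 3306}
    if db_sources != {"sgWeb", "sgBastion"}:
        issues.append(f"sgDB port 3306 sources are {sorted(db_sources)}; expected sgWeb and sgBastion")
    for r in cfg["sgBastion"]:
        if r.port != 22 or r.source != CORPORATE_CIDR:
            issues.append(f"sgBastion allows port {r.port} from {r.source}; only SSH from the corporate range is expected")
    return issues


def evaluate_options():
    """Run the check over options A to D and return the issues found for each."""
    return {opt: findings(build_option(opt)) for opt in "ABCD"}


if __name__ == "__main__":
    for opt, issues in evaluate_options().items():
        print(opt, "OK" if not issues else issues)
```

The same findings() function can be pointed at rules exported from a real account (for example from describe-security-groups output mapped into Rule objects) to catch drift from the intended layout.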


NEW QUESTION # 244
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

  • A. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
  • B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
  • C. The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey.
  • D. Newly created CMKs must allow the root principal to perform the kms:CreateGrant API operation.

Answer: A


NEW QUESTION # 245
The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.
Which of the following actions will resolve the access denied error?

  • A. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.
  • B. Update the Lambda configuration to launch the function in a VPC.
  • C. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
  • D. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.

Answer: C

Explanation:
Explanation/Reference: https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/


NEW QUESTION # 246
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

  • A. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
  • B. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
  • C. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
  • D. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

Answer: A

Explanation:
Explanation/Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html


NEW QUESTION # 247
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.
What is causing this situation?

  • A. The cipher suites on the Application Load Balancers are blocking connections.
  • B. Application Load Balancers do not support older web browsers.
  • C. The intermediate certificate is installed within the Application Load Balancer.
  • D. The Perfect Forward Secrecy settings are not configured correctly.

Answer: C


NEW QUESTION # 248
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

  • A. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
  • B. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.
  • C. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
  • D. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

Answer: A


NEW QUESTION # 249
A security engineer needs to configure monitoring and auditing for AWS Lambda.
Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)

  • A. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
  • B. Use AWS Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  • C. Use AWS Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  • D. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.
  • E. Use AWS CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.

Answer: C,E


NEW QUESTION # 250
Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?
Please select:

  • A. Use CORS on the API gateway
  • B. Use the request parameters for authorization
  • C. Use a Lambda authorizer
  • D. Use the gateway authorizer

Answer: C

Explanation:
The AWS documentation states the following:
An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters.
Options A, B and D are invalid because these cannot be used to provide custom authentication/authorization for calls made to the API Gateway. For more information on using the API Gateway Lambda authorizer, see:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
The correct answer is: Use a Lambda authorizer
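What a Lambda authorizer actually returns is the part the documentation excerpt leaves out. The following Python is an added example, not code from the page or from AWS: a TOKEN-type authorizer that verifies an HMAC-signed bearer token and returns the IAM policy document API Gateway expects, allowing or denying execute-api:Invoke from a scope claim and the HTTP verb carried in methodArn. The token format, DEMO_SIGNING_KEY, and the sample API ARN are constructed assumptions; the response shape and the "Unauthorized" exception convention are API Gateway's.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret for this example only; a deployed authorizer would load
# its key from Secrets Manager or SSM Parameter Store rather than hard-code it.
DEMO_SIGNING_KEY = b"demo-signing-key-not-for-production"

READ_VERBS = {"GET", "HEAD", "OPTIONS"}


def mint_token(subject, scope, ttl_seconds=300, now=None, key=DEMO_SIGNING_KEY):
    """Issue a compact HMAC-SHA256 bearer token: base64url(payload).base64url(mac)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "scope": scope, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_token(token, now=None, key=DEMO_SIGNING_KEY):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context=None):
    """The response shape API Gateway expects: an IAM policy for execute-api:Invoke."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def lambda_handler(event, context=None, now=None):
    """TOKEN-type Lambda authorizer. Raising an exception whose message is
    'Unauthorized' makes API Gateway answer 401; a Deny policy yields 403."""
    method_arn = event["methodArn"]
    header = event.get("authorizationToken", "")
    if not header.startswith("Bearer "):
        raise Exception("Unauthorized")
    claims = verify_token(header[len("Bearer "):], now=now)
    if claims is None:
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:region:account:api-id/stage/VERB/resource-path
    verb = method_arn.split("/")[2]
    scope = claims.get("scope")
    allowed = scope == "write" or (scope == "read" and verb in READ_VERBS)
    return build_policy(claims.get("sub", "unknown"), "Allow" if allowed else "Deny",
                        method_arn, context={"scope": str(scope)})


# Constructed sample method ARN (account ID and API ID are placeholders).
SAMPLE_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items"

if __name__ == "__main__":
    token = mint_token("alice", "read")
    event = {"type": "TOKEN", "authorizationToken": "Bearer " + token, "methodArn": SAMPLE_ARN}
    print(json.dumps(lambda_handler(event), indent=2))
```

Authentication (is the token genuine and unexpired) and authorization (may this principal invoke this verb) are kept as separate steps so that a forged or expired token is rejected with 401 before any policy is built, and a valid token with insufficient scope gets an explicit Deny rather than an exception.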


NEW QUESTION # 251
......

Amazon Exam Practice Test To Gain Brilliante Result: https://pass4sure.dumps4pdf.com/SCS-C01-valid-braindumps.html