
[2021.3] Valid Amazon AWS SCS-C01 Practice Questions Free Share From Pass4itsure

The Amazon AWS SCS-C01 exam is difficult, but with the Pass4itsure SCS-C01 dumps https://www.pass4itsure.com/aws-certified-security-specialty.html as preparation material, candidates can pass it more easily. SCS-C01 practice tests let you practice on questions in the same format as the actual exam. If you master the tricks you gained through practice, it will be easier to achieve your target score.

Amazon AWS SCS-C01 pdf free https://drive.google.com/file/d/1JRPXuxAvU2SKyppRM8NVWT0LSCp3gArr/view?usp=sharing


Latest Amazon AWS SCS-C01 practice exam questions here:

QUESTION 1
Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP
(Lightweight Directory Access Protocol) directory service?
Please select:
A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
Correct Answer: B
On the AWS Blog site the following information is present to help in this context: The newly released whitepaper, Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources.
Options A, C and D are all invalid because in this sort of configuration, you have to use SAML to enable single sign-on.
For more information on integrating AWS with LDAP for Single Sign-On, please visit the following URL:
https://aws.amazon.com/blogs/security/new-whitepaper-single-sign-on-integrating-aws-openldap-and-shibboleth/
The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.


QUESTION 2
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances
run in public subnets.
Which configurations below allow the application to function and minimize the exposure of the instances? Select 2
answers from the options given below
Please select:
A. A network ACL with a rule that allows outgoing traffic on port 443.
B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
C. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
D. A security group with a rule that allows outgoing traffic on port 443
E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
F. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
Correct Answer: BD
Since the traffic needs to flow outbound from the instance to a web service on port 443, the outbound rules on both the network ACL and the security group need to allow outbound traffic on port 443. Because network ACLs are stateless, incoming traffic must also be allowed on ephemeral ports so that the response can reach whichever source port the operating system on the instance chose for the connection; security groups are stateful, so the response to an allowed outbound connection is admitted automatically.
Option A is invalid because this rule alone is not enough: you also need to allow incoming traffic on ephemeral ports. Option C is invalid because you need to allow incoming traffic on ephemeral ports, not only on port 443. Options E and F are invalid since they allow additional inbound ports on the security group which are not required.
For more information on VPC security groups, please visit the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
The correct answers are: A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports; A security group with a rule that allows outgoing traffic on port 443.
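As an added illustration (not from the original page), the following Python simulation evaluates the three network ACL options and a security group against one HTTPS round trip, showing why the stateless ACL needs the inbound ephemeral-port rule; the source port 49152, rule numbers and ranges are constructed.

```python
# Added example, not from the page: a stateless NACL versus a stateful security group.
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # range an operating system picks its source port from


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", relative to the instance
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first
    direction: str   # "out" (egress) or "in" (ingress)
    ports: tuple     # inclusive (low, high) range on the destination port
    action: str      # "allow" or "deny"


def nacl_allows(rules, pkt):
    """Stateless: each packet is matched on its own, first matching rule wins."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction == pkt.direction and r.ports[0] <= pkt.dst_port <= r.ports[1]:
            return r.action == "allow"
    return False  # the implicit '*' deny at the end of every NACL


def sg_allows(egress_ports, pkt, state):
    """Stateful: an allowed outbound packet makes its reply allowed too."""
    if pkt.direction == "out":
        ok = any(lo <= pkt.dst_port <= hi for lo, hi in egress_ports)
        if ok:
            state.add((pkt.src_port, pkt.dst_port))  # remember the flow
        return ok
    return (pkt.dst_port, pkt.src_port) in state  # reply of a tracked flow?


SYN = Packet("out", src_port=49152, dst_port=443)     # instance -> web service
SYN_ACK = Packet("in", src_port=443, dst_port=49152)  # web service -> instance


def nacl_round_trip(rules):
    """(request allowed, reply allowed) for one TLS connection through a NACL."""
    return nacl_allows(rules, SYN), nacl_allows(rules, SYN_ACK)


def sg_round_trip(egress_ports):
    """Same check for a security group that has only outbound rules."""
    state = set()
    return sg_allows(egress_ports, SYN, state), sg_allows(egress_ports, SYN_ACK, state)


# The three network ACL candidates from the question (rule numbers constructed).
OPTION_A = [Rule(100, "out", (443, 443), "allow")]
OPTION_B = OPTION_A + [Rule(100, "in", EPHEMERAL, "allow")]
OPTION_C = OPTION_A + [Rule(100, "in", (443, 443), "allow")]
```

Only OPTION_B lets the reply through the ACL, while the security group with a single outbound 443 rule admits the reply on its own.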


QUESTION 3
In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for
an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3
bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?
A. Change the S3 bucket/object permission so that only the bucket owner has access.
B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI
has access.
C. Create IAM roles for CloudFront and change the S3 bucket/object permission so that only the IAM role has access.
D. Redirect S3 bucket access to the corresponding CloudFront distribution.
Correct Answer: B
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

QUESTION 4
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM
changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining the least privilege? (Select two.)
A. Configure and assign an MFA device to the role used by the instances.
B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
C. Verify that the access key attached to the role used by the instances is active.
D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
E. Verify that the role attached to the instances contains policies that allow access to the queue.
Correct Answer: BE


QUESTION 5
A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having
to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally,
the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?
A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to
remove the keys if necessary.
B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key
material if necessary.
C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if
necessary.
D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the
key if necessary.
Correct Answer: C
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html

QUESTION 6
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory
dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse
notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is
compromised.
How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to
AWS Support for analysis.
B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
C. Download and run the EC2Rescue for Windows Server utility from AWS.
D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.
Correct Answer: A


QUESTION 7
A Security Architect has been asked to review the existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?
A. Outbound SG configuration on database servers; inbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
B. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
C. Inbound and outbound SG configuration on database servers; inbound and outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
D. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
Correct Answer: A

QUESTION 8
A company became aware that one of its access keys was exposed on a code-sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.
Which of the following will allow the Security Engineer to complete the task?
A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.
Correct Answer: C

QUESTION 9
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being
the target of frequent DDoS attacks. Which steps can the company use to protect its application? Select 2 answers
from the options given below.
Please select:
A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application-layer traffic.
C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
E. Enable GuardDuty to block malicious traffic from reaching the application
Correct Answer: BD
The below diagram from AWS shows the best-case scenario for avoiding DDoS attacks using services such as CloudFront, AWS WAF, ELB, and Auto Scaling.

[Diagram: scs-c01 exam questions-q9]

Option A is invalid because by default security groups don't allow access. Option C is invalid because Amazon Inspector cannot be used to examine traffic. Option E is invalid because GuardDuty addresses attacks on EC2 instances but not DDoS attacks against the entire application. For more information on DDoS mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application-layer traffic; Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.


QUESTION 10
You have an EC2 instance in a private subnet that needs to access the KMS service. Which of the following methods can help fulfill this requirement, keeping security in perspective?
Please select:
A. Use a VPC endpoint
B. Attach an Internet gateway to the subnet
C. Attach a VPN connection to the VPC
D. Use VPC Peering
Correct Answer: A
The AWS Documentation mentions the following: You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
Option B is invalid because this could open threats from the internet. Option C is invalid because this is normally used for communication between on-premise environments and AWS. Option D is invalid because this is normally used for communication between VPCs.
For more information on accessing KMS via an endpoint, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
The correct answer is: Use a VPC endpoint.

QUESTION 11
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below.
Please select:
A. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
B. Add a grant to the objects ACL giving full permissions to the bucket owner.
C. Encrypt the object with a KMS key controlled by the company.
D. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
E. Upload the file to the company's S3 bucket
Correct Answer: BE
This scenario is given in the AWS Documentation: A bucket owner can enable other AWS accounts to upload objects. These objects are owned by the accounts that created them. The bucket owner does not own objects that were not created by the bucket owner. Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner using an object ACL. The bucket owner can then delegate those permissions via a bucket policy. In this example, the bucket owner delegates permission to users in its own account.

[Diagram: scs-c01 exam questions-q11]

Options A and D are invalid because bucket ACLs are used to give grants to the bucket. Option C is not required since encryption is not part of the requirement. For more information on this scenario please see the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to the bucket owner; Upload the file to the company's S3 bucket.


QUESTION 12
Your company has a set of EC2 Instances defined in AWS. These Ec2 Instances have strict security groups attached to
them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you
achieve this?
Please select:
A. Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use
SNS for the notification.
B. Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use
SNS for the notification.
C. Use AWS Inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
D. Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
Correct Answer: D
The below diagram from an AWS blog shows how security groups can be monitored. Option A is invalid because you need to use CloudWatch Events to check for changes. Option B is invalid because you need to use CloudWatch Events to check for changes. Option C is invalid because AWS Inspector is not used to monitor the activity on security groups. For more information on monitoring security groups, please visit the below URL:
https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-your-amazon-vpc-security-groups/
The correct answer is: Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

[Diagram: scs-c01 exam questions-q12]


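An added example, not code from the page or from the AWS blog post it links: a Python Lambda handler for the CloudWatch Events rule in the correct answer to Question 12. It assumes a rule matching source aws.ec2 with detail-type "AWS API Call via CloudTrail", an SNS topic with an e-mail subscription whose ARN is in the SNS_TOPIC_ARN environment variable, and a constructed sample event.

```python
# Added example, not from the page or the AWS blog post: Lambda handler for the
# CloudWatch Events rule (assumed: source "aws.ec2", detail-type "AWS API Call via
# CloudTrail"). The sample event and the SNS_TOPIC_ARN variable are constructed.
import json
import os

# EC2 API calls that create, delete or change the rules of a security group.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def summarize_permissions(params):
    """Flatten the ipPermissions block of a CloudTrail EC2 record into strings."""
    out = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        ports = f"{perm.get('fromPort', 'all')}-{perm.get('toPort', 'all')}"
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        out.append(f"{perm.get('ipProtocol', '-1')} {ports} from {', '.join(cidrs) or 'n/a'}")
    return out


def build_alert(event):
    """Return an alert dict for a security group change, or None for anything else."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "ec2.amazonaws.com" or detail.get("eventName") not in SG_CHANGE_EVENTS:
        return None
    params = detail.get("requestParameters") or {}
    return {
        "action": detail["eventName"], "group_id": params.get("groupId"),
        "by": detail.get("userIdentity", {}).get("arn"), "from_ip": detail.get("sourceIPAddress"),
        "rules": summarize_permissions(params), "time": detail.get("eventTime"),
    }


def handler(event, context):
    """Lambda entry point: publish the alert to the SNS topic named in SNS_TOPIC_ARN."""
    alert = build_alert(event)
    if alert is None:
        return {"notified": False}
    import boto3  # present in the Lambda runtime; imported here so the parser runs offline
    boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                                Subject=f"Security group change: {alert['group_id']}",
                                Message=json.dumps(alert, indent=2))
    return {"notified": True, **alert}


# Constructed sample event: a rule opening SSH to the world on a placeholder group id.
SAMPLE_EVENT = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "eventTime": "2021-03-01T10:15:00Z", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}
```

Read-only calls such as DescribeSecurityGroups fall through build_alert and produce no notification, so the e-mail only fires on actual changes.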
QUESTION 13
An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
1. AWS IAM federated with on-premises Active Directory
2. Amazon Cognito user pools to access an AWS Cloud application developed by the company
Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)
A. Update the password length policy in the on-premises Active Directory configuration.
B. Update the password length policy in the IAM configuration.
C. Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.
D. Update the password length policy in the Amazon Cognito configuration.
E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon
Cognito.
Correct Answer: AC

Welcome to download the valid Pass4itsure SCS-C01 pdf

Free download: Google Drive
Amazon AWS SCS-C01 pdf https://drive.google.com/file/d/1JRPXuxAvU2SKyppRM8NVWT0LSCp3gArr/view?usp=sharing

Pass4itsure latest Amazon exam dumps coupon code free share

Summary:

New Amazon SCS-C01 exam questions from Pass4itsure SCS-C01 dumps! Welcome to download the newest Pass4itsure SCS-C01 dumps https://www.pass4itsure.com/aws-certified-security-specialty.html (487 Q&As), verified the latest SCS-C01 practice test questions with relevant answers.

Amazon AWS SCS-C01 dumps pdf free share https://drive.google.com/file/d/1JRPXuxAvU2SKyppRM8NVWT0LSCp3gArr/view?usp=sharing