The latest Amazon SCS-C01 dumps by exam2pass helps you pass the SCS-C01 exam for the first time! exam2pass Latest Update Amazon SCS-C01 VCE Dump and SCS-C01 PDF Dumps, exam2pass SCS-C01 Exam Questions Updated, Answers corrected! Get the latest exam2pass SCS-C01 dumps with Vce and PDF: https://www.exam2pass.com/aws-certified-security-specialty.html (Q&As: 358 dumps)
Latest Amazon SCS-C01 Exam Practice Questions and Answers
QUESTION 1
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials,
and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private
content to your users?
Please select:
A. Generate pre-signed URLs for each user as they request access to protected S3 content
B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
D. Create a CloudFront Origin Access Identity user for your subscribed users and assign the GetObject permission to this user
Correct Answer: A
All S3 objects and buckets are private by default. A pre-signed URL lets a user download (or upload) a specific object without having AWS credentials or permissions of their own: the application that owns the content signs the URL with its credentials, specifying the bucket name, the object key, the HTTP method (GET for downloads, PUT for uploads) and an expiration date and time, and the URL is valid only for that duration. Here the application verifies the subscription in RDS and then issues a short-lived GET URL for the requested object; the signature covers the expiry, so the user cannot extend it.
Option B is invalid because creating an IAM user per subscriber does not scale and IAM is not meant for end-user identities. Option C is invalid because the subscribers' credentials live in RDS and are not IAM principals a bucket policy can reference. Option D is invalid because an origin access identity is used to let CloudFront read private content from S3, not to grant individual users access. For more information on pre-signed URLs, please refer to: http://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html
The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content
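The flow described above, written out as an added example (this is not code from the original page). In practice you would call boto3's `generate_presigned_url('get_object', ...)`; the block below performs the same SigV4 query-string signing by hand so that the fields baked into the signature (method, bucket, key, expiry) are visible. The bucket, region, credentials and the in-memory subscriber table standing in for the RDS lookup are constructed placeholders.

```python
"""Serve a private S3 object to a subscriber with a short-lived pre-signed GET URL.
Added example: SigV4 query-string signing written out; bucket, credentials and the
subscriber table are constructed placeholders."""
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

BUCKET = "private-video-example"              # constructed
REGION = "us-east-1"
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"           # constructed placeholder credentials
SECRET_KEY = "example-secret-key-do-not-use"
EXPIRES_SECONDS = 300                         # the URL, not the user, is the credential: keep it short

# Constructed stand-in for the RDS lookup of user IDs and subscriptions.
SUBSCRIBERS = {"alice": {"active": True}, "bob": {"active": False}}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket: str, key: str, amz_date: str, expires: int) -> str:
    """Build a SigV4 pre-signed GET URL. amz_date is YYYYMMDDTHHMMSSZ (UTC)."""
    host = f"{bucket}.s3.{REGION}.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Sorted, URI-encoded query parameters are part of what is signed, so editing
    # X-Amz-Expires in the URL invalidates the signature.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    # Derived signing key: the long-term secret never appears in the URL.
    k_date = _hmac(("AWS4" + SECRET_KEY).encode(), date)
    k_signing = _hmac(_hmac(_hmac(k_date, REGION), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def url_for_subscriber(user_id: str, key: str, amz_date: str) -> Optional[str]:
    """Authorize against the subscription store first; only active subscribers get a URL."""
    record = SUBSCRIBERS.get(user_id)
    if record is None or not record["active"]:
        return None
    return presign_get(BUCKET, key, amz_date, EXPIRES_SECONDS)


def url_params(url: str) -> dict:
    """Single-valued query parameters of a pre-signed URL (useful for audit logging)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def url_expiry(url: str) -> str:
    """Timestamp after which S3 rejects the URL, in the same YYYYMMDDTHHMMSSZ form."""
    p = url_params(url)
    start = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    return (start + timedelta(seconds=int(p["X-Amz-Expires"]))).strftime("%Y%m%dT%H%M%SZ")


if __name__ == "__main__":
    link = url_for_subscriber("alice", "videos/episode-01.mp4", "20240115T120000Z")
    print(link)
    print("expires at", url_expiry(link))
    print("bob (lapsed):", url_for_subscriber("bob", "videos/episode-01.mp4", "20240115T120000Z"))
```

The subscription check happens before any signing, and the signing credentials belong to the application, not the user; the only thing the user receives is a URL whose validity window is fixed at issue time.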
QUESTION 2
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
Encryption in transit
Encryption at rest
Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
A. Specify “aws:SecureTransport”: “true” within a condition in the S3 bucket policy.
B. Enable a security group for the S3 bucket that allows port 443, but not port 80.
C. Set up default encryption for the S3 bucket.
D. Enable Amazon CloudWatch Logs for the AWS account.
E. Enable API logging of data events for all S3 objects.
F. Enable S3 object versioning for the S3 bucket.
Correct Answer: ACE
A addresses encryption in transit: a bucket policy condition on aws:SecureTransport lets you reject plaintext HTTP. In practice this is written as a Deny of all S3 actions when aws:SecureTransport is false, because an Allow that merely requires “true” does not stop HTTP requests that some other policy permits. C addresses encryption at rest: default encryption applies SSE-S3 or SSE-KMS to every new object. E is what records object retrievals: GetObject is an S3 data event, and CloudTrail does not log data events unless they are enabled for the bucket (or for all S3 objects). Option B is invalid because security groups attach to network interfaces, not to S3 buckets. Option D is invalid because CloudWatch Logs does not record S3 API calls in CloudTrail. Option F (versioning) protects against overwrites and deletions but meets none of the three requirements.
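An offline check of the three controls, as an added example that is not part of the original page. It runs over constructed responses shaped like the output of `get_bucket_policy`, `get_bucket_encryption` and CloudTrail `get_event_selectors`; the bucket name, KMS key ARN and the sample policies (a weak Allow-only policy beside the hardened Deny) are placeholders.

```python
"""Offline audit of S3 transit encryption, at-rest encryption and CloudTrail data events.
Added example; bucket name, key ARN and sample policies are constructed placeholders."""
from typing import List, Optional

BUCKET = "confidential-docs-example"          # constructed
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def enforces_tls(policy: dict) -> bool:
    """True only for a Deny of all S3 actions on the bucket and its objects when
    aws:SecureTransport is false. An Allow conditioned on "true" does not by itself
    stop plaintext HTTP from principals that are allowed elsewhere."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if str(flag).lower() != "false":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        if ("s3:*" in actions or "*" in actions) and {BUCKET_ARN, BUCKET_ARN + "/*"} <= resources:
            return True
    return False


def default_encryption(config: dict) -> Optional[str]:
    """SSE algorithm applied to new objects (AES256 or aws:kms), or None if unset."""
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm:
            return algorithm
    return None


def logs_object_reads(selectors: dict) -> bool:
    """True if a CloudTrail event selector records read data events for this bucket.
    Management-event logging alone never records GetObject."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("ReadWriteType") not in ("All", "ReadOnly"):
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for value in res.get("Values", []):
                if value == "arn:aws:s3" or value.startswith(BUCKET_ARN + "/"):
                    return True
    return False


def audit(policy: dict, enc_config: dict, selectors: dict) -> List[str]:
    findings = []
    if not enforces_tls(policy):
        findings.append("transit: no Deny for aws:SecureTransport=false")
    if default_encryption(enc_config) is None:
        findings.append("rest: no default encryption rule")
    if not logs_object_reads(selectors):
        findings.append("logging: no CloudTrail data events for object reads")
    return findings


# Constructed sample inputs.
WEAK_POLICY = {  # the literal reading of option A: an Allow that requires TLS, nothing denies HTTP
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
NO_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": []}}
KMS_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    }}]}}
MANAGEMENT_ONLY = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                       "DataResources": []}]}
WITH_DATA_EVENTS = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                        "DataResources": [{"Type": "AWS::S3::Object",
                                                           "Values": [BUCKET_ARN + "/"]}]}]}

if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY, NO_ENCRYPTION, MANAGEMENT_ONLY))
    print("hardened:", audit(HARDENED_POLICY, KMS_DEFAULT, WITH_DATA_EVENTS))
```

The weak set fails all three checks; the hardened set passes. Note that `enforces_tls` deliberately requires the Deny to cover both the bucket ARN and the `/*` object ARN, since a Deny on objects alone still allows plaintext ListBucket calls.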
QUESTION 3
Your company has confidential documents stored in Amazon S3. Due to compliance requirements, you
have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect, what is the
change you would make to comply with this requirement?
Please select:
A. Apply Multi-AZ for the underlying S3 bucket
B. Copy the data to an EBS Volume in another Region
C. Create a snapshot of the S3 bucket and copy it to another region
D. Enable Cross-region replication for the S3 bucket
Correct Answer: D
This is mentioned clearly as a use case for S3 cross-region replication. You might configure cross-region replication on a
bucket for various reasons, including the following: Compliance requirements – Although, by default, Amazon S3 stores
your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store
data at even further distances. Cross-region replication allows you to replicate data between distant AWS Regions to satisfy these compliance requirements.
Two practical caveats: replication requires versioning to be enabled on both the source and the destination bucket and an IAM role that S3 can assume to copy objects, and a replication rule only applies to objects written after it is created, so existing documents must be copied separately (for example with S3 Batch Replication).
Option A is invalid because Multi-AZ is a database and EC2 concept that does not apply to S3 buckets. Option B is invalid because copying to an EBS volume is not a recommended practice and an EBS volume is tied to a single Availability Zone. Option C is invalid because S3 has no snapshot feature. For more information
on S3 cross-region replication, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable Cross-region replication for the S3 bucket
QUESTION 4
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning
on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the
AWS Config service can work as required?
Please select:
A. Ensure that there is a trust policy in place for the AWS Config service within the role
B. Ensure that there is a grant policy in place for the AWS Config service within the role
C. Ensure that there is a user policy in place for the AWS Config service within the role
D. Ensure that there is a group policy in place for the AWS Config service within the role
Correct Answer: A
The role's trust policy (its assume-role policy) must allow the principal config.amazonaws.com to call sts:AssumeRole; without that statement AWS Config cannot assume the role, whatever permissions the role carries. Options B, C and D are invalid because "grant", "user" and "group" policies are not how a service is permitted to assume a role. The role also needs a permissions policy (for example the AWS_ConfigRole managed policy) to read resource configurations, but the question asks what is required for the service to use the role at all.
For more information on the IAM role permissions, please visit the below link:
https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role
QUESTION 5
A Security Architect is evaluating managed solutions for the storage of encryption keys. The requirements are:
-Storage is accessible by using only VPCs.
-Service has tamper-evident controls.
-Access logging is enabled.
-Storage has high availability.
Which of the following services meets these requirements?
A. Amazon S3 with default encryption
B. AWS CloudHSM
C. Amazon DynamoDB with server-side encryption
D. AWS Systems Manager Parameter Store
Correct Answer: B
AWS CloudHSM is the only option that satisfies all four requirements: the HSMs are reachable only through elastic network interfaces in your VPC, the hardware is tamper-evident and FIPS 140-2 Level 3 validated, HSM audit logs are delivered to CloudWatch Logs and management API calls to CloudTrail, and a cluster of HSMs spread across Availability Zones provides high availability. S3, DynamoDB and Parameter Store are ordinary AWS services reached through public (or VPC) endpoints and offer no tamper-evident hardware.
QUESTION 6
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log
files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs
access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs
from all accounts? Choose the correct answer from the options below
Please select:
A. Configure the CloudTrail service in each AWS account and have the logs delivered to an AWS bucket in each
account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary
IAM account that can assume a read-only role in the secondary AWS accounts.
B. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary
accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
C. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the
primary account and grant the auditor access to that single bucket in the primary account.
Correct Answer: D
Given the current requirements, apply the "least privilege" security design and only allow the auditor
access to the minimum amount of AWS resources possible. AWS CloudTrail is a service that enables governance,
compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously
monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the
AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This history simplifies security
analysis, resource change tracking, and troubleshooting.
Option A is incorrect since the auditor should only be granted access in one location. Option B is incorrect since consolidated billing is not a requirement of the question and does not aggregate CloudTrail logs. Option C is incorrect since CloudTrail has no per-account "consolidated logging" setting; aggregation is done by pointing every account's trail at one bucket whose bucket policy allows cloudtrail.amazonaws.com to write that account's AWSLogs/<account-id>/ prefix. For more information on CloudTrail please refer to
the below URL: https://aws.amazon.com/cloudtrail/
The correct answer is: Configure the CloudTrail service in each
AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to
that single bucket in the primary account.
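The two policies behind option D, generated as an added example (not code from the original page): the bucket policy on the primary account's bucket that lets CloudTrail in each member account deliver logs, and the read-only identity policy for the auditor scoped to that bucket alone. The bucket name and account IDs are constructed placeholders.

```python
"""Cross-account CloudTrail delivery bucket policy plus a read-only auditor policy.
Added example; bucket name and account IDs are constructed placeholders."""
from typing import List

LOG_BUCKET = "org-cloudtrail-logs-example"                          # constructed
MEMBER_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]  # constructed


def cloudtrail_bucket_policy(bucket: str, account_ids: List[str]) -> dict:
    """Bucket policy for cross-account CloudTrail delivery. CloudTrail first checks the
    bucket ACL, then writes objects under AWSLogs/<account-id>/ with the
    bucket-owner-full-control ACL so the primary account owns every log file."""
    base = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": base,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"{base}/AWSLogs/{acct}/*" for acct in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def auditor_policy(bucket: str) -> dict:
    """Identity policy for the auditor: list and read the log bucket, nothing else."""
    base = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": base},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{base}/AWSLogs/*"},
        ],
    }


def accounts_allowed_to_write(policy: dict) -> List[str]:
    """Account IDs the bucket policy lets CloudTrail deliver for. Run this when a new
    member account is onboarded: a trail whose account is missing here fails delivery."""
    ids = []
    for stmt in policy["Statement"]:
        if stmt.get("Action") != "s3:PutObject":
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for arn in resources:
            if "/AWSLogs/" in arn:
                ids.append(arn.split("/AWSLogs/", 1)[1].split("/", 1)[0])
    return ids


def is_read_only(policy: dict) -> bool:
    """True if every allowed action is a Get or List action (no write or delete)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(not (a.startswith("s3:Get") or a.startswith("s3:List")) for a in actions):
            return False
    return True


if __name__ == "__main__":
    import json
    print(json.dumps(cloudtrail_bucket_policy(LOG_BUCKET, MEMBER_ACCOUNTS), indent=2))
    print(json.dumps(auditor_policy(LOG_BUCKET), indent=2))
```

Each member account's trail must also be configured to use the primary bucket by name; the per-account prefixes in the PutObject statement are what keep one account from writing into another account's log path.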
QUESTION 7
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using
the account expects to have hundreds of master keys and therefore does not want to manage access control for
customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing
individual key policies?
A. The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey.
B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
C. Newly created CMKs must allow the root principal to perform the KMS CreateGrant API operation.
D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
Correct Answer: B
KMS evaluates the key policy first; IAM identity policies can grant access to a key only if the key policy contains a statement allowing the account's root principal (arn:aws:iam::<account-id>:root) to perform kms:* on the key. That is exactly the "Enable IAM User Permissions" statement in the default key policy, and with it in place the team manages permissions for hundreds of keys through ordinary IAM policies instead of editing each key policy. Option A grants a single action and does not delegate access control to IAM. Option C (CreateGrant for root) is too narrow for the same reason. Option D is invalid because a key policy cannot "mirror" an IAM policy; the two are separate documents evaluated together.
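The two resource-based policies behind Question 4 (the trust policy an existing role needs before AWS Config can assume it) and Question 7 (the key policy statement that lets IAM policies govern a KMS key), with the checks a practitioner would run on them. This is an added example, not code from the original page; the account ID, role name and the counter-example policies are constructed.

```python
"""Trust policy for AWS Config and the IAM-enabling KMS key policy, with checks.
Added example; account ID and role names are constructed placeholders."""
from typing import Optional

ACCOUNT_ID = "123456789012"   # constructed


def config_trust_policy(account_id: str) -> dict:
    """Trust (assume-role) policy for AWS Config. The aws:SourceAccount condition is the
    confused-deputy guard: only Config acting on behalf of this account may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def default_key_policy(account_id: str) -> dict:
    """Key policy whose root-principal statement delegates access decisions to IAM.
    Without a statement like this, IAM policies naming the key have no effect."""
    return {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict, kind: str):
    """Principal entries of one kind ("AWS" or "Service"); a bare "*" principal has none."""
    principal = stmt.get("Principal")
    return _as_list(principal.get(kind)) if isinstance(principal, dict) else []


def trusts_service(trust_policy: dict, service: str, account_id: Optional[str] = None) -> bool:
    """True if the role can be assumed by `service`; with account_id, also require the
    aws:SourceAccount guard so another account's Config cannot borrow the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if service not in _principals(stmt, "Service"):
            continue
        if account_id is not None:
            guard = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
            if guard != account_id:
                continue
        return True
    return False


def iam_policies_enabled(key_policy: dict, account_id: str) -> bool:
    """True if the key policy gives the account root principal kms:* on the key, the
    prerequisite for IAM identity policies to grant access to it."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(key_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if root not in _principals(stmt, "AWS"):
            continue
        if "kms:*" in _as_list(stmt.get("Action")) and stmt.get("Resource") == "*":
            return True
    return False


# Constructed counter-examples: a role trusting the wrong service, and a key policy that
# names only one role (IAM policies cannot widen access to such a key).
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ROLE_ONLY_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/key-admin"},
    "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}

if __name__ == "__main__":
    print("Config can assume role:", trusts_service(config_trust_policy(ACCOUNT_ID), "config.amazonaws.com", ACCOUNT_ID))
    print("IAM governs default key:", iam_policies_enabled(default_key_policy(ACCOUNT_ID), ACCOUNT_ID))
    print("IAM governs role-only key:", iam_policies_enabled(ROLE_ONLY_KEY_POLICY, ACCOUNT_ID))
```

`iam_policies_enabled` is the check to run before relying on IAM for a fleet of keys: a key whose policy drops the root statement is reachable only by the principals the key policy itself names.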
QUESTION 8
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port
scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account
by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple
Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the
unauthorized activity?
A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.
B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
D. Grant the Security team\\’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.
Correct Answer: B
GuardDuty does not generate findings for traffic from addresses on a trusted IP list, so adding the scanners' Elastic IPs to the list silences the authorized scans while port scans from any other instance are still reported. Trusted IP lists match public IP addresses, which is why the answer relies on Elastic IPs; for scanners identified by instance rather than address, the alternative is a GuardDuty suppression rule that auto-archives findings whose instance ID matches the scanners. Option A is invalid because filtering CloudTrail has no effect on GuardDuty findings. Option C is invalid because the Inspector agent performs vulnerability assessments and does not influence GuardDuty. Option D is invalid because permission to call the GuardDuty API does not suppress findings about an instance.
QUESTION 9
Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances need to
be encrypted. Which of the following can help achieve this? Please select:
A. AWS KMS API
B. AWS Certificate Manager
C. API Gateway with STS
D. IAM Access Key
Correct Answer: A
The AWS Documentation mentions the following on AWS KMS: AWS Key Management Service (AWS KMS) is a
managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS
KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic
Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to
encrypt your data with encryption keys that you manage. EBS volume encryption uses a KMS key (the AWS managed aws/ebs key or a customer managed key); to enforce the mandate rather than rely on whoever creates each volume, enable EBS encryption by default for the account in each Region, after which every new volume and snapshot is encrypted with the chosen KMS key.
Option B is incorrect: AWS Certificate Manager issues TLS certificates used to encrypt traffic in transit, not data at rest. Option C is incorrect: STS with API Gateway issues temporary credentials to callers and again concerns traffic in transit. Option D is incorrect: an IAM access key is a credential for programmatic API calls, not an encryption mechanism. For more information on AWS KMS, please visit the
following URL: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
The correct answer is: AWS KMS API
QUESTION 10
Your company is in the gaming domain and hosts several EC2 Instances as game servers. The servers each
experience user loads in the thousands. There is a concern of DDoS attacks on the EC2 Instances, which could cause a
huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure
minimum downtime for the servers?
Please select:
A. Use VPC Flow logs to monitor the VPC and then implement NACLs to mitigate attacks
B. Use AWS Shield Advanced to protect the EC2 Instances
C. Use AWS Inspector to protect the EC2 Instances
D. Use AWS Trusted Advisor to protect the EC2 Instances
Correct Answer: B
AWS Shield Standard already protects every AWS customer against the most common network and transport layer DDoS attacks at no charge. AWS Shield Advanced adds, for EC2 instances with Elastic IP addresses (as well as Elastic Load Balancing, CloudFront, Route 53 and Global Accelerator), mitigation of larger and more sophisticated attacks, near real-time attack visibility, 24x7 access to the Shield Response Team, and cost protection against scaling charges caused by an attack. Option A is invalid because flow logs and NACLs are a manual, reactive response that cannot absorb a volumetric attack. Option C is invalid because Amazon Inspector assesses vulnerabilities on instances and does not mitigate attacks. Option D is invalid because Trusted Advisor only reports best-practice checks.
QUESTION 11
Your company has a set of 1000 EC2 Instances defined in an AWS Account. They want to effectively automate several
administrative tasks on these instances. Which of the following would be an effective way to achieve this? Please
select:
A. Use the AWS Systems Manager Parameter Store
B. Use the AWS Systems Manager Run Command
C. Use the AWS Inspector
D. Use AWS Config
Correct Answer: B
The AWS Documentation mentions the following:
AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed
instances. A managed instance is an Amazon EC2 instance or on-premises machine in your hybrid environment that
has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and
perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS
Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs.
Run Command is offered at no additional cost.
Option A is invalid because Parameter Store is used to store configuration data and secrets, not to run tasks. Option C is invalid because Amazon Inspector is used to
scan for vulnerabilities on an EC2 Instance. Option D is invalid because AWS Config is used to record and evaluate configuration
changes.
For more information on executing remote commands, please visit the below URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
The correct answer is: Use the AWS Systems Manager Run Command
QUESTION 12
A company wants to have an intrusion detection system available for their VPC in AWS. They want to have complete
control over the system. Which of the following would be ideal to implement? Please select:
A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
B. Use a custom solution available in the AWS Marketplace
C. Use VPC Flow logs to detect the issues and flag them accordingly.
D. Use AWS Cloudwatch to monitor all traffic
Correct Answer: B
Options A, C and D are AWS-managed features that give filtering (AWS WAF, for HTTP traffic only) or visibility (VPC Flow Logs, CloudWatch), but none of them is an intrusion detection system and none gives you control over the sensor or its detection rules. A third-party IDS/IPS from the AWS Marketplace runs on instances inside your VPC, so you control its placement, rules and signatures.
QUESTION 13
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and
logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's
requirements without compromising security in the AWS environment? Choose the correct answer from the options below
Please select:
A. Create a role that has the required permissions for the auditor.
B. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the
logs to S3, but do not allow the auditor access to the AWS environment.
C. The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to
the third-party auditor.
D. Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources,
including the bucket containing the CloudTrail logs.
Correct Answer: D
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS
account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS
infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the
AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This history simplifies security
analysis, resource change tracking, and troubleshooting.
Options A and C are incorrect since CloudTrail needs to be used as part of the solution.
Option B is incorrect since the auditor needs to have access to CloudTrail. For more information on CloudTrail, please visit
the below URL:
https://aws.amazon.com/cloudtrail/
The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the
required AWS resources, including the bucket containing the CloudTrail logs.