[Jan-2024] The Best AWS Certified Security SCS-C01 Professional Exam Questions [Q146-Q161]


Try 100% Updated SCS-C01 Exam Questions [2024]

NEW QUESTION # 146
An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket, the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

  • A. Confirm that the EC2 instance's security group authorizes S3 access.
  • B. Check the S3 bucket policy for statements that deny access to objects.
  • C. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
  • D. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principal.
  • E. Confirm that the instance and the S3 bucket are in the same Region.
  • F. Confirm that the EC2 instance is using the correct key pair.

Answer: A,B,D


NEW QUESTION # 147
A company is planning to run a number of admin-related scripts using the AWS Lambda service. There is a need to understand whether any errors are encountered when the scripts run. How can this be accomplished in the most effective manner?
Please select:

  • A. Use the AWS Config service to monitor for errors
  • B. Use the Amazon Inspector service to monitor for errors
  • C. Use CloudWatch metrics and logs to watch for errors
  • D. Use CloudTrail to monitor for errors

Answer: C

Explanation:
The AWS documentation mentions the following:
AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.
Options A, B and D are all invalid because those services cannot be used to monitor for errors in the function itself. For more information on monitoring Lambda functions, please visit the following URL:
https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html
The correct answer is: Use CloudWatch metrics and logs to watch for errors


NEW QUESTION # 148
Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 instances needs to be encrypted. Which of the following can help achieve this?
Please select:

  • A. AWS KMS API
  • B. API Gateway with STS
  • C. AWS Certificate Manager
  • D. IAM Access Key

Answer: A

Explanation:
The AWS documentation mentions the following on AWS KMS:
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage.
Option C is incorrect: AWS Certificate Manager can be used to issue SSL/TLS certificates that encrypt traffic in transit, not data at rest.
Option B is incorrect: STS is used for issuing temporary tokens when using API Gateway, again for traffic in transit.
Option D is used for secure access to EC2 instances.
For more information on AWS KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
The correct answer is: AWS KMS API


NEW QUESTION # 149
You have a set of 100 EC2 instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.
Please select:

  • A. Use the Systems Manager to patch the instances
  • B. Ensure a NAT gateway is present to download the updates
  • C. Ensure an internet gateway is present to download the updates
  • D. Use Amazon Inspector to patch the updates

Answer: A,B

Explanation:
Option C is invalid because the instances need to remain in the private subnet.
Option D is invalid because Amazon Inspector can only detect missing patches, not install them.
One of the AWS blogs describes how patching of Linux servers can be accomplished and includes a diagram of the architecture setup.
For more information on patching Linux workloads in AWS, please refer to the link below:
https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/
The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances


NEW QUESTION # 150
A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?
Please select:

  • A. Use Trusted Advisor to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
  • B. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
  • C. Use Amazon QuickSight and CloudTrail to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.
  • D. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.

Answer: B

Explanation:
Use Systems Manager Patch Manager both to generate the report and to install the missing patches.
The AWS documentation mentions the following:
AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.
Option C is invalid because Amazon QuickSight and CloudTrail cannot be used to generate the list of servers that don't meet compliance needs.
Option D is wrong because redeploying instances from new AMIs would impact the applications hosted on these servers.
Option A is invalid because AWS Trusted Advisor cannot be used to generate the list of servers that don't meet compliance needs.
For more information on Patch Manager, please visit the URL below:
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
The correct answer is: Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.


NEW QUESTION # 151
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access only an assigned folder.
What should the Security Engineer do to achieve this?

  • A. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
  • B. Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
  • C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
  • D. Use envelope encryption with the AWS-managed CMK aws/s3.

Answer: A
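The `${aws:username}` policy variable that options A and B refer to, shown in an identity-based IAM policy that scopes each user to a folder named after them in examplebucket. This is an added illustration, not part of the original page; the `s3:prefix` condition on `s3:ListBucket` is included because folder listing is controlled at the bucket level, not the object level.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::examplebucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }
  ]
}
```

The variable resolves to the caller's IAM user name at evaluation time, so an IAM policy alone does not confine a role or federated session, for which `${aws:username}` is not set.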


NEW QUESTION # 152
A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.
Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

  • A. One in the US West (Oregon) region and none in the US East (Virginia) region.
  • B. Two in the US West (Virginia) region and none in the US West (Oregon) region.
  • C. One in the US West (Oregon) region and one in the US East (Virginia) region.
  • D. Two in the US West (Oregon) region and none in the US East (Virginia) region.

Answer: C


NEW QUESTION # 153
A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.
How should a Security Engineer accomplish this?

  • A. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
  • B. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  • C. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
  • D. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.

Answer: A


NEW QUESTION # 154
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)

  • A. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • B. Use unique log file prefixes for trails in each AWS account.
  • C. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
  • D. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • E. Enable encryption of the log files by using AWS Key Management Service
  • F. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.

Answer: C,D,E
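The bucket policy pattern that options A and D describe, written out for a central logging bucket receiving trails from two source accounts, each under its own top-level prefix. This is an added illustration, not from the original page; the bucket name, prefixes and 12-digit account IDs are placeholders. With a prefix configured, CloudTrail writes under `<bucket>/<prefix>/AWSLogs/<account-id>/`, so each write statement is scoped to that path.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-cloudtrail-logs-PLACEHOLDER"
    },
    {
      "Sid": "AWSCloudTrailWriteAccountOne",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-cloudtrail-logs-PLACEHOLDER/account-one/AWSLogs/111111111111/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    },
    {
      "Sid": "AWSCloudTrailWriteAccountTwo",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-cloudtrail-logs-PLACEHOLDER/account-two/AWSLogs/222222222222/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    }
  ]
}
```

Log file validation (the digest files that detect modification) is a trail setting, not a bucket policy setting, so it is enabled per trail in addition to this policy.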


NEW QUESTION # 155
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied. What would be the MOST efficient way to achieve these goals?

  • A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
  • B. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window
  • C. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
  • D. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances

Answer: C


NEW QUESTION # 156
An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?

  • A. VPN and a cached storage gateway
  • B. AWS Direct Connect
  • C. AWS Snowball Edge
  • D. VPN Gateway over AWS Direct Connect

Answer: D


NEW QUESTION # 157
The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?

  • A. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
  • B. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
  • C. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.
  • D. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.

Answer: A
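The trust policy that answer A describes, as an added illustration that is not part of the original page. AnyCompany's account ID and the external ID value are placeholders; the external ID is the value AnyCompany agrees to pass on every `AssumeRole` call for Example Corp., and the same trust policy without the `Condition` block is the weak form the question is concerned about, since then knowing the role ARN is enough for AnyCompany to assume it on any customer's behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAnyCompanyWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "ExampleCorp-PLACEHOLDER-external-id"
        }
      }
    }
  ]
}
```

The external ID is not a secret in the credential sense; it is a per-customer identifier that AnyCompany, not its customers, supplies, so a customer who guesses the ARN still cannot cause AnyCompany to act against the wrong account.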


NEW QUESTION # 158
The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:

What are the effects of the key policy? (Choose two.)

  • A. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
  • B. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
  • C. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
  • D. The policy allows the root user in account 111122223333 to have full access to the KMS key.
  • E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Answer: C,D

Explanation:
Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enabl
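The key policy itself is not reproduced on the page. The statement below is the documented default key policy statement that the explanation describes (added here as an illustration, with the account ID taken from the question): the account principal (root) is granted all KMS actions, which both gives the root user full access and delegates to IAM policies in that account.

```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

Because the principal is the account, not `*`, individual IAM users and roles in 111122223333 still need an identity-based policy that allows the specific `kms:` actions before they can use the key.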


NEW QUESTION # 159
Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )

  • A. Default SSL certificate stored in AWS Secrets Manager
  • B. Default CloudFront certificate
  • C. Custom SSL certificate stored in AWS IAM
  • D. Custom SSL certificate stored in AWS Certificate Manager
  • E. Default AWS Certificate Manager certificate
  • F. Custom SSL certificate stored in AWS KMS

Answer: B,D,E


NEW QUESTION # 160
A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?
Please select:

  • A. Use Trusted Advisor to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
  • B. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
  • C. Use Amazon QuickSight and CloudTrail to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.
  • D. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.

Answer: B

Explanation:
Use Systems Manager Patch Manager both to generate the report and to install the missing patches.
The AWS documentation mentions the following:
AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.
Option C is invalid because Amazon QuickSight and CloudTrail cannot be used to generate the list of servers that don't meet compliance needs.
Option D is wrong because redeploying instances from new AMIs would impact the applications hosted on these servers.
Option A is invalid because AWS Trusted Advisor cannot be used to generate the list of servers that don't meet compliance needs.
For more information on Patch Manager, please visit the URL below:
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
The correct answer is: Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.




The AWS Certified Security - Specialty (SCS-C01) exam is a certification that validates an individual’s knowledge and skills in securing applications and infrastructure on the Amazon Web Services (AWS) platform. AWS Certified Security - Specialty certification is designed for professionals who are responsible for designing, implementing, and maintaining security solutions on AWS. The SCS-C01 exam covers a broad range of security topics, including identity and access management, network security, data protection, and incident response.


SCS-C01 Exam Questions Get Updated [2024] with Correct Answers: https://www.exam4labs.com/SCS-C01-practice-torrent.html

Pass SCS-C01 Exam - Real Questions and Answers: https://drive.google.com/open?id=1PH6a4nsgWhXS2rutlIngCx6Z86ul791F