[Sep 23, 2023] Fully Updated Dumps PDF - Latest SCS-C01 Exam Questions and Answers [Q26-Q42]


The AWS Certified Security - Specialty certification exam covers a wide range of topics related to AWS security, including identity and access management, network security, data protection, security operations, and incident response. Candidates are required to have a strong understanding of AWS security services and features, as well as best practices for securing applications and systems on the platform. AWS Certified Security - Specialty certification exam is designed to test the candidate's ability to design and implement secure solutions that meet the requirements of different organizations and industries.

 

NEW QUESTION # 26
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
Please select:

  • A. Use AWS KMS Customer Default master key
  • B. Encrypt the EBS volumes of the underlying EC2 Instances
  • C. Use S3 Encryption
  • D. Use SSL/TLS for encrypting the data

Answer: A

Explanation:
The AWS documentation mentions the following:
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.
Option A is invalid because it is the cluster that needs to be encrypted.
Option C is invalid because this encrypts objects in transit and not objects at rest.
Option D is invalid because this is used only for objects in S3 buckets.
For more information on Redshift encryption, please visit the following URL:
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
The correct answer is: Use AWS KMS Customer Default master key


NEW QUESTION # 27
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)

  • A. Verify that the EC2 instances have a route to the public AWS API endpoints.
  • B. Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the "Alerting" state and restart them using the EC2 console.
  • C. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.
  • D. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
  • E. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.

Answer: B,D


NEW QUESTION # 28
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

  • A. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.
  • B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
  • C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
  • D. Use a filter in IAM CloudTrail to exclude the IP addresses of the Security team's EC2 instances.

Answer: B

Explanation:
Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region. Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per region.
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html


NEW QUESTION # 29
You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources.
The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?
Please select:

  • A. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
  • B. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
  • C. Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management Console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
  • D. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Answer: A

Explanation:
AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account. CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct.
Option B is invalid because you need to ensure that global services is selected.
Option C is invalid because you should use bucket policies.
Option D is invalid because you should ideally just create one S3 bucket.
For more information on CloudTrail, please visit the URL below:
http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.


NEW QUESTION # 30
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

  • A. GuardDuty did not have the appropriate alerts activated.
  • B. GuardDuty does not see these DNS requests.
  • C. GuardDuty does not report on command-and-control activity.
  • D. GuardDuty only monitors active network traffic flow for command-and-control activity.

Answer: B

Explanation:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html


NEW QUESTION # 31
A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?

  • A. Enable automatic key rotation annually for the CMK.
  • B. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
  • C. Use the AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
  • D. Import new key material to the existing CMK and manually rotate the CMK.

Answer: B

Explanation:
https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs in custom key stores and CMKs with imported key material. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias. To update the target CMK of an alias, use the UpdateAlias operation in the AWS KMS API."


NEW QUESTION # 32
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  • A. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
  • B. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
  • C. Create an AWS Config configuration item for each VPC in the company AWS account.
  • D. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
  • E. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.

Answer: A,C


NEW QUESTION # 33
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

  • A. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
  • B. Newly created CMKs must allow the root principal to perform the kms:CreateGrant API operation.
  • C. The account's CMK key policy must allow the account's IAM roles to perform kms:EnableKey.
  • D. Newly created CMKs must have a key policy that allows the root principal to perform all actions.

Answer: A


NEW QUESTION # 34
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?

  • A. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework
  • B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings
  • C. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework
  • D. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation

Answer: B


NEW QUESTION # 35
You have an EC2 instance with the following security configured:
a. ICMP inbound allowed on Security Group
b. ICMP outbound not configured on Security Group
c. ICMP inbound allowed on Network ACL
d. ICMP outbound denied on Network ACL
If Flow Logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.
Please select:

  • A. An ACCEPT record for the request based on the NACL
  • B. An ACCEPT record for the request based on the Security Group
  • C. A REJECT record for the response based on the NACL
  • D. A REJECT record for the response based on the Security Group

Answer: A,B,C

Explanation:
This example is given in the AWS documentation as well.
For example, you use the ping command from your home computer (IP address 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present.
For more information on Flow Logs, please refer to the URL below:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL


NEW QUESTION # 36
You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?
Please select:

  • A. Add an AWS managed policy for the user
  • B. Add a service policy for the user
  • C. Add an inline policy for the user
  • D. Add an IAM role for the user

Answer: C

Explanation:
Options A and B are incorrect since you need to add an inline policy just for the user.
Option C is invalid because you don't assign an IAM role to a user.
The AWS documentation mentions the following:
An inline policy is a policy that's embedded in a principal entity (a user, group, or role); that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.
For more information on IAM Access and Inline policies, just browse to the URL below:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access
The correct answer is: Add an inline policy for the user


NEW QUESTION # 37
A Windows machine in one VPC needs to join the AD domain in another VPC. VPC Peering has been established, but the domain join is not working. What is the other step that needs to be followed to ensure that the AD domain join can work as intended?
Please select:

  • A. Ensure the security groups for the AD hosted subnet has the right rule for relevant subnets
  • B. Change the VPC peering connection to a VPN connection
  • C. Change the VPC peering connection to a Direct Connect connection
  • D. Ensure that the AD is placed in a public subnet

Answer: A

Explanation:
In addition to VPC peering and setting the right route tables, the security groups for the AD EC2 instance need to ensure the right rules are put in place for allowing incoming traffic.
Options A and B are invalid because changing the connection type will not help. This is a problem with the Security Groups.
Option D is invalid since the AD should not be placed in a public subnet.
For more information on allowing ingress traffic for AD, please visit the following URL:
https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/ingress.html
The correct answer is: Ensure the security groups for the AD hosted subnet has the right rule for relevant subnets


NEW QUESTION # 38
A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

  • A. Update the IAM policy attached to the role in the target account to be:
  • B. Update the IAM policy attached to the role in the identity account to be:
  • C. Update the trust policy on the role in the identity account to be:
  • D. Update the trust policy on the role in the target account to be:

Answer: B


NEW QUESTION # 39
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

  • A. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
  • B. Ensure that only Systems Administrators and Developers with job-related need-to-know requirements are capable of viewing, but not modifying, the log files.
  • C. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
  • D. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
  • E. Ensure that the log file integrity validation mechanism is enabled.

Answer: B,E


NEW QUESTION # 40
You have a set of Customer keys created using the AWS KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of keys but are not able to do so. What could be the reason for this?
Please select:

  • A. You have not explicitly given access via the key policy
  • B. You have not given access via the IAM roles
  • C. You have not explicitly given access via IAM users
  • D. You have not explicitly given access via the IAM policy

Answer: A

Explanation:
By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explicitly update the default key policy for these keys.
Options B, C and D are invalid because the key policy is the main entity used to provide access to the keys.
For more information on upgrading key policies, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-upgrading.html
The correct answer is: You have not explicitly given access via the key policy


NEW QUESTION # 41
One of your company's EC2 instances has been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do from the options given below?
Please select:

  • A. Isolate the machine from the network
  • B. Make sure that logs are stored securely for auditing and troubleshooting purpose
  • C. Take a snapshot of the EBS volume
  • D. Ensure all passwords for all IAM users are changed
  • E. Ensure that all access keys are rotated.

Answer: A,B,C

Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur on other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we have already got logs and we need to make sure that they are stored securely so that no unauthorised person can access or manipulate them.
Options D and E are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the URL below:
https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note:
In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purposes




To prepare for the AWS-Security-Specialty exam, candidates should have a minimum of two years of experience working with AWS security, as well as a strong understanding of AWS services and the AWS shared responsibility model. Candidates can also benefit from attending AWS training courses, such as the AWS Security Fundamentals course, and practicing with AWS security tools and services. Passing the AWS-Security-Specialty exam demonstrates a high level of proficiency in securing AWS environments and can lead to career advancement opportunities in cloud security.

 
