CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SCS-C01

Free SCS-C01 Exam Braindumps (page: 3)

Page 3 of 134
PDF with 532 Questions

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).

Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

  1. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
  2. Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instancestagged as being in the development environment.
  3. Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.
  4. Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances
  5. Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Answer(s): C,D



A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.

Which of the following requires the LEAST amount of configuration when implementing this approach?

  1. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.
  2. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.
  3. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
  4. Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS- managed keys (SSE-KMS) to encrypt the data

Answer(s): D

Explanation:

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) When you use Server- Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. Server-Side Encryption with Customer Master Keys (CMKs) Stored in IAM Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service.

When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual IAM KMS data key for every object. It makes a call to IAM KMS every time a request is made against a KMS-encrypted object.


Reference:

References:
https://docs.IAM.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
https://docs.IAM.amazon.com/AmazonS3/latest/dev/bucket-key.html https://docs.IAM.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html



A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

  1. The developer must configure Lambda access to the VPC using the --vpc-config parameter.
  2. The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.
  3. The KMS key policy must allow permissions for the developer to use the KMS key.
  4. The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.
  5. The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Answer(s): B,C



A company uses a third-party identity provider and SAML-based SSO for its IAM accounts After the third-party identity provider renewed an expired signing certificate users saw the following message when trying to log in:



A security engineer needs to provide a solution that corrects the error and minimizes operational overhead Which solution meets these requirements?

  1. Upload the third-party signing certificate's new private key to the IAM identity providerentity defined in IAM identity and Access Management (IAM) by using the IAM Management Console
  2. Sign the identity provider's metadata file with the new public key Upload the signature to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.
  3. Download the updated SAML metadata tile from the identity service provider Update the file in the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI
  4. Configure the IAM identity provider entity defined in IAM Identity and Access Management (IAM) to synchronously fetch the new public key by using the IAM Management Console.

Answer(s): C






Post your Comments and Discuss Amazon SCS-C01 exam with other Community members:

SCS-C01 Exam Discussions & Posts