Free SCS-C01 Exam Braindumps (page: 12)


A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead.

Which solution will meet this requirement?

  1. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.
  2. Create a table in Amazon Athena for AWS CloudTrail events. Query the table in Amazon Athena for CreateRole events.
  3. Use AWS Config to look up the configuration timeline for the additional IAM roles and view the linked AWS CloudTrail event.
  4. Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.

Answer(s): A



A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

  1. One in the US West (Oregon) region and one in the US East (Virginia) region.
  2. Two in the US West (Oregon) region and none in the US East (Virginia) region.
  3. One in the US West (Oregon) region and none in the US East (Virginia) region.
  4. Two in the US East (Virginia) region and none in the US West (Oregon) region.

Answer(s): A

Explanation:

Why? If you want to require HTTPS between viewers and CloudFront, you must change the AWS Region to US East (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate. If you want to require HTTPS between CloudFront and your origin, and you're using an ELB load balancer as your origin, you can request or import a certificate in any Region.


Reference:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html



A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

· Set up the proxy software on the EC2 instances.

· Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

· Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

  1. Put all the proxy EC2 instances in a cluster placement group.
  2. Disable source and destination checks on the proxy EC2 instances.
  3. Open all inbound ports on the proxy EC2 instance security group.
  4. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

Answer(s): B



A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.

This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the Security team does not want the application's EC2 instance exposed directly to the internet. The Security Engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.

What else does the Security Engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

  1. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
  2. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
  3. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
  4. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.

Answer(s): D





