CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SCS-C01

Free SCS-C01 Exam Braindumps (page: 14)

Page 13 of 134
PDF with 532 Questions

A company's security team has defined a set of IAM Config rules that must be enforced globally in all IAM accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?

  1. Use IAM Organizations to limit IAM Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one IAM account.
  2. Use IAM Config aggregation to consolidate the views into one IAM account, and provide role access to the security team.
  3. Consolidate IAM Config rule results with an IAM Lambda function and push data to Amazon SQS. Use Amazon SNS to consolidate and alert when some metrics are triggered.
  4. Use Amazon GuardDuty to load data results from the IAM Config rules compliance status, aggregate GuardDuty findings of all IAM accounts into one IAM account, and provide role access to the security team.

Answer(s): B



A company is using IAM Organizations to manage multiple IAM accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an IAM KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

  1. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
  2. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
  3. Ensure the CMK was created before the S3 bucket.
  4. Ensure the S3 block public access feature is enabled for the S3 bucket.
  5. Ensure that automatic key rotation is disabled for the CMK
  6. Ensure the SCPs within Organizations allow access to the S3 bucket.

Answer(s): A,B,F



A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.

How can the Engineer perform the key rotation process MOST efficiently?

  1. Create a new CMK, and redirect the existing Key Alias to the new CMK
  2. Select the option to auto-rotate the key
  3. Upload new key material into the existing CMK.
  4. Create a new CMK, and change the application to point to the new CMK

Answer(s): A



A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with IAM Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

  1. Open inbound port 22 to 0 0.0.0/0 on all Linux servers.
  2. Enable the advanced-instances tier in Systems Manager.
  3. Create a managed-instance activation for the on-premises servers.
  4. Reconfigure the Systems Manager Agent with the activation code and I
  5. Assign an IAM role to all of the on-premises servers.
  6. Initiate an inventory collection with Systems Manager on the on-premises servers

Answer(s): C,E,F






Post your Comments and Discuss Amazon SCS-C01 exam with other Community members:

SCS-C01 Exam Discussions & Posts