Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SCS-C01

Free Amazon SCS-C01 Exam Braindumps (page: 19)

Page 19 of 134
PDF with 532 Questions

A company requires that SSH commands used to access its IAM instance be traceable to the user who executed each command.

How should a Security Engineer accomplish this?

  1. Allow inbound access on port 22 at the security group attached to the instance Use IAM

    Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging tor Systems Manager sessions
  2. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on port 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance
  3. Deny inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager tor shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging for Systems Manager sessions
  4. Use Amazon S3 to securely store one Privacy Enhanced Mall Certificate (PEM fie) for each team or group Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on pod 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Answer(s): C



A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The Security Engineer has verified the following:

1. The rule set in the Security Groups is correct

2. The rule set in the network ACLs is correct

3. The rule set in the virtual appliance is correct

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

  1. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  2. Verify which Security Group is applied to the particular web server's elastic networkinterface (ENI).
  3. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  4. Verify the registered targets in the ALB.
  5. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Answer(s): C,D


Reference:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/using-eni.html



While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

  1. In the security group of the EC2 instance, allow inbound ICMP traffic.
  2. In the security group of the EC2 instance, allow outbound ICMP traffic.
  3. In the VPC's NACL, allow inbound ICMP traffic.
  4. In the VPC's NACL, allow outbound ICMP traffic.

Answer(s): D



A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.

Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption and allow for immediate destruction of the data

Which solution will meet these requirements?

  1. Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer- specific data
  2. Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.
  3. Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys
  4. Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Answer(s): A



Viewing page 19 of 134
Viewing questions 73 - 76 out of 532 questions



Post your Comments and Discuss Amazon SCS-C01 exam prep with other Community members:

SCS-C01 Exam Discussions & Posts