Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SCS-C01

Free Amazon SCS-C01 Exam Braindumps (page: 21)

Page 21 of 134
PDF with 532 Questions

A company's development team is designing an application using IAM Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's IAM services. The solution must minimize management overhead.

How should the security team prevent privilege escalation for both teams?

  1. Enable IAM CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  2. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
  3. Enable IAM Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team
  4. Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.

Answer(s): A



A financial institution has the following security requirements:

Cloud-based users must be contained in a separate authentication domain. Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

  1. Configure an IAM Managed Microsoft AD to manage the cloud resources.
  2. Configure an additional on-premises Active Directory service to manage the cloud resources.
  3. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
  4. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
  5. Establish a two-way trust between the new and existing Active Directory services.

Answer(s): A,D

Explanation:

Deploy a new forest/domain on IAM with one-way trust. If you are planning on leveraging credentials from an on-premises AD on IAM member servers, you must establish at least a one-way trust to the Active Directory running on IAM. In this model, the IAM domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain.


Reference:

https://d1.IAMstatic.com/whitepapers/adds-on- IAM.pdf
https://docs.IAM.amazon.com/directoryservice/latest/admin- guide/directory_microsoft_ad.html



A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an IAM CloudFormation template. The Engineer notices instances terminating right after they are launched.

What could be causing these terminations?

  1. The IAM user launching those instances is missing ec2:Runinstances permission.
  2. The AMI used as encrypted and the IAM does not have the required IAM KMS permissions.
  3. The instance profile used with the EC2 instances in unable to query instance metadata.
  4. IAM currently does not have sufficient capacity in the Region.

Answer(s): B


Reference:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/troubleshooting- launch.html



A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its IAM accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

When coma nation of the following would satisfy these requirements? (Select TWO)

  1. Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM
  2. Establish network connectivity between on-premises and the user's VPC
  3. Use Amazon Cognito user pools for application authentication
  4. Use AD Connector tor application authentication.
  5. Set up federated sign-in to IAM through ADFS and SAML.

Answer(s): C,D



Viewing page 21 of 134
Viewing questions 81 - 84 out of 532 questions



Post your Comments and Discuss Amazon SCS-C01 exam prep with other Community members:

SCS-C01 Exam Discussions & Posts