QUESTION: 81 Exam Topic: 1 Exam Pool A

A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the togging server but the web server never receives a reply

Which of the following actions could fix this issue1?

Add an inbound rule to the security group associated with the logging server that allows requests from the web server
Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection
Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

Answer(s): C

Show Answer Next Question

QUESTION: 82 Exam Topic: 1 Exam Pool A

A company has the software development teams that are creating applications that store sensitive data in Amazon S3 Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead. What should the security team recommend?

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) IAM managed CMKs Limit the key process to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt
Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) IAM managed CMK Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt
Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) customer managed CMKs Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only Force the teams to use encryption context to encrypt and decrypt
Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) customer managed CMK Limit the key policy to allow encryption and decryption of the CMK only Do not allow the teams to use encryption context to encrypt and decrypt

Answer(s): A

Show Answer Next Question

QUESTION: 83 Exam Topic: 1 Exam Pool A

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes The software engineering team needs to make changes that will address the audit findings.

Which set of steps should the software engineering team take?

Use an IAM Key Management Service (IAM KMS) CMK. Encrypt the data at rest.
Use IAM Certificate Manager (ACM) Private Certificate Authority Encrypt the data in transit.
Use a DynamoDB encryption client. Use client-side encryption and sign the table items
Use the IAM Encryption SDK. Use client-side encryption and sign the table items.

Answer(s): A

Show Answer Next Question

QUESTION: 84 Exam Topic: 1 Exam Pool A

A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.

Which action should the Security Engineer take to allow communication over the public IP addresses?

Associate the instances to the same security groups.
Add 0.0.0.0/0 to the egress rules of the instance security groups.
Add the instance IDs to the ingress rules of the instance security groups.
Add the public IP addresses to the ingress rules of the instance security groups.

Answer(s): D

Reference:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/security-group-rules- reference.html#sg-rules-other-instances

Show Answer Next Question

Free Amazon SCS-C01 Exam Braindumps (page: 22)

QUESTION: 81 Exam Topic: 1 Exam Pool A

QUESTION: 82 Exam Topic: 1 Exam Pool A

QUESTION: 83 Exam Topic: 1 Exam Pool A

QUESTION: 84 Exam Topic: 1 Exam Pool A

Reference:

SCS-C01 Exam Discussions & Posts