Free Amazon SCS-C01 Exam Braindumps (page: 24)

A Developer reported that AWS CloudTrail had been disabled in their account. A Security Engineer investigated the account and found that the change had gone undetected by the current security tooling. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when such changes occur.

What should the Security Engineer do to meet these requirements?

  A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
  B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
  C. Update the security contact details in the AWS account settings so that AWS Support sends alerts when suspicious activity is detected.
  D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

Answer(s): B
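The rule behind answer B, as an added example that is not part of the original exam page: CLOUDTRAIL_TAMPER_PATTERN is the event pattern for an EventBridge (CloudWatch Events) rule whose target would be an SNS topic, and pattern_matches() implements the subset of EventBridge matching it relies on (value lists, "prefix" content filters, nested keys) so the pattern can be exercised offline. Stealth:IAMUser/CloudTrailLoggingDisabled is the GuardDuty finding type raised for StopLogging. It goes one step past the question by adding a second pattern on CloudTrail's own management events for configuration changes GuardDuty does not report. All sample events and account identifiers are constructed; the SNS publish itself is left out.

```python
"""Alert on GuardDuty findings that report CloudTrail being disabled."""
from typing import Any

# Rule 1: GuardDuty finding for a StopLogging call, routed to SNS.
CLOUDTRAIL_TAMPER_PATTERN: dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "Stealth:IAMUser/CloudTrailLoggingDisabled"}]},
}

# Rule 2 (complement): CloudTrail management events for other configuration
# changes. EventBridge documents that these API-call events require a logging
# trail, so this rule alone cannot be relied on to report StopLogging.
CLOUDTRAIL_API_PATTERN: dict[str, Any] = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"],
    },
}


def _value_matches(actual: Any, alternatives: list) -> bool:
    """One event value against the pattern's list of allowed values or filters."""
    for alt in alternatives:
        if isinstance(alt, dict):  # content filter; only {"prefix": ...} is modelled
            if "prefix" in alt and isinstance(actual, str) and actual.startswith(alt["prefix"]):
                return True
        elif actual == alt:
            return True
    return False


def pattern_matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics: every pattern key must match; extra event keys are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and pattern_matches(expected, actual)):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_value_matches(c, expected) for c in candidates):
                return False
    return True


def build_sns_alert(event: dict) -> dict[str, str]:
    """Subject/Message pair for sns.publish(); SNS rejects a Subject over 100 chars."""
    d = event["detail"]
    who = d.get("resource", {}).get("accessKeyDetails", {}).get("userName", "unknown principal")
    subject = f"GuardDuty {d['type']} in {d['accountId']}/{d['region']}"[:100]
    message = f"{d['title']}\nPrincipal: {who}\nSeverity: {d['severity']}\nFinding: {d['id']}"
    return {"Subject": subject, "Message": message}


def triage(events: list[dict]) -> list[dict[str, str]]:
    """Alerts the GuardDuty rule would emit for a batch of EventBridge events."""
    return [build_sns_alert(e) for e in events if pattern_matches(CLOUDTRAIL_TAMPER_PATTERN, e)]


# Constructed sample events in EventBridge envelope format.
SAMPLE_EVENTS: list[dict] = [
    {  # GuardDuty finding for the StopLogging call: must alert
        "version": "0", "id": "e1", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "111122223333", "region": "us-east-1",
        "detail": {"id": "finding-1", "type": "Stealth:IAMUser/CloudTrailLoggingDisabled",
                   "severity": 2, "accountId": "111122223333", "region": "us-east-1",
                   "title": "AWS CloudTrail trail management-events was disabled.",
                   "resource": {"resourceType": "AccessKey",
                                "accessKeyDetails": {"userName": "dev-user", "userType": "IAMUser"}}},
    },
    {  # unrelated GuardDuty finding: must not alert
        "version": "0", "id": "e2", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "111122223333", "region": "us-east-1",
        "detail": {"id": "finding-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
                   "accountId": "111122223333", "region": "us-east-1",
                   "title": "Unprotected port on EC2 instance i-0abc is being probed.",
                   "resource": {"resourceType": "Instance"}},
    },
    {  # raw CloudTrail API event: matched by rule 2 only
        "version": "0", "id": "e3", "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.cloudtrail", "account": "111122223333", "region": "us-east-1",
        "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    },
]
```

Run triage(SAMPLE_EVENTS) to see the single alert the rule would send; the CloudTrail event is deliberately not caught by the GuardDuty rule, which is the reason for deploying both.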



A Security Engineer has discovered that, although encryption is enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket can retrieve any of the files. The Engineer wants to limit access so that each IAM user can access only an assigned folder.

What should the Security Engineer do to achieve this?

  A. Use envelope encryption with the AWS managed CMK aws/s3.
  B. Create a customer managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
  C. Create a customer managed CMK for each user. Add each user as a key user in their corresponding key policy.
  D. Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"

Answer(s): D


Reference:

https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/



A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO to their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly afterwards, users started receiving the following error when attempting to log in:

"Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)"

A security engineer needs to address the immediate issue and ensure that it will not occur again.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

  A. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.
  B. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
  C. Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
  D. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
  E. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configuration to pass the new IAM identity provider entity name in the SAML assertion.

Answer(s): B,C
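The check behind this question, as an added example that is not part of the original exam page: IAM verifies the SAML response signature against the X.509 certificates in the metadata uploaded to its identity provider entity, so when the IdP starts signing with a certificate that metadata does not contain, the assertion is rejected with the error above. Publishing the next certificate as a secondary signing KeyDescriptor before cutover, and re-uploading that metadata to the existing IAM entity, keeps an overlap. The code parses IdP metadata, fingerprints its signing certificates, and reports whether a given IdP signing certificate would be accepted. The certificates are constructed placeholder bytes, not real X.509 DER, and the entity ID is invented; fingerprinting works identically on real certificates.

```python
"""Does the SAML metadata IAM holds still cover the IdP's active signing certificate?"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes (the value IdP consoles show as the thumbprint)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def signing_fingerprints(metadata_xml: str) -> list[str]:
    """Fingerprints of every certificate the metadata offers for response signatures."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption;
        # one marked use="encryption" is not a signing key and is skipped.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            found.append(fingerprint(cert.text))
    return found


def idp_signature_verifiable(iam_metadata_xml: str, idp_active_cert_b64: str) -> bool:
    """True when the certificate the IdP signs with is among those IAM trusts."""
    return fingerprint(idp_active_cert_b64) in signing_fingerprints(iam_metadata_xml)


def constructed_metadata(*certs_b64: str) -> str:
    """Minimal IdP metadata with one signing KeyDescriptor per certificate (constructed)."""
    descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs_b64
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://idp.example.com/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Placeholder certificate bodies; real metadata carries base64 DER here.
OLD_CERT = base64.b64encode(b"constructed placeholder for the expiring certificate").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder for the replacement certificate").decode()

# What IAM held when users hit "Response Signature Invalid": pre-rotation metadata.
METADATA_BEFORE_ROTATION = constructed_metadata(OLD_CERT)
# What should be uploaded during the overlap window: both certificates listed.
METADATA_WITH_SECONDARY = constructed_metadata(OLD_CERT, NEW_CERT)
```

Running idp_signature_verifiable(METADATA_BEFORE_ROTATION, NEW_CERT) reproduces the outage; with METADATA_WITH_SECONDARY both the old and the new certificate verify, so the IdP can cut over whenever it likes. Uploading the refreshed metadata to the existing IAM identity provider entity keeps its ARN, so role trust policies need no change.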



A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions into an Amazon S3 bucket. The log files are encrypted using AWS KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message.

What should the Security Engineer do to fix this issue?

  A. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.
  B. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
  C. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
  D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK.

Answer(s): C
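The two S3 access questions above (the per-user folder policy in option D of the examplebucket question, and the instance profile role that needs both S3 and KMS permissions here) share one mechanism, so a single added example covers both; it is not part of the original exam page. It models a deliberately small subset of IAM evaluation: Allow and Deny statements, '*' and '?' wildcards, ${aws:username} substitution and StringLike conditions. Resource policies (the S3 bucket policy and the KMS key policy) are not modelled, and for the SSE-KMS case the key policy must additionally let the instance profile role call kms:Decrypt. The bucket name, key ARN and account ID are constructed.

```python
"""Offline evaluation of IAM identity policies for the two S3 scenarios."""
import re
from typing import Any


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _substitute(value: str, ctx: dict[str, str]) -> str:
    """Expand policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), value)


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _applies(stmt: dict, action: str, resource: str, ctx: dict[str, str]) -> bool:
    """True when the statement's Action, Resource and Condition all match the request."""
    if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(_substitute(r, ctx), resource) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, patterns in pairs.items():
            # A condition key absent from the request makes StringLike evaluate false.
            if key not in ctx or not any(_glob(_substitute(p, ctx), ctx[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict[str, str]) -> str:
    """Explicit Deny wins; with no matching Allow the result is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Per-user folders: ListBucket is limited to the caller's own prefix and object
# actions to objects under it. Without the prefix condition every user could
# still enumerate everyone else's keys, even though they could not read them.
USER_FOLDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOwnFolderOnly", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::examplebucket",
         "Condition": {"StringLike": {"s3:prefix": ["", "${aws:username}/", "${aws:username}/*"]}}},
        {"Sid": "ObjectsInOwnFolder", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"},
    ],
}

# Centralised CloudTrail logs read from EC2: the instance profile role needs the
# S3 side and the KMS side. Bucket, key and account identifiers are constructed.
LOGS_BUCKET_ARN = "arn:aws:s3:::central-cloudtrail-logs"
LOGS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
S3_ONLY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": LOGS_BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{LOGS_BUCKET_ARN}/*"},
    ],
}
FULL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": S3_ONLY_ROLE_POLICY["Statement"]
    + [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": LOGS_KEY_ARN}],
}


def missing_for_sse_kms_read(policy: dict, bucket_arn: str, key: str, kms_key_arn: str) -> list[str]:
    """Permissions the caller still lacks to list and read one SSE-KMS encrypted object."""
    needed = [("s3:ListBucket", bucket_arn), ("s3:GetObject", f"{bucket_arn}/{key}"),
              ("kms:Decrypt", kms_key_arn)]
    return [f"{action} on {res}" for action, res in needed if evaluate(policy, action, res, {}) != "Allow"]
```

With S3_ONLY_ROLE_POLICY, missing_for_sse_kms_read() reports only the kms:Decrypt gap, which S3 surfaces to the caller as a plain access denied error; that is why the instance profile role, not the engineer's own role, is what has to be checked, and why both the S3 and the KMS grants matter (option C).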





