Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SCS-C01

Free Amazon SCS-C01 Exam Braindumps (page: 25)

Page 25 of 134
PDF with 532 Questions

A company is designing the securely architecture (or a global latency-sensitive web application it plans to deploy to IAM. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.

Which solution meets these requirements?

  1. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon
    CloudFront distribution that uses the ALB as its origin. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution.
  2. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution.
  3. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate IAM WAF ACLs and enable them on the ALB.
  4. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate IAM WAF ACLs and enable them on the ALB.

Answer(s): A



An employee accidentally exposed an IAM access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.

How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

  1. Analyze IAM CloudTrail for activity.
  2. Analyze Amazon CloudWatch Logs for activity.
  3. Download and analyze the IAM Use report from IAM Trusted Advisor.
  4. Analyze the resource inventory in IAM Config for IAM user activity.
  5. Download and analyze a credential report from IAM.

Answer(s): A,D


Reference:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html



A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific loT device brand that is visible in the user agent A security engineer needs to mitigate the attack without impacting the availability of the public website.

What should the security engineer do to accomplish this?

  1. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the v/eb ACL with the ALB.
  2. Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.
  3. Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.
  4. Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB. and configure a listener rule on the ALB to block loT devices based on the user agent.

Answer(s): D



A Security Engineer is setting up an IAM CloudTrail trail for all regions in an IAM account.

For added security, the logs are stored using server-side encryption with IAM KMS- managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  1. The log files fail integrity validation and automatically are marked as unavailable.
  2. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  3. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  4. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Answer(s): B

Explanation:

Enabling server-side encryption encrypts the log files but not the digest files with SSE- KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3).


Reference:

https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/encrypting-cloudtrail-log-files- with-IAM-kms.html



Viewing page 25 of 134
Viewing questions 97 - 100 out of 532 questions



Post your Comments and Discuss Amazon SCS-C01 exam prep with other Community members:

SCS-C01 Exam Discussions & Posts