CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SCS-C01

Free SCS-C01 Exam Braindumps (page: 7)

Page 7 of 134
PDF with 532 Questions

A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

  1. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead
  2. Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret
  3. Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.
  4. Add the following statement to the container instance IAM role policy


  5. Add the following statement to the execution role policy.


  6. Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Answer(s): B,E,F



A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in IAM Systems Manager Parameter Store When the application tries to access the secure string key value, it fails.

Which factors could be the cause of this failure? (Select TWO.)

  1. The EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret
  2. The EC2 instance role does not have read permissions to read the parameters In Parameter Store
  3. Parameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter
  4. The EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret
  5. The EC2 instance does not have any tags associated.

Answer(s): A,B


Reference:

https://docs.IAM.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html



A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks

The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.

What is the simplest and MOST effective way to protect the content?

  1. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
  2. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
  3. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content
  4. Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.

Answer(s): B



A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.

While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?

  1. Enable IAM Shield Advanced and IAM WAF. Configure an IAM WAF custom filter for egress traffic on port 5353
  2. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
  3. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
  4. Use Amazon Athena to query IAM CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.

Answer(s): C






Post your Comments and Discuss Amazon SCS-C01 exam with other Community members:

SCS-C01 Exam Discussions & Posts