Free SCS-C02 Exam Braindumps (page: 4)

Page 4 of 63

You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit.
Which of the following is one of the right ways to implement this?

  1. Use S3 SSE and use SSL for data in transit.
  2. SSL termination on the ELB
  3. Enabling Proxy Protocol.
  4. Enabling sticky sessions on your load balancer.

Answer(s): A

Explanation:

By disabling SSL termination, you leave an insecure connection from the ELB to the back-end instances, which means that part of the data transit is not encrypted.

Option B is incorrect because this would not guarantee complete encryption of data in transit.

Options C and D are incorrect because these would not guarantee encryption.

For more information on SSL Listeners for your load balancer, please visit the below URL:

http://docs.IAM.amazon.com/elasticloadbalancine/latest/classic/elb-https-load-balancers.htmll.

The correct answer is: Use S3 SSE and use SSL for data in transit.



There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?

  1. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.
  2. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
  3. Add a rule to all of the VPC Security Groups to deny access from the IP Address block.
  4. Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Answer(s): B

Explanation:

A NACL acts as a firewall at the subnet level of the VPC, so we can deny the offending IP address block at the subnet level using NACL rules that block the incoming traffic to the VPC instances. Since NACL rules are evaluated in order of rule number, make sure that this deny rule takes precedence over any existing rules that would allow traffic from these IP ranges: a lower rule number takes precedence over a higher one.

The IAM documentation mentions the following as a best practice for IAM users.

For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

Option C is invalid because these options are not available.

Option D is invalid because there is no root access for users.

For more information on IAM best practices, please visit the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/best-practices.html.

The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.




A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

  1. Use lifecycle policies for the EBS volumes.
  2. Use EBS Snapshots.
  3. Use EBS volume replication.
  4. Use EBS volume encryption.

Answer(s): B

Explanation:

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.

Option A is invalid because there is no lifecycle policy for EBS volumes.

Option C is invalid because there is no EBS volume replication.

Option D is invalid because EBS volume encryption will not ensure business continuity.

For information on security for Compute Resources, please visit the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf.



A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.

The application must:

- Include migration to a different IAM Region in the application disaster recovery plan.

- Provide a full audit trail of encryption key administration events.

- Allow only company administrators to administer keys.

- Protect data at rest using application layer encryption.

A Security Engineer is evaluating options for encryption key management.

Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?

  1. The key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS.
  2. CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys.
  3. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS
  4. CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not.

Answer(s): B

Explanation:

CloudHSM gives you full control of your keys, including symmetric (AES), asymmetric (RSA), SHA-256, SHA-512, hash-based, and digital signature (RSA) operations. On the other hand, AWS Key Management Service is multi-tenant key storage that is owned and managed by AWS [1].


Reference:

1: What are the differences between AWS Cloud HSM and KMS?






Post your Comments and Discuss Amazon SCS-C02 exam with other Community members:

Mohammed Haque commented on October 04, 2024
very useful site for exam prep