
[Feb 08, 2022] SCS-C01 Test Engine files, SCS-C01 Dumps PDF [Q206-Q223]


Latest Amazon SCS-C01 PDF and Dumps (2022) Free Exam Questions Answers

NEW QUESTION 206
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

  • A. In the security group of the EC2 instance, allow inbound ICMP traffic.
  • B. In the VPC's NACL, allow outbound ICMP traffic.
  • C. In the VPC's NACL, allow inbound ICMP traffic.
  • D. In the security group of the EC2 instance, allow outbound ICMP traffic.

Answer: D

 

NEW QUESTION 207
An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket, the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Choose three.)

  • A. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principal.
  • B. Confirm that the EC2 instance is using the correct key pair.
  • C. Confirm that the EC2 instance's security group authorizes S3 access.
  • D. Confirm that the instance and the S3 bucket are in the same Region.
  • E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
  • F. Check the S3 bucket policy for statements that deny access to objects.

Answer: A,E,F

 

NEW QUESTION 208
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

  • A. GuardDuty does not report on command-and-control activity.
  • B. GuardDuty only monitors active network traffic flow for command-and-control activity.
  • C. GuardDuty did not have the appropriate alerts activated.
  • D. GuardDuty does not see these DNS requests.

Answer: B

 

NEW QUESTION 209
A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and the rest from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Select THREE.)

  • A. Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3.
  • B. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB.
  • C. Update the ALB listener to listen using HTTPS with the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
  • D. Configure the web servers on the EC2 instances to listen using HTTPS with the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.
  • E. Update the CloudFront distribution to redirect HTTP connections to HTTPS.
  • F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Answer: B,C,E

 

NEW QUESTION 210
You have set up a set of applications across two VPCs. You have also set up VPC peering. The applications are still not able to communicate across the peering connection. Which network troubleshooting step should be taken to resolve the issue?
Please select:

  • A. Check to see if the VPC has an Internet gateway attached.
  • B. Check the route tables for the VPCs.
  • C. Check to see if the VPC has a NAT gateway attached.
  • D. Ensure the applications are hosted in a public subnet

Answer: B

Explanation:
After the VPC peering connection is established, you need to ensure that the route tables are modified so that traffic can flow between the VPCs. Options A, C and D are invalid because an Internet gateway and the use of public subnets can help with Internet access, but not with VPC peering.
For more information on VPC peering routing, please visit the below URL:
.com/AmazonVPC/latest/Peeri
The correct answer is: Check the route tables for the VPCs.

 

NEW QUESTION 211
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

  • A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
  • C. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • D. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

Answer: C

 

NEW QUESTION 212
A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.
Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

  • A. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.
  • B. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.
  • C. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.
  • D. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

Answer: D

 

NEW QUESTION 213
A security engineer noticed an anomaly within a company EC2 instance as shown in the image. The engineer must now investigate what is causing the anomaly.

What are the MOST effective steps to take to ensure that the instance is not further manipulated, while allowing the engineer to understand what happened?

  • A. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.
  • B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
  • C. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
  • D. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.

Answer: A

 

NEW QUESTION 214
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.
Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

  • A. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
  • B. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
  • C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
  • D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
  • E. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Answer: B,C

 

NEW QUESTION 215
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances.
The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

  • A. Verify that the time zone on the application servers is in UTC.
  • B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
  • C. Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
  • D. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
  • E. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.

Answer: B,E

 

NEW QUESTION 216
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?

  • A. Disable the Network Source/Destination check on the security appliance's elastic network interface.
  • B. Place the security appliance in the public subnet with the internet gateway.
  • C. Configure the security appliance's elastic network interface for promiscuous mode.
  • D. Disable network ACLs.

Answer: A

Explanation:
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. In this case the virtual security appliance instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

 

NEW QUESTION 217
In order to encrypt data in transit for a connection to an AWS RDS instance, which of the following would you implement?
Please select:

  • A. Data keys from AWS KMS
  • B. Data Keys from CloudHSM
  • C. SSL from your application
  • D. Transparent data encryption

Answer: C

Explanation:
This is mentioned in the AWS Documentation:
You can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.
Option D is incorrect since Transparent data encryption is used for data at rest and not in transit. Options A and B are incorrect since data keys are used for encryption of data at rest. For more information on working with RDS and SSL, please refer to the below URL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
The correct answer is: SSL from your application.

 

NEW QUESTION 218
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.
What is causing this situation?

  • A. The Perfect Forward Secrecy settings are not configured correctly.
  • B. Application Load Balancers do not support older web browsers.
  • C. The intermediate certificate is installed within the Application Load Balancer.
  • D. The cipher suites on the Application Load Balancers are blocking connections.

Answer: D

Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

 

NEW QUESTION 219
A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

  • A. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
  • B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data.
  • C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
  • D. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.

Answer: A

 

NEW QUESTION 220
The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.
Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?

  • A. Active Directory (AD) Connector
  • B. Amazon Cognito
  • C. AssumeRoleWithWebIdentity API
  • D. Amazon Cloud Directory

Answer: B

Explanation:
Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-provider.html

 

NEW QUESTION 221
A company is planning to run a number of admin-related scripts using the AWS Lambda service. There is a need to understand if any errors are encountered when the scripts run. How can this be accomplished in the most effective manner?
Please select:

  • A. Use CloudWatch metrics and logs to watch for errors
  • B. Use the AWS Config service to monitor for errors
  • C. Use the Amazon Inspector service to monitor for errors
  • D. Use CloudTrail to monitor for errors

Answer: A

Explanation:
The AWS Documentation mentions the following:
AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.
Options B, C and D are all invalid because these services cannot be used to monitor for errors. For more information on monitoring Lambda functions, please visit the following URL:
https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html
The correct answer is: Use CloudWatch metrics and logs to watch for errors.

 

NEW QUESTION 222
Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier.
Which of the following techniques will improve the availability of the application? (Choose two.)

  • A. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
  • B. Use the default Amazon VPC for external-facing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.
  • C. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
  • D. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
  • E. Deploy AWS WAF to block all unsecured web applications from accessing the internet.

Answer: A,E

 

NEW QUESTION 223
......


Amazon SCS-C01 Exam Syllabus Topics:

Topic 1: An Understanding of Specialized Data Classifications and AWS Data Protection Mechanisms
Topic 2: An Understanding of Secure Internet Protocols and AWS Mechanisms to Implement Them
Topic 3: An Understanding of Data Encryption Methods and AWS Mechanisms to Implement Them
Topic 4: Ability to Make Tradeoff Decisions with Regard to Cost, Security, and Deployment Complexity Given a Set of Application Requirements
Topic 5: A Working Knowledge of AWS Security Services and Features of Services to Provide a Secure Production Environment

 

Pass Your AWS Certified Security SCS-C01 Exam on Feb 08, 2022 with 530 Questions: https://freetorrent.braindumpsvce.com/SCS-C01_exam-dumps-torrent.html