PassQuestion provides the latest 2021 Update AWS Certified Security-Specialty SCS-C01 Real Questions that will allow you to prepare for your exam and pass it in a single attempt.
SCS-C01 Free Questions
AWS Certified Security - Specialty
https://www.passquestion.com/SCS-C01.html
Question 1
Amazon GuardDuty has detected communications to a known command and control end point from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?
A. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation
B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework
D. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework
Answer: C
Question 2
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.
Which steps should the security engineer take to meet these requirements?
A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
B. Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket
Answer: A
Question 3
You need to have a cloud security device which would allow you to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose?
A. AWS KMS
B. AWS Customer Keys
C. AWS managed keys
D. AWS Cloud HSM
Answer: A, D
Question 4
You need to ensure that the CloudTrail logs which are being delivered in your AWS account are encrypted. How can this be achieved in the easiest way possible?
A. Don't do anything since CloudTrail logs are automatically encrypted.
B. Enable S3-SSE for the underlying bucket which receives the log files
C. Enable S3-KMS for the underlying bucket which receives the log files
D. Enable KMS encryption for the logs which are sent to CloudWatch
Answer: A
Question 5
You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.
A. Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication
B. Place the EC2 Instance with the Oracle database in a separate private subnet
C. Create a database security group and ensure the web security group is allowed incoming access
D. Ensure the database security group allows incoming traffic from 0.0.0.0/0
Answer: B, C
Question 6
A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket? Choose 2 answers from the options given below.
A. Enable versioning on the S3 bucket
B. Enable data at rest for the objects in the bucket
C. Enable MFA Delete in the bucket policy
D. Enable data in transit for the objects in the bucket
Answer: A, C
Question 7
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.
Which factors could cause the health check failures? (Select THREE.)
A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.
Answer: A, C, D
Question 8
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
A. Use the containers to automate security deployments.
B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
C. Segregate containers by host, function, and data classification.
D. Use Docker Notary framework to sign task definitions.
E. Enable container breakout at the host kernel.
Answer: A, C
Question 9
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
E. Enable GuardDuty to block malicious traffic from reaching the application
Answer: B, D
Question 10
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
B. Ensure the bucket policy has a condition which involves aws:AccountNumber
C. Ensure the bucket policy has a condition which involves aws:PrincipalID
D. Ensure the bucket policy has a condition which involves aws:OrgID
Answer: A