AWS Certified Security - Specialty SCS-C01 Free Questions
https://www.passquestion.com/SCS-C01.html

Question 1
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed. Which approach should the team take to accomplish this task?
A. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation.
B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings.
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework.
D. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework.
Answer: C
Systems Manager Inventory (the AWS:Application type) and Run Command report installed packages and versions across every managed instance, so the fleet can be queried for the exact version. CloudTrail records API calls, not software installs; the Inspector Network Reachability package only reports open ports; Resource Access Manager shares resources between accounts and inspects nothing.

Question 2
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?
A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
B. Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket.
Answer: C
The CIS AWS Foundations checks in Security Hub are implemented as service-linked AWS Config rules, so AWS Config must be enabled and recording the relevant resource types in every region where the standard is enabled; with Config off, the controls simply never produce results. Inspector, Trusted Advisor and CloudTrail are not involved in producing these findings.

Question 3
You need to have a cloud security device which would allow you to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose?
A. AWS KMS
B. AWS Customer Keys
C. AWS managed keys
D. AWS CloudHSM
Answer: A, D
AWS CloudHSM is the classic answer: a dedicated, single-tenant HSM validated at FIPS 140-2 Level 3. The HSMs behind AWS KMS have since also been validated at Level 3 (they were Level 2 when this exam version was written), which is why both are marked. "Customer keys" and "AWS managed keys" are key types inside KMS, not devices.

Question 4
You need to ensure that the CloudTrail logs which are being delivered to your AWS account are encrypted. How can this be achieved in the easiest way possible?
A. Don't do anything since CloudTrail logs are automatically encrypted.
B. Enable S3-SSE for the underlying bucket which receives the log files.
C. Enable S3-KMS for the underlying bucket which receives the log files.
D. Enable KMS encryption for the logs which are sent to CloudWatch.
Answer: A
CloudTrail delivers log files to S3 with SSE-S3 encryption by default. SSE-KMS is an optional trail setting for customers who need a customer-managed key and key-level access control, but it is not required to get encryption at rest.

Question 5
You are planning on hosting a web application on AWS. You create an EC2 instance in a public subnet. This instance needs to connect to an EC2 instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? (Select TWO.)
A. Place the EC2 instance with the Oracle database in the same public subnet as the web server for faster communication.
B. Place the EC2 instance with the Oracle database in a separate private subnet.
C. Create a database security group and allow incoming access only from the web server's security group.
D. Ensure the database security group allows incoming traffic from 0.0.0.0/0.
Answer: B, C
The database belongs in a private subnet with no route from the internet, and its security group should reference the web tier's security group as the source on the database port only. Opening the port to 0.0.0.0/0 exposes the database to the whole internet.

Question 6
A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to reduce the risk of data deletion on the bucket? (Choose TWO.)
A. Enable versioning on the S3 bucket.
B. Enable data at rest for the objects in the bucket.
C. Enable MFA Delete in the bucket policy.
D. Enable data in transit for the objects in the bucket.
Answer: A, C
Versioning keeps a delete from being final (a delete marker is written and prior versions remain), and MFA Delete requires a valid MFA code to permanently delete a version or to change the versioning state. Note that MFA Delete is a property of the bucket's versioning configuration, set by the root user, rather than a bucket-policy statement; a bucket policy can additionally deny s3:DeleteObjectVersion to everyone except a break-glass role. Encryption at rest or in transit protects confidentiality, not availability.

Question 7
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)
A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.
Answer: A, D, E
Health checks originate from the NLB nodes' private IP addresses in the load balancer subnets, so both the target's security group and the subnet network ACL (in both directions, because NACLs are stateless) must permit the health-check port from those addresses. For the NLBs this exam covers, the load balancer has no security group of its own, so a rule that references a security group as its source never matches; the allow must be by IP address or CIDR. (NLBs created with a security group attached, supported since 2023, can be referenced by that group instead.) Security groups attach to ENIs, not to load balancers, and NACLs attach to subnets, so B, C and F describe configurations that do not exist.

Question 8
Developers in an organization have moved from a standard application deployment to containers. The security engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
A. Use the containers to automate security deployments.
B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
C. Segregate containers by host, function, and data classification.
D. Use the Docker Notary framework to sign task definitions.
E. Enable container breakout at the host kernel.
Answer: B, C
Resource limits, minimal images and a tight network policy shrink what a compromised container can reach, and segregating workloads by sensitivity limits blast radius. Notary signs container images, not ECS task definitions; "enabling breakout" is the opposite of hardening; automating deployments with containers says nothing about their security.

Question 9
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? (Select TWO.)
A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
E. Enable GuardDuty to block malicious traffic from reaching the application.
Answer: B, D
CloudFront absorbs and filters traffic at the edge and AWS WAF (with rate-based rules) drops abusive requests before they reach the origin, while an ALB plus Auto Scaling absorbs legitimate surges. Security groups only allow, they cannot block listed addresses (and a blacklist does not scale against a distributed attack); Inspector assesses hosts for vulnerabilities and never sees traffic; GuardDuty detects and alerts but does not block.

Question 10
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organization have access to this bucket?
A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID.
B. Ensure the bucket policy has a condition which involves aws:AccountNumber.
C. Ensure the bucket policy has a condition which involves aws:PrincipalID.
D. Ensure the bucket policy has a condition which involves aws:OrgID.
Answer: A
aws:PrincipalOrgID is the global condition key that matches any principal belonging to the given organization, so a single statement with Principal "*" and that condition replaces a list of every account ID. aws:AccountNumber and aws:OrgID are not IAM condition keys at all, and a condition on a key that never appears in the request context evaluates to false, so such a statement grants nothing. The bucket policy only opens the resource side: each principal still needs an identity-based policy in its own account that allows the S3 actions.
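For the fleet-wide version hunt in Question 1, the part that usually goes wrong is not fetching the inventory but comparing versions: "4.10.0" sorts before "4.9.0" as a string, and a release candidate does not contain the fix shipped in the matching release. The script below is an added example, not code from the page or from AWS. The records mirror the field names of the Systems Manager AWS:Application inventory type, but the instance IDs, the framework name "webfw" and its affected range are constructed for illustration and do not refer to any real package or advisory; in a real run the records would come from `aws ssm get-inventory` or `aws ssm list-inventory-entries --type-name AWS:Application`.

```python
"""Find instances whose SSM Inventory shows an affected version of a web framework.

Added example. Record shape follows the AWS:Application inventory type
(Name, Version, Publisher); everything else below is constructed.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample records (one per instance and package). Real data: e.g.
#   aws ssm get-inventory --filters Key=AWS:Application.Name,Values=webfw,Type=Equal
SAMPLE_INVENTORY = [
    {"InstanceId": "i-0aaa", "Name": "webfw", "Version": "4.1.9", "Publisher": "Example"},
    {"InstanceId": "i-0bbb", "Name": "webfw", "Version": "4.2.1", "Publisher": "Example"},
    {"InstanceId": "i-0ccc", "Name": "webfw", "Version": "4.10.0", "Publisher": "Example"},
    {"InstanceId": "i-0ddd", "Name": "webfw", "Version": "4.2.1-rc1", "Publisher": "Example"},
    {"InstanceId": "i-0eee", "Name": "othertool", "Version": "1.0.0", "Publisher": "Example"},
    {"InstanceId": "i-0fff", "Name": "webfw", "Version": "3.9.2", "Publisher": "Example"},
]

# Numeric dotted version with an optional pre-release tag (rc1, beta2, alpha).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(rc|beta|alpha)(\d*))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Return (numeric parts, release flag, pre-release number).

    The release flag is 1 for a final release and 0 for a pre-release, so
    4.2.1-rc1 sorts before 4.2.1. Unparseable strings raise rather than being
    skipped, so odd inventory entries get looked at instead of ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    release_flag = 0 if m.group(2) else 1
    pre_num = int(m.group(3) or 0)
    return nums, release_flag, pre_num


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than b; 4.2 == 4.2.0."""
    (an, af, ap), (bn, bf, bp) = parse_version(a), parse_version(b)
    width = max(len(an), len(bn))
    an += (0,) * (width - len(an))
    bn += (0,) * (width - len(bn))
    return (an, af, ap) < (bn, bf, bp)


def is_affected(version: str, fixed_in: str, first_affected: Optional[str] = None) -> bool:
    """True when first_affected <= version < fixed_in (lower bound optional)."""
    if not version_lt(version, fixed_in):
        return False
    if first_affected is not None and version_lt(version, first_affected):
        return False
    return True


def find_affected(inventory: Iterable[dict], name: str, fixed_in: str,
                  first_affected: Optional[str] = None) -> Dict[str, str]:
    """Map instance ID -> installed version for every instance in the affected range."""
    hits = {}
    for rec in inventory:
        if rec["Name"].lower() != name.lower():
            continue
        if is_affected(rec["Version"], fixed_in, first_affected):
            hits[rec["InstanceId"]] = rec["Version"]
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    # Hypothetical advisory: webfw 4.0.0 up to but not including 4.2.1 is affected.
    for instance, version in find_affected(SAMPLE_INVENTORY, "webfw", "4.2.1", "4.0.0").items():
        print(f"{instance}\twebfw {version}")
```

Feeding the real inventory through the same function turns the "which other hosts" question into a list of instance IDs that can go straight into a Run Command patch job or an isolation security group.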
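Question 10 hinges on the difference between a real condition key and a plausible-looking one, and a misspelled key does not fail loudly: IAM just never finds it in the request context. The linter below is an added example, not code from the page or from AWS. It takes a bucket policy document (the string `aws s3api get-bucket-policy` returns in its `Policy` field), flags Allow statements with a wildcard principal that lack an aws:PrincipalOrgID or aws:PrincipalOrgPaths condition, flags aws: condition keys that are not in a (deliberately partial) list of IAM's real global keys, and checks the organization ID format. The bucket name and organization ID in the sample policies are constructed.

```python
"""Lint an S3 bucket policy for organization-scoped access.

Added example. KNOWN_GLOBAL_KEYS is a subset of IAM's real global condition
keys, extend it as needed; everything under SAMPLE_* is constructed.
"""
import json
import re
from typing import Any, Dict, List, Tuple

ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}
KNOWN_GLOBAL_KEYS = ORG_KEYS | {
    "aws:principalaccount", "aws:principalarn", "aws:principaltype",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip", "aws:securetransport", "aws:multifactorauthpresent",
    "aws:resourceaccount", "aws:resourceorgid", "aws:userid", "aws:username",
}
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")  # AWS Organizations ID format


def _as_list(x: Any) -> list:
    return x if isinstance(x, list) else [x]


def _wildcard_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means every AWS account, not just this one."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_bucket_policy(policy: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (sid, code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        org_scoped = False
        for operator, entries in (stmt.get("Condition") or {}).items():
            # Strip set-operator prefixes: ForAnyValue:StringEquals -> StringEquals
            base = operator.split(":")[-1]
            for key, values in entries.items():
                lkey = key.lower()
                if lkey.startswith("aws:") and lkey not in KNOWN_GLOBAL_KEYS:
                    hint = " (did you mean aws:PrincipalOrgID?)" if "org" in lkey else ""
                    findings.append((sid, "UNKNOWN_CONDITION_KEY", f"{key}{hint}"))
                    continue
                if lkey not in ORG_KEYS:
                    continue  # service keys (s3:...) are not checked here
                # Only a positive match on the org key narrows an Allow.
                if base.startswith("StringNot"):
                    continue
                org_scoped = True
                if lkey == "aws:principalorgid":
                    for v in _as_list(values):
                        if not ORG_ID_RE.match(str(v)):
                            findings.append((sid, "BAD_ORG_ID", str(v)))
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")) and not org_scoped:
            findings.append((sid, "NO_ORG_CONDITION",
                             "Allow with a wildcard principal is open to every AWS account"))
    return findings


# Constructed: the intended policy for Question 10.
SAMPLE_GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowOrgRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::critical-data-bucket", "arn:aws:s3:::critical-data-bucket/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-a1b2c3d4e5"}}
  }]
}""")

# Constructed: option D's non-existent key, plus a statement with no condition at all.
SAMPLE_BAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OrgReadWrongKey", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::critical-data-bucket/*",
     "Condition": {"StringEquals": {"aws:OrgID": "o-a1b2c3d4e5"}}},
    {"Sid": "OpenToWorld", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::critical-data-bucket"}
  ]
}""")

if __name__ == "__main__":
    for label, policy in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, lint_bucket_policy(policy) or "no findings")
```

The UNKNOWN_CONDITION_KEY case is the one to remember: with aws:OrgID in a StringEquals the statement is not "slightly too open", it matches nobody, and the first sign is usually a cross-account AccessDenied. IAM Access Analyzer's policy validation catches the same class of typo before the policy is attached.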