Helping Hand Questions for SCS-C01

AWS Certified Security - Specialty Questions and Answers

Question 165

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.

Which architecture should the Security Engineer use to meet these requirements?

Options:

Use IAM Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM Shield to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Question 166

A company plans to move most of its IT infrastructure to IAM. They want to leverage their existing on-premises Active Directory as an identity provider for IAM.

Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with IAM? (Choose two.)

Options:

Create IAM roles with permissions corresponding to each Active Directory group.

Create IAM groups with permissions corresponding to each Active Directory group.

Configure Amazon Cloud Directory to support a SAML provider.

Configure Active Directory to add relying party trust between Active Directory and IAM.

Configure Amazon Cognito to add relying party trust between Active Directory and IAM.

Question 167

An organization is moving non-business-critical applications to IAM while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in IAM. The internet performance is unpredictable.

Which configuration will ensure continued connectivity between sites MOST securely?

Options:

VPN and a cached storage gateway

IAM Snowball Edge

VPN Gateway over IAM Direct Connect

IAM Direct Connect

Question 168

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the IAM network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Choose two.)

Options:

Add the IAM:sourceVpce condition to the IAM KMS key policy referencing the company's VPC endpoint ID.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Create a VPC endpoint for IAM KMS with private DNS enabled.

Use the KMS Import Key feature to securely transfer the IAM KMS key over a VPN.

Add the following condition to the IAM KMS key policy: "IAM:SourceIp": "10.0.0.0/16".

New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Security - Specialty Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce