
SCS-C01 Questions Bank

Page: 15 / 44
Total 589 questions

AWS Certified Security - Specialty Questions and Answers

Question 57

A security engineer must use IAM Key Management Service (IAM KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

Options:

A.

A customer managed CMK that uses customer provided key material

B.

A customer managed CMK that uses IAM provided key material

C.

An IAM managed CMK

D.

Operating system-native encryption that uses GnuPG

Question 58

A company's on-premises data center forwards DNS logs to a third-party security information and event management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its IAM accounts that includes automatic remediation. The company expects to double in size within the next few months.

Which solution meets the company's current and future logging requirements?

Options:

A.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an IAM Lambda function for remediation steps.

B.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

C.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

D.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

Question 59

A security engineer needs to ensure that their company's use of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.

Which solution meets these requirements?

Options:

A.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

B.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

C.

Set up a rule in IAM Config to trigger on root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.

D.

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS.

Question 60

A Security Engineer accidentally deleted the imported key material in an IAM KMS CMK. What should the Security Engineer do to restore the deleted key material?

Options:

A.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material.

B.

Create a new CMK. Use the original wrapping key and import token to import the original key material.

C.

Download a new wrapping key and a new import token. Import the original key material into the existing CMK.

D.

Use the original wrapping key and import token. Import the original key material into the existing CMK.
