A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.
Which combination of steps should the security engineer perform? (Select THREE.)

AOpen inbound port 22 to 0 0.0.0/0 on all Linux servers.

BEnable the advanced-instances tier in Systems Manager.

CCreate a managed-instance activation for the on-premises servers.

DReconfigure the Systems Manager Agent with the activation code and ID.

EAssign an IAM role to all of the on-premises servers.

FInitiate an inventory collection with Systems Manager on the on-premises servers

1 answers

83 votes

958

C, E, F

Answer Link

A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.
When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)
A) Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead
B)Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret
C)Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
D) Add the following statement to the container instance IAM role policy
E) Add the following statement to the execution role policy.
F)
Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

AOption A

BOption B

COption C

DOption D

EOption E

FOption F

1 answers

87 votes

1092

B, E, F

Answer Link

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times During a security incident. EBS snapshots of suspicious instances are shared to a forensics account for analysis A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error
"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared.
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE )

ACreate a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

BAllow forensics accounting principals to use the CMK by modifying its policy.

CCreate an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

DCopy the EBS snapshot to the new decrypted snapshot

ERestore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

FShare the target EBS snapshot with the forensics account.

1 answers

93 votes

1377

A, B, F

Answer Link

You are designing a custom 1AM policy that would allow uses to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

AOption

BOption

COption

DOption

1 answers

71 votes

1333

Answer Link

Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all 1AM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
Please select:

ACreate a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

BCreate a Service Control Policy that denies access to the services. Apply the policy to the root account.

CCreate an 1AM policy that denies access to the services. Associate the policy with an 1AM group and enlist all users and the root users in this group.

DCreate an 1AM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.

1 answers

86 votes

1133

Answer Link

Amazon SCS-C01 Quiz:4 Topic:6 Questions:16-20

Free Practice Mock Questions Set 16-20 (Quiz # 4) for Amazon SCS-C01 Exam, according to official Amazon AWS Certified Security - Specialty Exam syllabus topic # 6

Quiz 1

Quiz 2

Quiz 3

Quiz 4

Quiz 5

Quiz 6

Quiz 7