Amazon Web Services nwexams ace Your Scs-c01 Aws Certified Specialty Exam by Mabli q426 vce pdf

Page: 17 / 43

Exam Name:	AWS Certified Security - Specialty
Exam Code:	SCS-C01 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Specialty
Questions:	589 Q&A's	Shared By:	mabli

Question 68

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.

What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

Options:

Store the scripts in the AMI and encrypt the sensitive data using IAM KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.

Store the sensitive data in IAM Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.

Externalize the bootstrap scripts in Amazon S3 and encrypt them using IAM KMS. Remove the scripts from the instance and clear the logs after the instance is configured.

Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.

Discussion

Question 69

An application uses Amazon Cognito to manage end users’ permissions when directly accessing IAM resources, including Amazon DynamoDB. A new feature request reads as follows:

Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.

The priorities are to reduce complexity and avoid potential for future security issues.

Which approach will meet these requirements and priorities?

Options:

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Discussion

Syeda

I passed, Thank you Cramkey for your precious Dumps.

Stella (not set)

That's great. I think I'll give Cramkey Dumps a try.

Erik

Hey, I have passed my exam using Cramkey Dumps?

Freyja (not set)

Really, what are they? All come in your pool? Please give me more details, I am going to have access their subscription. Please brother, give me more details.

Ava-Rose

Yes! Cramkey Dumps are amazing I passed my exam…Same these questions were in exam asked.

Ismail (not set)

Wow, that sounds really helpful. Thanks, I would definitely consider these dumps for my certification exam.

Amy

I passed my exam and found your dumps 100% relevant to the actual exam.

Lacey (not set)

Yeah, definitely. I experienced the same.

Question 70

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.

Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Options:

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

Configure a scheduled job that updates the credential in IAM Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Configure automatic rotation of credentials in IAM Secrets Manager.

Store the credential in an encrypted string parameter in IAM Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the IAM KMS key that is used to encrypt it.

Configure the Java application to catch a connection failure and make a call to IAM Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Discussion

Question 71

A company runs an application on IAM that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.

How can the Security Engineer protect this workload so that only employees can access it?

Options:

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

Use a VPN appliance from the IAM Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

Route all traffic to the workload through IAM WAF. Add each employee’s home IP address into an IAM WAF rule, and block all other traffic.