Amazon Web Services Updated SCS-C01 Exam Questions and Answers by byron

Option A ,B and D are all invalid because the metadata will not be encrypted in any case and this is a key requirement from the question.

One key thing to note is that when the S3 bucket objects are encrypted, the meta data is not encrypted. So the best option is to use an encrypted DynamoDB table

Important

All GET and PUT requests for an object protected by IAM KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted. For more information on using KMS encryption for S3, please refer to below URL: 1 https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

The correct answer is: Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time. Submit your Feedback/Queries to our Experts

The above command with the "-sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest.

Options A,C and D are all invalid because this command is specifically used to ensure data encryption at rest

For more information on DynamoDB encryption, please visit the URL:

https://docs.IAM.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html

The correct answer is: The above command ensures data encryption at rest for the Customer table

The enc

config rule for IAM Config can be used to check for unencrypted volumes.

encrypted-volurrn

5 volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryptio using the kmsld parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key*1.

Options A and C are incorrect since these services cannot be used to check for unencrypted EBS volumes

Option D is incorrect because even though this is possible, trying to implement the solution alone with just the Lambda servk

would be too difficult

For more information on IAM Config and encrypted volumes, please refer to below URL:

• https://docs.IAM.amazon.com/config/latest/developerguide/encrypted-volumes.html

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can tat either instance IDs or Amazon EC2 tags and execute the IAM-RefreshAssociation document or the IAM-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem

Options A and B are invalid because even though this is possible, still from a maintenance perspective it would be difficult to maintain the Lambda functions

Option C is invalid because this service cannot be used to patch servers

For more information on using Systems Manager for compliance remediation please visit the below Link:

https://docs.IAM.amazon.com/systems-manaeer/latest/usereuide/sysman-compliance-fixing.html

The correct answer is: Use IAM Systems Manager to patch the servers Submit your Feedback/Queries to our Experts