Amazon Web Services chinesedumps legit Scs-c01 Exam Download by Rami q213 vce pdf

Page: 29 / 43

Exam Name:	AWS Certified Security - Specialty
Exam Code:	SCS-C01 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Specialty
Questions:	589 Q&A's	Shared By:	rami

Question 116

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent

Why were there no alerts on the sudo commands?

Options:

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Discussion

Lennox

Something Special that they provide a comprehensive overview of the exam content. They cover all the important topics and concepts, so you can be confident that you are well-prepared for the test.

Aiza Oct 25, 2024

That makes sense. What makes Cramkey Dumps different from other study materials?

Fatima

Hey I passed my exam. The world needs to know about it. I have never seen real exam questions on any other exam preparation resource like I saw on Cramkey Dumps.

Niamh Oct 15, 2024

That's true. Cramkey Dumps are simply the best when it comes to preparing for the certification exam. They have all the key information you need and the questions are very similar to what you'll see on the actual exam.

Kingsley

Do anyone guide my how these dumps would be helpful for new students like me?

Haris Sep 11, 2024

Absolutely! They are highly recommended for anyone looking to pass their certification exam. The dumps are easy to understand and follow, making it easier for you to study and retain the information.

Osian

Dumps are fantastic! I recently passed my certification exam using these dumps and I must say, they are 100% valid.

Azaan Aug 8, 2024

They are incredibly accurate and valid. I felt confident going into my exam because the dumps covered all the important topics and the questions were very similar to what I saw on the actual exam. The team of experts behind Cramkey Dumps make sure the information is relevant and up-to-date.

Question 117

An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances.

Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets.

A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other.

Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)

Options:

Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.

Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Discussion

Question 118

There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.

Please select:

Options:

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Discussion

Question 119

A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution

Which solution will meet these requirements MOST securely?

Options:

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data