Amazon Web Services Updated SCS-C01 Exam Questions and Answers by amani

The below diagram shows how a WAF sandwich is created. Its the concept of placing the Ec2 instance which hosts the WAF software in between 2 elastic load balancers.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A.B and C are incorrect since the EC2 Instance with the WAF software needs to be placed in an Autoscaling Group For more information on a WAF sandwich please refer to the below Link:

https://www.cloudaxis.eom/2016/11/2l/waf-sandwich/l

The correct answer is: The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

Amazon S3 is integrated with IAM CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your IAM account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.

Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request when it was made, and so on

Options A,C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets

For more information on Cloudtrail logging, please refer to the below Link:

https://docs.IAM.amazon.com/AmazonS3/latest/dev/cloudtrail-logeins.htmll

The correct answer is: Monitor the S3 API calls by using Cloudtrail logging Submit your Feedback/Queries to our Experts

If you want to inspect the packets themselves, then you need to use custom based software

A diagram representation of this is given in the IAM Security best practices

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option C is invalid because VPC Flow logs cannot conduct packet inspection.

For more information on IAM Security best practices, please refer to below URL:

The correct answers are: Use a host based intrusion detection system. Use a third party firewall installed on a central EC2

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either IAM Key Management Servic (IAM KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

Option A is invalid because its the cluster that needs to be encrypted

Option C is invalid because this encrypts objects in transit and not objects at rest

Option D is invalid because this is used only for objects in S3 buckets

For more information on Redshift encryption, please visit the following URL:

https://docs.IAM.amazon.com/redshift/latest/memt/workine-with-db-encryption.htmll

The correct answer is: Use IAM KMS Customer Default master key Submit your Feedback/Queries to our Experts