Amazon Web Services Updated SCS-C01 Exam Questions and Answers by kaitlyn

With VPC Flow logs you can get the list of IP addresses which are hitting the Instances in your VPC You can then use the information in the logs to see which external IP addresses are sending a flurry of requests which could be the potential threat foi a DDos attack.

Option B is incorrect Cloud Trail records IAM API calls for your account. VPC FLowlogs logs network traffic for VPC, subnets. Network interfaces etc.

As per IAM,

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC where as IAM CloudTrail, is a service that captures API calls and delivers the log files to an Amazon S3 bucket that you specify.

Option C is invalid this is a config service and will not be able to get the IP addresses

Option D is invalid because this is a recommendation service and will not be able to get the IP addresses

For more information on VPC Flow Logs, please visit the following URL:

https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The correct answer is: Use VPC Flow logs to get the IP addresses accessing the EC2 Instances Submit your Feedback/Queries to our Experts

The Cloud Trail event history allows to view events which are recorded for 90 days. So one can use a metric filter to gather the API calls from 11 days ago.

Option A and C is invalid because Cloudwatch is used for logging and not for monitoring API activity

Option D is invalid because IAMConfig is a configuration service and not for monitoring API activity

For more information on IAM Cloudtrail, please visit the following URL:

https://docs.IAM.amazon.com/IAMcloudtrail/latest/usereuide/how-cloudtrail-works.html

Note:

In this question we assume that the customer has enabled cloud trail service.

IAM CloudTrail is enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. So for an activity that happened 11 days ago to be stored in the cloud trail we need to configure the trail manually to ensure that it is stored in the events history.

• https://IAM.amazon.com/blogs/IAM/new-amazon-web-services-extends-cloudtrail-to-all-IAM-customers/

The correct answer is: Search the Cloudtrail event history on the API events which occurred 11 days ago.

The IAM Documentation mentions the following

Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

All other options are invalid since here you need to ensure the keys are manually rotated since you manage the entire key set Using IAM S3 Server side encryption, IAM will manage the rotation of keys automatically.

For more information on Server side encryption, please visit the following URL:

https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsineServerSideEncryption.htmll

The correct answer is: IAM S3 Server side encryption Submit your Feedback/Queries to our Experts

This is mentioned in the IAM Documentation

Restricting Access to a Specific VPC Endpoint

The following is an example of an S3 bucket policy that restricts access to a specific bucket, examplebucket only from the VPC endpoint with the ID vpce-la2b3c4d. The policy denies all access to the bucket if the specified endpoint is not being used. The IAM:sourceVpce condition is used to the specify the endpoint. The IAM:sourceVpce condition does not require an ARN for the VPC endpoint resource, only the VPC endpoint ID. For more information about using conditions in a policy, see Specifying Conditions in a Policy.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A and B are incorrect because using Security Groups nor route tables will help to allow access specifically for that bucke via the VPC endpoint Here you specifically need to ensure the bucket policy is changed.

Option C is incorrect because it is the bucket policy that needs to be changed and not the IAM policy.

For more information on example bucket policies for VPC endpoints, please refer to below URL:

• https://docs.IAM.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html

The correct answer is: Modify the bucket Policy for the bucket to allow access for the VPC endpoint Submit your Feedback/Queries to our Experts