Amazon Web Services Updated SCS-C01 Exam Questions and Answers by cezar

One can send the log files to Cloudwatch Logs. Log files can also be sent from On-premise servers. You can then specify metrii to search the logs for any specific values. And then create alarms based on these metrics.

Option A is invalid because this will be just a long over drawn process to achieve this requirement

Option C is invalid because IAM Inspector cannot be used to monitor for security related messages.

Option D is invalid because files cannot be exported to IAM Cloudtrail

For more information on Cloudwatch logs agent please visit the below URL:

https://docs.IAM.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2lnstance.hti

The correct answer is: Send the local text log files to Cloudwatch Logs and configure a Cloudwatch metric filter. Trigger cloudwatch alarms based on the metrics.

Submit your Feedback/Queries to our Experts

IAM Identity and Access Management (IAM) is integrated with IAM CloudTrail, a service that logs IAM events made by or on behalf of your IAM account. CloudTrail logs authenticated IAM API calls and also IAM sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct.

Option B is invalid because you need to ensure that global services is select

Option C is invalid because you should use bucket policies

Option D is invalid because you should ideally just create one S3 bucket

For more information on Cloudtrail, please visit the below URL:

http://docs.IAM.amazon.com/IAM/latest/UserGuide/cloudtrail-inteeration.html

The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services o selected. Use IAM roles S3 bucket policies and Mulrj Factor Authentication (MFA) Delete on the S3 bucket that stores your l(

The IAM Documentation mentions the following about these services

IAM CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your IAM account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your IAM infrastructure. CloudTrail provides event history of your IAM account activity, including actions taken through the IAM Management Console, IAM SDKs, command line tools, and other IAM services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Option B is incorrect because VPC flow logs can only check for flow to instances in a VPC

Option C is incorrect because this can check for configuration changes only

For more information on Cloudtrail, please refer to below URL:

https://IAM.amazon.com/cloudtrail;

You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, IAM CloudTrail, Amazon Route 53, and other sources. You can then retrieve the associated log data from CloudWatch Logs.

For more information on Cloudwatch logs, please refer to below URL:

http://docs.IAM.amazon.com/AmazonCloudWatch/latest/loes/WhatisCloudWatchLoES.htmll

The correct answers are: Amazon Cloudwatch Logs, Amazon Cloudtrail

The IAM Documentation mentions some key aspects with regards to the configuration of On-premise AD with IAM

One is the Groups configuration in AD

Active Directory Configuration

Determining how you will create and delineate your AD groups and IAM roles in IAM is crucial to how you secure access to your account and manage resources. SAML assertions to the IAM environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name to an IAM IAM role.

One approach for creating the AD groups that uniquely identify the IAM IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, IAM-, as this will distinguish your IAM groups from others within the organization. Next include the 12-digitIAM account number. Finally, add the matching role name within the IAM account. Here is an example:

C:\Users\wk\Desktop\mudassar\Untitled.jpg

And next is the configuration of the relying party which is IAM

ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.

Option B is invalid because AD groups should not be matched to IAM Groups

Option C is invalid because the relying party should be configured in Active Directory Federation services

For more information on the federated access, please visit the following URL:

1 https://IAM.amazon.com/blogs/security/IAM-federated-authentication-with-active-directory-federation-services-ad-fs/

The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure IAM as the relying party in Active Directory Federation services

Submit your Feedback/Queries to our Experts