UPDATED [2024] Pass Amazon SCS-C01 Exam in First Attempt Guaranteed
NEW QUESTION # 136
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.
The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?
- A. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
- B. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena
- C. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
- D. To create the keys use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing use AWS CloudTrail.
Answer: A
Explanation:
AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the AWS KMS HSMs unencrypted. https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
NEW QUESTION # 137
A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.
Which steps should be taken to troubleshoot the issue? (Choose three.)
- A. Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.
- B. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
- C. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
- D. Confirm in the CloudTrail Console that each trail is active and healthy.
- E. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.
- F. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
Answer: D,E,F
NEW QUESTION # 138
A company is using AWS Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts, 444455556666, must retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so that the production account can retrieve the secret value only.
Which policy should the security engineer apply?


- A. Option B
- B. Option D
- C. Option C
- D. Option A
Answer: D
NEW QUESTION # 139
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?
Please select:
- A. Use CloudTrail Log File Integrity Validation.
- B. Use AWS Config Timeline forensics.
- C. Use AWS Config SNS Subscriptions and process events in real time.
- D. Use CloudTrail backed up to AWS S3 and Glacier.
Answer: A
Explanation:
The AWS Documentation mentions the following:
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Options B, C and D are invalid because you need to check log file integrity validation for CloudTrail logs. For more information on CloudTrail log file validation, please visit the below URL:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
The correct answer is: Use CloudTrail Log File Integrity Validation.
NEW QUESTION # 140
A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing and development environments. Which of the following is an ideal way to design such a setup?
Please select:
- A. Use separate IAM Roles for each of the environments
- B. Use separate IAM Policies for each of the environments
- C. Use separate AWS accounts for each of the environments
- D. Use separate VPCs for each of the environments
Answer: C
Explanation:
A recommendation from the AWS Security Best Practices whitepaper highlights this as well.
Option A is partially valid: you can segregate resources, but the best practice is to have multiple accounts for this setup.
Options B and C are invalid because from a maintenance perspective this could become very difficult. For more information on the Security Best Practices, please visit the following URL:
https://dl.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use separate AWS accounts for each of the environments
NEW QUESTION # 141
You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you carry out immediately? Choose 3 answers from the options below.
Please select:
- A. Change the password for all IAM users.
- B. Change the root account password.
- C. Keep all resources running to avoid disruption
- D. Rotate all IAM access keys
Answer: A,B,D
Explanation:
One of the articles from AWS mentions what should be done in such a scenario. If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:
Change your AWS root account password and the passwords of any IAM users.
Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users.
Respond to any notifications you received from AWS Support through the AWS Support Center.
Option C is invalid because there could be compromised instances or resources running in your environment. They should be shut down or stopped immediately.
For more information on the article, please visit the below URL:
https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
The correct answers are: Change the root account password. Rotate all IAM access keys. Change the password for all IAM users.
NEW QUESTION # 142
A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties. Which combination of actions will meet this requirement? (Select THREE.)
- A. Configure the bucket policy to allow access from the application instances only
- B. Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)
- C. Use the Amazon S3 Block Public Access feature.
- D. Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint
- E. Use a NACL to filter traffic to Amazon S3
- F. Encrypt the data in Amazon S3 using server-side encryption with AWS KMS managed encryption keys (SSE-KMS)
Answer: A,D,F
NEW QUESTION # 143
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.
How should the Lambda function be given access to the DynamoDB table?
Please select:
- A. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
- B. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
- C. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
- D. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
Answer: D
Explanation:
The ideal way is to create an IAM role which has the required permissions and then associate it with the Lambda function. The AWS Documentation additionally mentions the following: Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role.
If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream so you need to grant the relevant permissions to this role.
Option A is invalid because the VPC endpoint allows instances in a private subnet to access DynamoDB. Option B is invalid because resource policies are present for resources such as S3 and KMS, but not AWS Lambda. Option C is invalid because IAM Roles should be used and not IAM Users. For more information on the Lambda permission model, please visit the below URL:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
NEW QUESTION # 144
A security engineer needs to ensure their company's use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used.
Which solution meets these requirements?
- A. Create root user access keys. Use an AWS Lambda function to parse AWS CloudTrail logs from Amazon S3 and generate notifications using Amazon SNS.
- B. Set up a rule in AWS Config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
- C. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
- D. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS.
Answer: B
NEW QUESTION # 145
You have a set of 100 EC2 Instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.
Please select:
- A. Use Amazon Inspector to patch the updates
- B. Ensure a NAT gateway is present to download the updates
- C. Ensure an internet gateway is present to download the updates
- D. Use the Systems Manager to patch the instances
Answer: B,D
Explanation:
Option C is invalid because the instances need to remain in the private subnet.
Option D is invalid because Amazon Inspector can only detect missing patches.
One of the AWS blogs describes how patching of Linux servers can be accomplished; the blog post includes a diagram of the architecture setup.
For more information on patching Linux workloads in AWS, please refer to the link below:
https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/
The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances
NEW QUESTION # 146
A company is hosting a website that must be accessible to users for HTTPS traffic. Also, port 22 should be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.
Please select:
- A. Port 22 coming from 0.0.0.0/0
- B. Port 443 coming from 10.0.0.0/16
- C. Port 443 coming from 0.0.0.0/0
- D. Port 22 coming from 203.0.113.1/32
Answer: C,D
Explanation:
Since HTTPS traffic is required for all users on the Internet, Port 443 should be open on all IP addresses. For port 22, the traffic should be restricted to an internal subnet.
Option B is invalid because this only allows traffic from a particular CIDR block and not from the internet.
Option C is invalid because allowing port 22 from the internet is a security risk.
For more information on AWS Security Groups, please visit the following URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answers are: Port 443 coming from 0.0.0.0/0, Port 22 coming from 203.0.113.1/32
NEW QUESTION # 147
You have an S3 bucket hosted in AWS. This is used to host promotional videos that you upload. You need to provide access to users for a limited duration of time. How can this be achieved?
Please select:
- A. Use Pre-signed URLs
- B. Use IAM Roles with a timestamp to limit the access
- C. Use IAM policies with a timestamp to limit the access
- D. Use versioning and enable a timestamp for each version
Answer: A
Explanation:
The AWS Documentation mentions the following:
All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL using their own security credentials, to grant time-limited permission to download the objects.
Option A is invalid because this can be used to prevent accidental deletion of objects. Option C is invalid because timestamps are not possible for Roles. Option D is invalid because policies are not the right way to limit access based on time. For more information on pre-signed URLs, please visit the URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
The correct answer is: Use Pre-signed URLs
NEW QUESTION # 148
Your company has an EC2 Instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 Instance are stored accordingly. Access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:
- A. Create an IAM policy that gives the desired level of access to the Cloudwatch Log group
- B. Stream the log files to a separate Cloudwatch Log group
- C. Stream the log files to a separate Cloudtrail trail
- D. Create an IAM policy that gives the desired level of access to the Cloudtrail trail
Answer: A,B
Explanation:
You can create a Log group and send all logs from the EC2 Instance to that group. You can then limit the access to the Log groups via an IAM policy.
Option A is invalid because CloudTrail is used to record API activity and not for storing log files. Option C is invalid because CloudTrail is the wrong service to be used for this requirement. For more information on Log Groups and Log Streams, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on Access to Cloudwatch logs, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate Cloudwatch Log group. Create an IAM policy that gives the desired level of access to the Cloudwatch Log group
NEW QUESTION # 149
You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?
Please select:
- A. Remove the rule for incoming traffic on port 22 for the Security Group
- B. Change the AMI for the instance
- C. Change the Instance type for the instance
- D. Shutdown the instance
Answer: A
Explanation:
In the test environment the security groups might have been opened to all IP addresses for testing purposes. Always ensure that this rule is removed once all testing is completed.
Options A, C and D are all invalid because they would affect the application running on the server. The easiest way is just to remove the rule for access on port 22.
For more information on authorizing access to an instance, please visit the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
The correct answer is: Remove the rule for incoming traffic on port 22 for the Security Group
NEW QUESTION # 150
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)
- A. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.
- B. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
- C. Encryption of S3 objects is performed within the secure boundary of the KMS service.
- D. There is no API operation to retrieve an S3 object in its encrypted form.
- E. S3 uses KMS to generate a unique data key for each individual object.
Answer: B,E
NEW QUESTION # 151
A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident.
What steps should the team document in the plan?
Please select:
- A. Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
- B. Use Amazon Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
- C. Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
- D. Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
Answer: A
Explanation:
You can use the AWS Config history to see the history of a particular configuration item.
The below snapshot shows an example configuration for a user in AWS Config
Options B, C and D are all invalid because these services cannot be used to see the history of a particular configuration item. This can only be accomplished by AWS Config.
For more information on tracking changes in AWS Config, please visit the below URL:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackingChanges.html
The correct answer is: Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
NEW QUESTION # 152
An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds, it would switch back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances.
The IAM user policy is as follows:
What additional items need to be added to the IAM user policy? (Choose two.)
- A. kms:Decrypt
- B. kms:GenerateDataKey
- C. kms:CreateGrant
- D. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
- E. "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}
Answer: C,D
NEW QUESTION # 153
A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement. In order to boost the agility of the business and to ensure data durability, which of the following options are NOT required?
Please select:
- A. Use lifecycle policies for the EBS volumes
- B. Use EBS volume replication
- C. Use EBS Snapshots
- D. Use EBS volume encryption
Answer: B,D
Explanation:
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.
You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.
With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
* Resource type: The AWS resource managed by the policy, in this case, EBS volumes.
* Target tag: The tag that must be associated with an EBS volume for it to be managed by the policy.
* Schedule: Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
Option C is correct. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. But it does not have an explicit feature like that.
Option D is correct. Encryption does not ensure data durability.
For information on security for Compute Resources, please visit the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf
The correct answers are: Use EBS volume replication. Use EBS volume encryption
NEW QUESTION # 154
A company is running workloads in a single AWS account on Amazon EC2 instances and Amazon EMR clusters. A recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted. The company's security engineer is working on a solution that will allow users to deploy EC2 instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead. Which steps should the security engineer take to meet these requirements?
- A. Use a customer managed IAM policy that will verify that the encryption flag of the CreateVolume context is set to true. Apply this rule to all users.
- B. Create an AWS Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the AWS Config rule trigger an AWS Lambda function to alert the security team and terminate the instance if the EBS volume is not encrypted.
- C. Use the AWS Management Console or AWS CLI to enable encryption by default for EBS volumes in each AWS Region where the company operates.
- D. Create an Amazon EventBridge (Amazon CloudWatch Events) event with an EC2 instance as the source and CreateVolume as the event trigger. When the event is triggered, invoke an AWS Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.
Answer: C
NEW QUESTION # 155
You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.
Please select:
- A. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
- B. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
- C. Create an HSM client certificate in Redshift and authenticate using this certificate.
- D. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.
Answer: B
Explanation:
The AWS Documentation mentions the following:
"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."
Options A, B and C are all automatically incorrect because you need to use IAM Roles for secure access to services. For more information on web identity federation, please refer to the below link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the RedShift table by providing temporary credentials.
NEW QUESTION # 156
A security engineer must ensure that all infrastructure launched in the company AWS account is monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AMIs and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the engineer implement? Select 2 answers from the options given below.
Please select:
- A. Set up a CloudWatch event based on Trusted Advisor metrics
- B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
- C. Set up a CloudWatch event based on Amazon Inspector findings
- D. Trigger a CLI command from a CloudWatch event that terminates the infrastructure
- E. Monitor compliance with AWS Config Rules triggered by configuration changes
Answer: B,E
Explanation:
You can use AWS Config to monitor for such events.
Option A is invalid because you cannot set CloudWatch events based on Trusted Advisor checks.
Option C is invalid because Amazon Inspector cannot be used to check whether instances are launched from a specific AMI. Option E is invalid because triggering a CLI command is not the preferred option; instead you should use Lambda functions for all automation purposes.
For more information on Config Rules please see the below Link:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
These events can then trigger a Lambda function to terminate instances. For more information on CloudWatch events, please see the below link:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html
The correct answers are: Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure. Monitor compliance with AWS Config Rules triggered by configuration changes
NEW QUESTION # 157
A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy."
What will enable the security engineer to save the change?
- A. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
- B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
- C. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
- D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
Answer: A
Explanation:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix
NEW QUESTION # 158
The Amazon SCS-C01 exam consists of multiple-choice and multiple-response questions that test a candidate's understanding of AWS security best practices, AWS services and features related to security, and their ability to design, implement, and troubleshoot security solutions. The SCS-C01 exam is 170 minutes long, and the passing score is 750 out of 1000. The AWS Certified Security - Specialty certification is valid for three years, after which the professional must recertify to maintain their credentials.