ExamGecko

Amazon SCS-C01 Practice Test - Questions Answers, Page 6

List of questions

Question 51


A company's on-premises data center forwards DNS logs to a third-party security information and event management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months.

Which solution meets the company's current and future logging requirements?

A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
B. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
C. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
D. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.
Suggested answer: A
asked 16/09/2024 by Jeff Fazio
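The "specific rules within Amazon EventBridge" of option A, written out. This is an added example and not part of the ExamGecko page: an EventBridge event pattern that selects high-severity GuardDuty findings of two families, a matcher that applies EventBridge's pattern semantics (any listed alternative matches; `prefix` and `numeric` matchers), and a Lambda handler that turns a matched finding into a remediation plan. The two findings, the account ID and the instance ID are constructed for illustration, and the handler returns a plan instead of calling AWS so it runs offline.

```python
"""Added example (not from the page): EventBridge pattern + matcher + Lambda
handler for automatic remediation of high-severity GuardDuty findings."""

# Pattern semantics modelled here: a field matches if ANY listed alternative
# matches; an alternative is an exact value, {"prefix": ...} or
# {"numeric": [op, n, op, n, ...]}. Nested dicts are matched recursively.
GUARDDUTY_HIGH_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],  # GuardDuty "High" (7.0-8.9) and above
        "type": [{"prefix": "UnauthorizedAccess:"}, {"prefix": "CryptoCurrency:"}],
    },
}

_NUMERIC_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
                "=": lambda a, b: a == b}


def _alternative_ok(alt, value):
    if isinstance(alt, dict):
        if "prefix" in alt:
            return isinstance(value, str) and value.startswith(alt["prefix"])
        if "numeric" in alt:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            spec = alt["numeric"]
            return all(_NUMERIC_OPS[op](value, bound)
                       for op, bound in zip(spec[::2], spec[1::2]))
        raise ValueError(f"unsupported matcher {alt}")
    return alt == value


def pattern_matches(pattern, event):
    """True if every field named in the pattern exists in the event and matches."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):  # nested object: recurse
            if not isinstance(event[key], dict) or not pattern_matches(spec, event[key]):
                return False
        elif not any(_alternative_ok(alt, event[key]) for alt in spec):
            return False
    return True


def remediation_plan(finding):
    """Pick the remediation for the affected resource (shape of GuardDuty's
    'resource' block: resourceType plus instanceDetails/accessKeyDetails)."""
    res = finding["detail"]["resource"]
    if res["resourceType"] == "Instance":
        return {"action": "quarantine_instance",
                "instance_id": res["instanceDetails"]["instanceId"]}
    if res["resourceType"] == "AccessKey":
        return {"action": "disable_access_key",
                "access_key_id": res["accessKeyDetails"]["accessKeyId"]}
    return {"action": "notify_only"}


def lambda_handler(event, context=None):
    """Re-check the pattern inside the function: EventBridge already filtered,
    but a mis-edited rule must not be able to trigger a destructive action."""
    if not pattern_matches(GUARDDUTY_HIGH_PATTERN, event):
        return {"action": "ignored"}
    return remediation_plan(event)


# Constructed findings; IDs are made up.
SSH_BRUTE_FORCE = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "444455556666",
    "detail": {"severity": 8, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
PORT_PROBE = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "444455556666",
    "detail": {"severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}

if __name__ == "__main__":
    print(lambda_handler(SSH_BRUTE_FORCE))  # quarantine plan
    print(lambda_handler(PORT_PROBE))       # ignored: severity 2 is below the threshold
```

The same pattern goes into the EventBridge rule in the designated security account; with GuardDuty's delegated administrator and Security Hub aggregation, findings from every member account arrive there, so one rule and one function cover new accounts as the company grows.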

Question 52


A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets. How should this be accomplished?

A. Use SCPs
B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles
C. Use an S3 bucket policy
D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3
Suggested answer: A
asked 16/09/2024 by Pamela Joanne Ang

Question 53


A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts. What should the company do to accomplish this?

Suggested answer: A
asked 16/09/2024 by Brad Jarrett
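One added example covering Questions 52 and 53 together (it is not code from the ExamGecko page): a small model of the two IAM evaluation rules those answers rely on. For Question 52, an SCP is evaluated before the identity policy, so an explicit Deny on `s3:*` blocks a principal holding AdministratorAccess, and the member-account administrator cannot edit the SCP away. For Question 53, the company's role trust policy requires `aws:MultiFactorAuthPresent`, so the contractor's IAM user can only assume the role from an MFA-authenticated session. The account IDs, role names, bucket name and the break-glass exception are made up, and only the policy grammar used here (Action/Resource wildcards, `Bool` and `ArnNotLike` conditions) is modelled.

```python
"""Added example (not from the page): SCP deny precedence (Q52) and an
MFA-conditioned trust policy (Q53), evaluated against sample requests."""
import fnmatch

# Default SCP AWS attaches to the root and every OU; the deny SCP is layered on top.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Q52: SCP on the OU holding the member accounts. Denies every S3 action to
# everyone except one break-glass role (the exception is an assumption).
SCP_DENY_S3 = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyS3ExceptBreakGlass",
    "Effect": "Deny", "Action": "s3:*", "Resource": "*",
    "Condition": {"ArnNotLike": {
        "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassS3Role"}},
}]}

# What the administrator holds in the member account.
ADMIN_ACCESS = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Q53: trust policy on the company's role; 999988887777 is the contractor's
# account (made up). Bool/aws:MultiFactorAuthPresent fails closed when the
# key is absent, which is what IAM does for a non-MFA session.
TRUST_POLICY_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(cond, ctx):
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "ArnNotLike":  # negated operator: a missing key satisfies it
                if have is not None and any(fnmatch.fnmatchcase(have, p)
                                            for p in _as_list(want)):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled here")
    return True


def _matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_ok(stmt.get("Condition"), ctx)


def _decide(policy, action, resource, ctx):
    """Explicit Deny beats Allow; no matching statement is None (implicit deny)."""
    hits = [s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, ctx)]
    return "Deny" if "Deny" in hits else ("Allow" if "Allow" in hits else None)


def evaluate(scps, identity_policies, action, resource, ctx):
    """SCPs are a guardrail: the request must be allowed by the SCPs AND by the
    identity policy, and an explicit Deny at either level is final."""
    scp = [_decide(p, action, resource, ctx) for p in scps]
    if "Deny" in scp or "Allow" not in scp:
        return "Deny"
    idp = [_decide(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in idp:
        return "Deny"
    return "Allow" if "Allow" in idp else "Deny"


def can_assume(trust_policy, caller_arn, ctx):
    """sts:AssumeRole succeeds only if a trust statement names the caller's ARN
    or account root and the statement's conditions hold in the caller's context."""
    account_root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"
    for s in trust_policy["Statement"]:
        trusted = _as_list(s["Principal"]["AWS"])
        if (s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
                and (caller_arn in trusted or account_root in trusted)
                and _condition_ok(s.get("Condition"), ctx)):
            return True
    return False


if __name__ == "__main__":
    admin = {"aws:PrincipalArn": "arn:aws:iam::444455556666:role/Admin"}
    print(evaluate([FULL_AWS_ACCESS, SCP_DENY_S3], [ADMIN_ACCESS],
                   "s3:GetObject", "arn:aws:s3:::hr-payroll/2024.csv", admin))  # Deny
    print(can_assume(TRUST_POLICY_MFA, "arn:aws:iam::999988887777:user/contractor",
                     {"aws:MultiFactorAuthPresent": "true"}))                  # True
```

The evaluator deliberately gives the SCP no say over the management account: SCPs never apply there, which is one more reason to keep workloads out of it. Options B to D of Question 52 all live inside the member account (permissions boundaries, bucket policies and endpoint policies are all editable by an administrator of that account), while the SCP is managed from the organization.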

Question 54


Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

Which of the following troubleshooting steps should be performed?

A. Check inbound and outbound security groups, looking for DENY rules.
B. Check inbound and outbound Network ACL rules, looking for DENY rules.
C. Review the rejected packet reason codes in the VPC Flow Logs.
D. Use AWS X-Ray to trace the end-to-end application flow.
Suggested answer: C
asked 16/09/2024 by Mohit Mohit
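What "review the rejected packets in the VPC Flow Logs" looks like in practice, as an added example that is not part of the ExamGecko page. It parses default-format flow log records, pulls out the REJECTed flows between the two instances in either direction, and lists the neighbours in the same subnet whose traffic to the same port was accepted (evidence against a subnet-wide NACL rule, as the question states). The six records, the account ID, the ENI IDs and the addresses are constructed: 10.0.1.10 and 10.0.2.20 are the two instances that cannot talk and 10.0.1.11 is a working host in the first subnet.

```python
"""Added example (not from the page): find REJECTed flows between two hosts
in VPC Flow Log records (default format, version 2)."""

# Field order of the default flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed records. The last line is a NODATA record as CloudWatch delivers it.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.20 49152 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.11 10.0.2.20 49153 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.2.20 10.0.1.11 443 49153 6 10 6100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.20 49154 443 6 2 120 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.2.20 10.0.1.10 51000 22 6 1 60 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_flow_log(text):
    """One dict per usable record; NODATA/SKIPDATA records carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def rejects_between(records, ip_a, ip_b):
    """REJECT records between the two hosts, in either direction."""
    pair = {ip_a, ip_b}
    return [r for r in records
            if r["action"] == "REJECT" and {r["srcaddr"], r["dstaddr"]} == pair]


def summarise(rejects):
    """Collapse records to (src, dst, dst_port, proto) -> rejected packet count."""
    totals = {}
    for r in rejects:
        key = (r["srcaddr"], r["dstaddr"], int(r["dstport"]),
               PROTOCOLS.get(r["protocol"], r["protocol"]))
        totals[key] = totals.get(key, 0) + int(r["packets"])
    return totals


def accepted_from_neighbours(records, dst_ip, dst_port, subnet_prefix):
    """Sources in the same subnet (prefix string match, e.g. '10.0.1.') whose
    traffic to the same destination and port was ACCEPTed."""
    return sorted({r["srcaddr"] for r in records
                   if r["action"] == "ACCEPT" and r["dstaddr"] == dst_ip
                   and r["dstport"] == str(dst_port)
                   and r["srcaddr"].startswith(subnet_prefix)})


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for flow, packets in summarise(rejects_between(recs, "10.0.1.10", "10.0.2.20")).items():
        print(f"REJECT {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}  packets={packets}")
    print("accepted neighbours:", accepted_from_neighbours(recs, "10.0.2.20", 443, "10.0.1."))
```

A REJECT record does not say which layer dropped the packet; it only fixes the direction, port and ENI, which is what narrows the search. Security groups cannot hold DENY rules at all, so option A has nothing to find, and a NACL would also have rejected the neighbour's traffic on the same port.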

Question 55


An application developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB. Which key policy would allow the application to do this while granting least privilege?

[Image: the four candidate key policies (Options A to D) for Question 55]

Option A
Option B
Option C
Option D
Suggested answer: C
asked 16/09/2024 by Dominic Lugg

Question 56


A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts. The company's security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.

Which factors could cause this issue? (Select TWO.)

A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.
B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.
D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.
E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.
Suggested answer: B, D (CloudTrail obtains a data key with kms:GenerateDataKey* and never calls Encrypt or Decrypt itself, so A is not a cause; an Organizations trail writes under the AWSLogs/<organization-id>/ prefix, which the bucket policy must allow for s3:PutObject in addition to the existing per-account prefix. CloudTrail delivers logs as the cloudtrail.amazonaws.com service principal, not through an IAM role in the account, so C and E do not apply.)
asked 16/09/2024 by Donnie Roach
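The two grants an Organizations trail needs that the per-account trails did not, as an added example that is not part of the ExamGecko page. The "before" policies reproduce the failure described in the question (a key policy that grants CloudTrail Encrypt/Decrypt instead of GenerateDataKey*, and a bucket policy that only covers `AWSLogs/<management-account-id>/`); `fixed_key_policy()` and `fixed_bucket_policy()` add the missing statements in the shape the CloudTrail documentation uses, and `missing_grants()` checks a candidate pair and reports what would stop delivery. The organization ID, account IDs, bucket name, trail ARN and Region are made up, and the checker only evaluates Action/Resource wildcards; conditions are assumed satisfied by the real trail.

```python
"""Added example (not from the page): KMS key policy and S3 bucket policy
grants for an AWS Organizations trail, with a checker for both."""
import fnmatch

ORG_ID = "o-a1b2c3d4e5"        # made up
MGMT_ACCOUNT = "111111111111"  # management account that owns the org trail (made up)
BUCKET = "corp-cloudtrail-archive"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MGMT_ACCOUNT}:trail/org-trail"
CT = {"Service": "cloudtrail.amazonaws.com"}

# Before: key policy written for the old per-account trails (wrong actions).
OLD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountAdmin", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "CloudTrailWrongActions", "Effect": "Allow", "Principal": CT,
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
]}

# Before: bucket policy that only covers the management account's prefix.
OLD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AclCheck", "Effect": "Allow", "Principal": CT,
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AccountWrite", "Effect": "Allow", "Principal": CT,
     "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{MGMT_ACCOUNT}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}


def fixed_key_policy():
    """CloudTrail requests a data key (GenerateDataKey) and encrypts the log
    file itself; readers need kms:Decrypt separately, CloudTrail does not."""
    return {"Version": "2012-10-17", "Statement": OLD_KEY_POLICY["Statement"][:1] + [
        {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow", "Principal": CT,
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN},
                       "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      f"arn:aws:cloudtrail:*:{MGMT_ACCOUNT}:trail/*"}}},
        {"Sid": "AllowCloudTrailDescribeKey", "Effect": "Allow", "Principal": CT,
         "Action": "kms:DescribeKey", "Resource": "*"},
    ]}


def fixed_bucket_policy():
    """Member-account logs land under AWSLogs/<org-id>/<member-account>/...,
    so a second PutObject grant for the organization prefix is required."""
    org_write = {"Sid": "OrganizationWrite", "Effect": "Allow", "Principal": CT,
                 "Action": "s3:PutObject",
                 "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/*",
                 "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                                "aws:SourceArn": TRAIL_ARN}}}
    return {"Version": "2012-10-17",
            "Statement": OLD_BUCKET_POLICY["Statement"] + [org_write]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows(policy, service, action, resource):
    """True if an Allow statement for the service principal covers the action
    and resource (case-insensitive action wildcards, case-sensitive ARNs)."""
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        if s["Effect"] != "Allow" or service not in _as_list(principal.get("Service", [])):
            continue
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"]))):
            return True
    return False


def missing_grants(key_policy, bucket_policy, member_account="222222222222"):
    """Reasons an org-trail delivery for a member account would fail; [] if none."""
    log_object = (f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/{member_account}"
                  "/CloudTrail/us-east-1/2024/09/16/log.json.gz")
    problems = []
    if not _allows(key_policy, "cloudtrail.amazonaws.com", "kms:GenerateDataKey", "*"):
        problems.append("key policy: cloudtrail.amazonaws.com lacks kms:GenerateDataKey*")
    if not _allows(bucket_policy, "cloudtrail.amazonaws.com", "s3:PutObject", log_object):
        problems.append(f"bucket policy: no s3:PutObject grant for AWSLogs/{ORG_ID}/*")
    return problems


if __name__ == "__main__":
    print(missing_grants(OLD_KEY_POLICY, OLD_BUCKET_POLICY))          # two problems
    print(missing_grants(fixed_key_policy(), fixed_bucket_policy()))  # []
```

The `aws:SourceArn` conditions pin both grants to this one trail, so a trail created in some other account that happens to know the bucket or key name cannot write through them.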

Question 57


A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs). Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.
D. Install the Amazon EC2 Systems Manager agent on all development instances. Issue the Run Command to EC2 Systems Manager to update all instances.
E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.
Suggested answer: C, D
asked 16/09/2024 by David Sichimwi

Question 58


A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances. Which combination of activities must the company implement to meet its encryption requirements? (Select TWO.)

A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Suggested answer: A, D (Terminating TLS on the instances and setting the target group protocol to HTTPS encrypts the ALB-to-instance hop; encrypting the payload in the application covers the instance-to-instance traffic. A VPC has no "default encryption" setting, an ALB has no default-encryption option for its backend connections, and AWS Direct Connect links a data center to AWS and does not itself encrypt traffic, so B, C and E do not meet the requirement.)
asked 16/09/2024 by krishamrock krishqmrock

Question 59


A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific IoT device brand that is visible in the user agent. A security engineer needs to mitigate the attack without impacting the availability of the public website.

What should the security engineer do to accomplish this?

A. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device. Associate the web ACL with the ALB.
B. Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device. Associate the web ACL with the ALB. Change the public DNS entry of the website to point to the CloudFront distribution.
C. Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device. Change the ALB security group to allow access from CloudFront IP address ranges only. Change the public DNS entry of the website to point to the CloudFront distribution.
D. Activate AWS Shield Advanced to enable DDoS protection. Apply an AWS WAF ACL to the ALB, and configure a listener rule on the ALB to block IoT devices based on the user agent.
Suggested answer: D
asked 16/09/2024 by William Hyde
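The "string match condition for the user agent" that every option relies on, as an added example that is not part of the ExamGecko page: the rule in the shape the WAFv2 API takes (a ByteMatchStatement on the `user-agent` header with a LOWERCASE transformation), a regional web ACL wrapping it, and a small evaluator that applies the transformation and positional constraint to sample request headers so the behaviour can be checked offline. The brand substring `acme-cam/`, the ACL name and the request headers are made up.

```python
"""Added example (not from the page): WAFv2 user-agent block rule and an
offline evaluator for it."""
import base64
import copy


def user_agent_block_rule(needle, priority=0):
    """Block any request whose User-Agent contains `needle` (case-insensitive)."""
    return {
        "Name": "BlockIoTBrandUserAgent",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            # boto3 takes SearchString as bytes; the CLI's JSON wants it base64-encoded.
            # The needle is lowercased because LOWERCASE is applied to the header first.
            "SearchString": needle.lower().encode(),
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS",
        }},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockIoTBrandUserAgent"},
    }


def web_acl(rules):
    """REGIONAL scope is what an ALB association needs (CloudFront uses CLOUDFRONT)."""
    return {"Name": "public-site", "Scope": "REGIONAL",
            "DefaultAction": {"Allow": {}}, "Rules": rules,
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "public-site"}}


def for_cli_json(rule):
    """Copy of the rule with SearchString base64-encoded, as `aws wafv2` expects."""
    r = copy.deepcopy(rule)
    bm = r["Statement"]["ByteMatchStatement"]
    bm["SearchString"] = base64.b64encode(bm["SearchString"]).decode()
    return r


def _byte_match(stmt, headers):
    name = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == name), None)
    if value is None:
        return False  # a missing header never matches a ByteMatchStatement
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise ValueError(f"transformation {t['Type']} not modelled here")
    needle = stmt["SearchString"].decode()
    return {"CONTAINS": needle in value,
            "STARTS_WITH": value.startswith(needle),
            "ENDS_WITH": value.endswith(needle),
            "EXACTLY": value == needle}[stmt["PositionalConstraint"]]


def evaluate_web_acl(acl, headers):
    """Rules run in priority order; the first match returns its action name."""
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        if _byte_match(rule["Statement"]["ByteMatchStatement"], headers):
            return next(iter(rule["Action"]))
    return next(iter(acl["DefaultAction"]))


ACL = web_acl([user_agent_block_rule("acme-cam/")])

if __name__ == "__main__":
    print(evaluate_web_acl(ACL, {"User-Agent": "ACME-Cam/2.1 (linux)"}))  # Block
    print(evaluate_web_acl(ACL, {"User-Agent": "Mozilla/5.0"}))           # Allow
```

The User-Agent header is attacker-controlled, so this rule only holds while the botnet keeps advertising the brand string; a rate-based rule on the same web ACL is the usual follow-up once the immediate flood is cut off.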

Question 60


A company is using AWS Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts, 444455556666, must retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.

[Image: the four candidate resource policies (Options A to D) for Question 60]

Which policy should the security engineer apply?

Option A
Option B
Option C
Option D
Suggested answer: A
asked 16/09/2024 by Nick Daniel
Total 590 questions