ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 9

List of questions

Question 81

Report
Export
Collapse

A company has several workloads running on AWS. Employees are required to authenticate using onpremises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance.

Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?

Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
Suggested answer: A

Explanation:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticateusers.html

- Authenticate users through social IdPs, such as Amazon, Facebook, or Google, through the user pools supported by Amazon Cognito.

- Authenticate users through corporate identities, using SAML, LDAP, or Microsoft AD, through the user pools supported by Amazon Cognito.

asked 16/09/2024
Yuriy Georgiev
40 questions

Question 82

Report
Export
Collapse

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary What solution should the Engineer use to implement the appropriate access restrictions for the application?

Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges.Associate the NACL to both the NLB and EC2 instances
Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges.Associate the NACL to both the NLB and EC2 instances
Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB.Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB.Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
Suggested answer: D
asked 16/09/2024
James Davis
41 questions

Question 83

Report
Export
Collapse

A company's Director of information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices. Which solution would meet these requirements?

in every AWS account, configure AWS Lambda to query me AWS Support API tor AWS Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.
in every AWS account, configure AWS Lambda to query me AWS Support API tor AWS Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.
Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings
Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings
Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS
Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS
Use AWS Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account
Use AWS Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account
Suggested answer: A
asked 16/09/2024
Idan Bar-On
37 questions

Question 84

Report
Export
Collapse


A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?

Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
Use the S3 encryption client to encrypt each file individually using S3-generated data keys
Use the S3 encryption client to encrypt each file individually using S3-generated data keys
Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys(SSE-KMS) to encrypt the data
Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys(SSE-KMS) to encrypt the data
Suggested answer: D

Explanation:

References:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.htmlServer-Side Encryption with Amazon S3-Managed Keys (SSE-S3) When you use Server-SideEncryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key.

Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service

(SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service.

When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object. It makes a call to AWS KMS every time a request is made against a KMS-encrypted object. https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html

https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html

asked 16/09/2024
Kefash White
38 questions

Question 85

Report
Export
Collapse

A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its AWS accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

When coma nation of the following would satisfy these requirements? (Select TWO)

Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS
Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS
Establish network connectivity between on-premises and the user's VPC
Establish network connectivity between on-premises and the user's VPC
Use Amazon Cognito user pools for application authentication
Use Amazon Cognito user pools for application authentication
Use AD Connector tor application authentication.
Use AD Connector tor application authentication.
Set up federated sign-in to AWS through ADFS and SAML.
Set up federated sign-in to AWS through ADFS and SAML.
Suggested answer: C, D
asked 16/09/2024
Shrini Ch
30 questions

Question 86

Report
Export
Collapse

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.

What can the Administrator do to protect against this potential attack?

Disable the EC2 instance metadata service.
Disable the EC2 instance metadata service.
Log all student SSH interactive session activity.
Log all student SSH interactive session activity.
Implement ip tables-based restrictions on the instances.
Implement ip tables-based restrictions on the instances.
Install the Amazon Inspector agent on the instances.
Install the Amazon Inspector agent on the instances.
Suggested answer: A

Explanation:

"To turn off access to instance metadata on an existing instance....."

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadataservice.html You can disable the service for existing (running or stopped) ec2 instances. https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

asked 16/09/2024
Danish Vohra
38 questions

Question 87

Report
Export
Collapse

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK 2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK What action should be performed to allow the ping to work?

In the security group of the EC2 instance, allow inbound ICMP traffic.
In the security group of the EC2 instance, allow inbound ICMP traffic.
In the security group of the EC2 instance, allow outbound ICMP traffic.
In the security group of the EC2 instance, allow outbound ICMP traffic.
In the VPC's NACL, allow inbound ICMP traffic.
In the VPC's NACL, allow inbound ICMP traffic.
In the VPC's NACL, allow outbound ICMP traffic.
In the VPC's NACL, allow outbound ICMP traffic.
Suggested answer: D
asked 16/09/2024
Abdulraheem alsaka
30 questions

Question 88

Report
Export
Collapse

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7 All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53 Which solution will meet these requirements?

Use AWS WAF with an upgrade to the AWS Business support plan
Use AWS WAF with an upgrade to the AWS Business support plan
Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity
Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity
Use AWS Shield Advanced
Use AWS Shield Advanced
Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic
Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic
Suggested answer: C
asked 16/09/2024
Mattie Hendricks
46 questions

Question 89

Report
Export
Collapse

A financial institution has the following security requirements:

Cloud-based users must be contained in a separate authentication domain.

Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

Configure an AWS Managed Microsoft AD to manage the cloud resources.
Configure an AWS Managed Microsoft AD to manage the cloud resources.
Configure an additional on-premises Active Directory service to manage the cloud resources.
Configure an additional on-premises Active Directory service to manage the cloud resources.
Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
Establish a two-way trust between the new and existing Active Directory services.
Establish a two-way trust between the new and existing Active Directory services.
Suggested answer: A, D

Explanation:

Deploy a new forest/domain on AWS with one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain. Ref: https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html

asked 16/09/2024
Parita Malbari
48 questions

Question 90

Report
Export
Collapse

A security engineer is asked to update an AW3 CoudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message. "There is a problem with the bucket policy'' What will enable the security engineer to saw the change?

Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console
Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console
Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console
Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console
Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console
Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-forcloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix

asked 16/09/2024
Harry Vervelde
40 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?