ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 13

List of questions

Question 121

Report
Export
Collapse

The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vaultlock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault. What is the MOST cost-effective way to correct this?

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
Update the policy, keeping the vault lock in place.
Update the policy, keeping the vault lock in place.
Update the policy and call initiate-vault-lock again to apply the new policy.
Update the policy and call initiate-vault-lock again to apply the new policy.
Suggested answer: A

Explanation:

Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

asked 16/09/2024
Samya Sharab
40 questions

Question 122

Report
Export
Collapse

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

AWS IAM groups
AWS IAM groups
AWS IAM users
AWS IAM users
AWS IAM roles
AWS IAM roles
AWS IAM access keys
AWS IAM access keys
Suggested answer: C

Explanation:

Prerequisites to establish Federation Services in AWS - You have a working AD directory and AD FS server. - You have created an identity provider (IdP) in your AWS account using your XML file from your AD FS server. Remember the name of your IdP because you will use it later in this solution. -You have created the appropriate IAM roles in your AWS account, which will be used for federated access. https://aws.amazon.com/blogs/security/how-to-establish-federated- access-to-your-awsresources- by-using-active-directory-user-attributes/

asked 16/09/2024
Simon Merlin AGHOKENG
39 questions

Question 123

Report
Export
Collapse

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)

The external ID used by the Auditor is missing or incorrect.
The external ID used by the Auditor is missing or incorrect.
The Auditor is using the incorrect password.
The Auditor is using the incorrect password.
The Auditor has not been granted sts:AssumeRole for the role in the destination account.
The Auditor has not been granted sts:AssumeRole for the role in the destination account.
The Amazon EC2 role used by the Auditor must be set to the destination account role.
The Amazon EC2 role used by the Auditor must be set to the destination account role.
The secret key used by the Auditor is missing or incorrect.
The secret key used by the Auditor is missing or incorrect.
The role ARN used by the Auditor is missing or incorrect.
The role ARN used by the Auditor is missing or incorrect.
Suggested answer: A, C, F

Explanation:

Using IAM to grant access to a Third-Party Account 1) Create a role to provide access to the require resources 1.1) Create a role policy that specifies the AWS Account ID to be accessed, "sts:AssumeRole" as action, and "sts:ExternalID" as condition 1.2) Create a role using the role policy just created 1.3) Assign a resouce policy to the role. This will provide permission to access resource ARNs to the auditor 2) Repeat steps 1 and 2 on all AWS accounts 3) The auditor connects to the AWS account AWS Security Token Service (STS). The auditor must provide its ExternalID from step 1.2, the ARN of the role he is trying to assume from step 1.3, sts:ExternalID 4) STS provide the auditor with temporary credentials that provides the role access from step 1

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-andamazon-cloudwatch-events/

asked 16/09/2024
Youssef El Akhal
39 questions

Question 124

Report
Export
Collapse

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
Create an HTTPS listener using an Application Load Balancer, and route all of the communicationthrough that load balancer.
Create an HTTPS listener using an Application Load Balancer, and route all of the communicationthrough that load balancer.
Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.
Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.
Suggested answer: B

Explanation:

https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-yourcontainer-using-the-network-load-balancer-with-amazon-ecs/

asked 16/09/2024
David Fernando del Villar
44 questions

Question 125

Report
Export
Collapse

A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.

How can the Administrator restrict usage of member root user accounts across the organization?

Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
Configure IAM user policies to restrict root account capabilities for each Organizations member account.
Configure IAM user policies to restrict root account capabilities for each Organizations member account.
Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
Suggested answer: C

Explanation:

Applying a "Control Policy" in your organization. A policy applied to: 1) root applies to all accounts in the organization 2) OU applies to all accounts in the OU and to any child OUs 3) account applies to one account only Note- this requires that Acquirements: -all features are enabled for the organization in AWS Organizations -Only service control policy (SCP) are supported https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

asked 16/09/2024
pheangphadhu pravitpinyo
44 questions

Question 126

Report
Export
Collapse

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.

The mail application should be configured to connect to which of the following endpoints and corresponding ports?

email.us-east-1.amazonaws.com over port 8080
email.us-east-1.amazonaws.com over port 8080
email-pop3.us-east-1.amazonaws.com over port 995
email-pop3.us-east-1.amazonaws.com over port 995
email-smtp.us-east-1.amazonaws.com over port 587
email-smtp.us-east-1.amazonaws.com over port 587
email-imap.us-east-1.amazonaws.com over port 993
email-imap.us-east-1.amazonaws.com over port 993
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html

asked 16/09/2024
Paul Schwarz
38 questions

Question 127

Report
Export
Collapse

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control. Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
Block outbound access to public S3 endpoints on the proxy server.
Block outbound access to public S3 endpoints on the proxy server.
Configure Network ACLs on Server X to deny access to S3 endpoints.
Configure Network ACLs on Server X to deny access to S3 endpoints.
Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
Suggested answer: A, B
asked 16/09/2024
Lakshmana Mittadoddi
39 questions

Question 128

Report
Export
Collapse

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements:

Each object must be encrypted using a unique key.

Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.

AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Suggested answer: A

Explanation:

CMKs that are not eligible for automatic key rotation, including asymmetric CMKs, CMKs in custom key stores, and CMKs with imported key material.

asked 16/09/2024
Aldays Kausiona
43 questions

Question 129

Report
Export
Collapse

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials. The credentials must be stored so that the EC2 instances and the Lambda functions can access them.

No other access is allowed. The access logs must record when the credentials were accessed and by whom. What should the Security Engineer do to meet these requirements?

Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Suggested answer: D
asked 16/09/2024
Rehan r
38 questions

Question 130

Report
Export
Collapse

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year. What can be done to implement the above policy?

Enable automatic key rotation annually for the CMK.
Enable automatic key rotation annually for the CMK.
Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
Import new key material to the existing CMK and manually rotate the CMK.
Import new key material to the existing CMK and manually rotate the CMK.
Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Suggested answer: D

Explanation:

https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keysmanually"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a goodsolution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs incustom key stores and CMKs with imported key material. Because the new CMK is a differentresource from the current CMK, it has a different key ID and ARN. When you change CMKs, you needto update references to the CMK ID or ARN in your applications. Aliases, which associate a friendlyname with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then,when you want to change the CMK that the application uses, change the target CMK of the alias. Toupdate the target CMK of an alias, use UpdateAlias operation in the AWS KMS API. "

asked 16/09/2024
MIGUEL FERNANDEZ
36 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?