Amazon SCS-C01 Practice Test - Questions Answers, Page 18
List of questions
Question 171
Which of the following minimizes the potential attack surface for applications?
Explanation:
https://aws.amazon.com/answers/networking/vpc-security-capabilities/ Security groups are stateful firewalls enforced at the instance (hypervisor) level, so allowing only the ports and sources an application actually needs is what minimizes its attack surface.
Question 172
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html A network ACL has a default quota of 20 rules per direction, which can be raised to a maximum of 40, and a large number of rules can degrade network performance. Blocking hundreds of attacking addresses one rule at a time with network ACLs therefore does not scale; a layer 7 brute-force attack is better handled in front of the instances with AWS WAF rate-based rules.
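The question says the evidence is in the Apache logs, so the first practical step is to pull the attacking sources out of them. The following is an added example, not part of the original question or explanation: it parses Apache combined-format lines, flags any client with at least `threshold` failed logins inside a sliding window, and emits the addresses in the `/32` form an AWS WAF IP set expects. The log lines, the `/login` path and the thresholds are constructed for the example.

```python
"""Find brute-force sources in Apache access logs (added example; sample lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: client IP, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one source hammering /login, one user who mistyped twice, normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:45 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:01 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:02 +0000] "GET /admin HTTP/1.1" 403 128 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need, or None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def brute_force_sources(lines, login_path="/login", threshold=5, window=timedelta(minutes=1)):
    """Map IP -> total failed logins for every IP with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def waf_ipset_addresses(flagged):
    """Addresses in the CIDR form an AWS WAF IP set expects (IPv4 hosts as /32)."""
    return sorted(f"{ip}/32" for ip in flagged)


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG.splitlines())
    print(hits, waf_ipset_addresses(hits))
```

An IP set built this way is a stopgap for the sources already seen; the durable control for a distributed layer 7 brute force is a WAF rate-based rule on the login path, which blocks new sources automatically once they exceed the request rate, without anyone maintaining a list.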
Question 173
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with AWS? (Choose two.)
Explanation:
https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/
Question 174
A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation. What should the Security Engineer use to isolate and research this event? (Choose three.)
Explanation:
https://github.com/awslabs/aws-well-architected-labs/blob/master/Security/300_Incident_Response_with_AWS_Console_and_CLI/Lab_Guide.md
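The isolation half of that question is a fixed sequence of EC2 API calls: build a security group that allows nothing, swap it onto the instance, protect the instance from termination, and snapshot its volumes before anyone touches it. The following is an added example written for this page, not the lab guide's own code. `isolate_instance` takes a boto3 EC2 client (every method it calls exists on `boto3.client("ec2")` with these keyword arguments); `RecordingEC2` is a stand-in that records the calls and returns constructed responses so the procedure can be run offline, and every identifier in it is invented.

```python
"""Isolate a compromised EC2 instance and preserve evidence (added example, not the lab's code)."""


def isolate_instance(ec2, instance_id, case_id):
    """Quarantine `instance_id` using a boto3 EC2 client (or a stand-in with the same methods)."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    vpc_id = inst["VpcId"]

    # 1. A fresh security group has no inbound rules but an allow-all egress rule by default;
    #    revoke that so the group permits nothing in either direction.
    sg_id = ec2.create_security_group(
        GroupName=f"isolation-{case_id}",
        Description=f"Incident {case_id}: no ingress, no egress",
        VpcId=vpc_id,
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )

    # 2. Replace every security group on the instance with the isolation group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 3. Protect the evidence: nobody (attacker included) may terminate the instance via the API.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})

    # 4. Snapshot each attached EBS volume before any investigator touches the box.
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id, Description=f"Incident {case_id}: {instance_id} {volume_id}"
        )
        snapshot_ids.append(snap["SnapshotId"])

    # 5. Tag everything so the case can be tracked and nothing is cleaned up by mistake.
    ec2.create_tags(
        Resources=[instance_id, sg_id, *snapshot_ids],
        Tags=[{"Key": "IncidentCase", "Value": case_id}, {"Key": "Status", "Value": "isolated"}],
    )
    return {"vpc_id": vpc_id, "security_group": sg_id, "snapshots": snapshot_ids}


class RecordingEC2:
    """Stand-in for the boto3 EC2 client: records each call and returns constructed responses
    so the procedure can be exercised offline. All identifiers are invented."""

    def __init__(self):
        self.calls = []

    def _call(self, name, kwargs, response):
        self.calls.append((name, kwargs))
        return response

    def describe_instances(self, **kw):
        return self._call("describe_instances", kw, {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0], "VpcId": "vpc-0example",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0bbb"}},
            ]}]}]})

    def create_security_group(self, **kw):
        return self._call("create_security_group", kw, {"GroupId": "sg-0isolate"})

    def revoke_security_group_egress(self, **kw):
        return self._call("revoke_security_group_egress", kw, {"Return": True})

    def modify_instance_attribute(self, **kw):
        return self._call("modify_instance_attribute", kw, {})

    def create_snapshot(self, **kw):
        return self._call("create_snapshot", kw, {"SnapshotId": "snap-" + kw["VolumeId"][4:]})

    def create_tags(self, **kw):
        return self._call("create_tags", kw, {})


def demo():
    """Run the procedure against the stand-in client; returns (result, recorded calls)."""
    ec2 = RecordingEC2()
    return isolate_instance(ec2, "i-0123456789abcdef0", "IR-42"), ec2.calls


if __name__ == "__main__":
    # Against real AWS: import boto3; ec2 = boto3.client("ec2", region_name="us-east-1")
    result, calls = demo()
    print(result)
    for name, kwargs in calls:
        print(name, kwargs)
```

Two caveats a responder should know before relying on this. Security groups are stateful, and connections that were already being tracked may survive the group swap; if they must be cut immediately, add a network ACL deny for the instance's private address on its subnet as well. And the instance profile is untouched here: detaching it (`disassociate_iam_instance_profile`) stops the instance fetching new credentials, but credentials already issued stay valid until they expire unless the role's policy denies sessions issued before a cut-off time. Snapshots capture disk only; if memory matters, capture it before stopping the instance.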
Question 175
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities. How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?
Explanation:
Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Threat lists consist of known malicious IP addresses; GuardDuty generates findings based on threat lists, and you can have up to six uploaded threat lists per AWS account per Region. Putting the pre-approved scanners' addresses on the trusted IP list in the account whose detector generates the findings suppresses the alerts for authorized tests, while port scans from any other source still produce findings. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html
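The suppression itself happens inside GuardDuty once the list is uploaded, but a team usually wants to check the list against real findings before trusting it. The following is an added example, not part of the original explanation: it parses a trusted IP list in the plain-text form GuardDuty accepts (one IPv4 address or CIDR per line), pulls the remote addresses out of findings in the shape delivered as the `detail` of a GuardDuty EventBridge event, and keeps only the findings not wholly attributable to approved scanners. The addresses, finding IDs and finding types are constructed.

```python
"""Check GuardDuty findings against a trusted IP list of approved scanners (added example)."""
import ipaddress

# Plain-text trusted IP list in the form GuardDuty accepts: one IPv4 address or CIDR per line.
# Addresses are constructed for this example.
TRUSTED_LIST_TXT = """\
203.0.113.10
203.0.113.64/27
"""

# Two constructed findings in the shape delivered as the `detail` of a GuardDuty EventBridge event.
SAMPLE_FINDINGS = [
    {"id": "finding-authorized", "type": "Recon:EC2/Portscan",
     "service": {"action": {"actionType": "NETWORK_CONNECTION",
                            "networkConnectionAction": {
                                "remoteIpDetails": {"ipAddressV4": "203.0.113.70"}}}}},
    {"id": "finding-unauthorized", "type": "Recon:EC2/PortProbeUnprotectedPort",
     "service": {"action": {"actionType": "PORT_PROBE",
                            "portProbeAction": {"portProbeDetails": [
                                {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}]}}}},
]


def parse_trusted_list(text):
    """Parse the list file; a malformed line raises rather than silently trusting nothing."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def remote_ips(finding):
    """Remote addresses named in the finding's action block (connection, API call or port probe)."""
    action = finding.get("service", {}).get("action", {})
    candidates = []
    for key in ("networkConnectionAction", "awsApiCallAction", "portProbeAction"):
        block = action.get(key) or {}
        candidates.append(block.get("remoteIpDetails"))
        candidates.extend(d.get("remoteIpDetails") for d in block.get("portProbeDetails", []))
    return [ipaddress.ip_address(d["ipAddressV4"]) for d in candidates if d and d.get("ipAddressV4")]


def is_authorized_scan(finding, trusted_nets):
    """True only when the finding names at least one remote address and all of them are trusted."""
    ips = remote_ips(finding)
    return bool(ips) and all(any(ip in net for net in trusted_nets) for ip in ips)


def findings_to_alert(findings, trusted_nets):
    """IDs that still deserve a page: anything not wholly attributable to approved scanners."""
    return [f["id"] for f in findings if not is_authorized_scan(f, trusted_nets)]


if __name__ == "__main__":
    nets = parse_trusted_list(TRUSTED_LIST_TXT)
    print(findings_to_alert(SAMPLE_FINDINGS, nets))  # ['finding-unauthorized']
```

Once the list checks out, upload it to S3 and register it with `guardduty.create_ip_set(DetectorId=..., Name=..., Format="TXT", Location="s3://...", Activate=True)` in the account whose detector produces the findings. Because only one trusted list is allowed per account per Region, keep it to the scanner addresses and nothing else; anything on it is exempt from every GuardDuty finding type, not just port scans.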
Question 176
An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?
Explanation:
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-plus-vpn-network-to-amazon.html
Question 177
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS.
Recently, IAM changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select two.)
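Troubleshooting this comes down to comparing what the instance role's policies actually grant with the three actions a queue consumer needs: `sqs:ReceiveMessage`, `sqs:DeleteMessage` and `sqs:GetQueueAttributes`. The following is an added example, not part of the original question: a deliberately small identity-policy evaluator that applies IAM's wildcard matching and "explicit Deny beats Allow" rule to constructed policies, so the broken, least-privilege and guardrail-denied cases can be compared side by side. The queue ARN, account ID and policy documents are constructed.

```python
"""Minimal IAM identity-policy evaluation for SQS consumer troubleshooting (added example)."""
import fnmatch

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"  # constructed
# What a consumer actually needs, and nothing more.
CONSUMER_ACTIONS = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]

# Constructed policies: the post-change policy that broke the consumers, the least-privilege fix,
# and an explicit Deny such as a guardrail statement someone may have attached to the role.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": QUEUE_ARN}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CONSUMER_ACTIONS, "Resource": QUEUE_ARN}]}
DENY_ALL_SQS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sqs:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive (fold=True); resource ARNs are not.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """Explicit Deny in any policy wins; otherwise any matching Allow grants; default is deny.
    Deliberately ignores Condition, NotAction/NotResource, SCPs, permissions boundaries and
    resource policies, so treat it as a first check, not a substitute for the IAM policy simulator."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, fold=True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_permissions(policies, actions=CONSUMER_ACTIONS, resource=QUEUE_ARN):
    """Actions the consumer needs that the attached policies do not grant on the queue."""
    return [a for a in actions if not is_allowed(policies, a, resource)]


if __name__ == "__main__":
    print("broken:", missing_permissions([BROKEN_POLICY]))
    print("fixed:", missing_permissions([FIXED_POLICY]))
    print("fixed + deny:", missing_permissions([FIXED_POLICY, DENY_ALL_SQS]))
```

For the real role, the same question is answered authoritatively by `iam.simulate_principal_policy(PolicySourceArn=role_arn, ActionNames=CONSUMER_ACTIONS, ResourceArns=[QUEUE_ARN])`, which does account for conditions, boundaries and SCPs. Keep the fix scoped as `FIXED_POLICY` is, to the three actions on the one queue ARN, rather than reaching for `sqs:*` on `*`; and remember that the queue's own access policy can also deny the role, so check both sides if the simulator says the identity policy is fine.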
Question 178
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Select two.)
Explanation:
https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html#amazon-athena
Question 179
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?
Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
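Automating this is two pieces: a KMS key whose policy lets the CloudTrail service principal generate data keys and describe the key, and the trail's `KmsKeyId` setting, after which CloudTrail writes every log object with SSE-KMS under that key. The following is an added example, not part of the original explanation: it builds the key policy with the statements CloudTrail requires (scoped to this account's trails through the `aws:cloudtrail:arn` encryption context and to one trail through `aws:SourceArn`), returns the `update_trail` arguments, and includes an audit check that a given key policy really grants CloudTrail what it needs. The account ID, Region, trail name and reader role in `__main__` are constructed.

```python
"""KMS key policy for CloudTrail log encryption and the trail setting that uses it (added example)."""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cloudtrail_key_policy(account_id, region, trail_name, reader_principal_arn):
    """Key policy statements CloudTrail needs, plus a scoped decrypt grant for log readers."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # CloudTrail adds this context on every GenerateDataKey call; matching it ties the key to
    # this account's trails and lets readers decrypt only CloudTrail-written objects.
    ctx = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    return {"Version": "2012-10-17", "Statement": [
        # Without this root statement the key becomes unmanageable from the account.
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "kms:*", "Resource": "*"},
        # CloudTrail requests a data key per log file; aws:SourceArn pins it to this one trail.
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}, "StringLike": ctx}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
        # Only the named reader, only from this account, only for CloudTrail-written objects.
        {"Sid": "Allow log readers to decrypt", "Effect": "Allow",
         "Principal": {"AWS": reader_principal_arn},
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": account_id}, "StringLike": ctx}},
    ]}


def trail_encryption_params(trail_name, key_arn):
    """Keyword arguments for cloudtrail.update_trail(); setting KmsKeyId turns on SSE-KMS
    for every log object the trail writes."""
    return {"Name": trail_name, "KmsKeyId": key_arn}


def key_policy_allows_cloudtrail(policy, account_id):
    """Audit check: can CloudTrail generate data keys (scoped to this account's trails) and describe the key?"""
    can_generate = can_describe = False
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
            continue
        actions = _as_list(stmt.get("Action", []))
        ctx = (stmt.get("Condition", {}).get("StringLike", {})
               .get("kms:EncryptionContext:aws:cloudtrail:arn", ""))
        if any(fnmatch.fnmatchcase("kms:GenerateDataKey", a) for a in actions) and f":{account_id}:trail/" in ctx:
            can_generate = True
        if any(fnmatch.fnmatchcase("kms:DescribeKey", a) for a in actions):
            can_describe = True
    return can_generate and can_describe


if __name__ == "__main__":
    policy = cloudtrail_key_policy("111122223333", "us-east-1", "management-events",
                                   "arn:aws:iam::111122223333:role/SecurityAudit")
    print(json.dumps(policy, indent=2))
    print(key_policy_allows_cloudtrail(policy, "111122223333"))
    # kms.create_key(Policy=json.dumps(policy)) then cloudtrail.update_trail(**trail_encryption_params(...))
```

Create the key with `kms.create_key(Policy=json.dumps(policy))` in the same Region as the S3 bucket that receives the logs, then call `cloudtrail.update_trail(**trail_encryption_params(trail_name, key_arn))`. The check fails, by design, for a policy that grants CloudTrail `kms:*` with no encryption-context condition: that works, but it lets any trail in any account that can name the key use it.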
Question 180
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box. Which of the following actions would resolve this issue?