ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 18

List of questions

Question 171

Report
Export
Collapse

Which of the following minimizes the potential attack surface for applications?

Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
Suggested answer: A

Explanation:

https://aws.amazon.com/answers/networking/vpc-security-capabilities/ Security Group is statefuland hypervisor level.

asked 16/09/2024
Rajiesh George
39 questions

Question 172

Report
Export
Collapse

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.

What would be the BEST way to reduce the potential impact of these attacks in the future?

Use custom route tables to prevent malicious traffic from routing to the instances.
Use custom route tables to prevent malicious traffic from routing to the instances.
Update security groups to deny traffic from the originating source IP addresses.
Update security groups to deny traffic from the originating source IP addresses.
Use network ACLs.
Use network ACLs.
Install intrusion prevention software (IPS) on each instance.
Install intrusion prevention software (IPS) on each instance.
Suggested answer: D

Explanation:

https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html NACL has limit 20 (canincrease to maximum 40 rule), and more rule will make more low-latency

asked 16/09/2024
AHOPkos Varga
29 questions

Question 173

Report
Export
Collapse

A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.

Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with AWS? (Choose two.)

Create IAM roles with permissions corresponding to each Active Directory group.
Create IAM roles with permissions corresponding to each Active Directory group.
Create IAM groups with permissions corresponding to each Active Directory group.
Create IAM groups with permissions corresponding to each Active Directory group.
Configure Amazon Cloud Directory to support a SAML provider.
Configure Amazon Cloud Directory to support a SAML provider.
Configure Active Directory to add relying party trust between Active Directory and AWS.
Configure Active Directory to add relying party trust between Active Directory and AWS.
Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
Suggested answer: A, D

Explanation:

https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resourcesby-using-active-directory-user-attributes/

asked 16/09/2024
Alper Atar
32 questions

Question 174

Report
Export
Collapse

A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation. What should the Security Engineer use to isolate and research this event? (Choose three.)

AWS CloudTrail
AWS CloudTrail
Amazon Athena
Amazon Athena
AWS Key Management Service (AWS KMS)
AWS Key Management Service (AWS KMS)
VPC Flow Logs
VPC Flow Logs
AWS Firewall Manager
AWS Firewall Manager
Security groups
Security groups
Suggested answer: A, D, F

Explanation:

https://github.com/awslabs/aws-well-architectedlabs/blob/master/Security/300_Incident_Response_with_AWS_Console_and_CLI/Lab_Guide.md

asked 16/09/2024
pheangphadhu pravitpinyo
44 questions

Question 175

Report
Export
Collapse

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities. How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.
Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.
Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.
Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.
Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.
Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.
Suggested answer: B

Explanation:

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region. Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per region. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html

asked 16/09/2024
Mohammed Hamid
46 questions

Question 176

Report
Export
Collapse

An organization is moving non-business-critical applications to AWS while maintaining a missioncritical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.

Which configuration will ensure continued connectivity between sites MOST securely?

VPN and a cached storage gateway
VPN and a cached storage gateway
AWS Snowball Edge
AWS Snowball Edge
VPN Gateway over AWS Direct Connect
VPN Gateway over AWS Direct Connect
AWS Direct Connect
AWS Direct Connect
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-directconnect-plus-vpn-network-to-amazon.html

asked 16/09/2024
colin ciallella
29 questions

Question 177

Report
Export
Collapse

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS.

Recently, IAM changes were made and the instances can no longer retrieve messages.

What actions should be taken to troubleshoot the issue while maintaining least privilege. (Select two.)

Configure and assign an MFA device to the role used by the instances.
Configure and assign an MFA device to the role used by the instances.
Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
Verify that the access key attached to the role used by the instances is active.
Verify that the access key attached to the role used by the instances is active.
Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
Verify that the role attached to the instances contains policies that allow access to the queue.
Verify that the role attached to the instances contains policies that allow access to the queue.
Suggested answer: B, E
asked 16/09/2024
José Gonçalves
31 questions

Question 178

Report
Export
Collapse

A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.

Which AWS Services, together, can satisfy this use case? (Select two.)

Amazon Elasticsearch
Amazon Elasticsearch
Amazon Kinesis
Amazon Kinesis
Amazon SQS
Amazon SQS
Amazon CloudWatch
Amazon CloudWatch
Amazon Athena
Amazon Athena
Suggested answer: A, B

Explanation:

https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html#amazon-athena

asked 16/09/2024
Javier Cardaba Enjuto
37 questions

Question 179

Report
Export
Collapse

Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?

Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

asked 16/09/2024
Jonas Weimar
45 questions

Question 180

Report
Export
Collapse

An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box. Which of the following actions would resolve this issue?

In CloudTrail, verify that the trail logging bucket has a log prefix configured.
In CloudTrail, verify that the trail logging bucket has a log prefix configured.
In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.
In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.
In SNS, ensure that the subscription used by these alerts has not been deleted.
In SNS, ensure that the subscription used by these alerts has not been deleted.
In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.
In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.
Suggested answer: C
asked 16/09/2024
Steven Owens
36 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?