ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 21

List of questions

Question 201

Report
Export
Collapse

A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

Amazon SCS-C01 image Question 201 7319 09162024005923000000

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can a Security Engineer securely set up the bastion host?

Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
Suggested answer: A
asked 16/09/2024
Muhammad Gul
41 questions

Question 202

Report
Export
Collapse

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent setto the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)What mitigation can be applied to block attacks resulting from this bug while continuing to servicelegitimate requests?

Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
Suggested answer: A

Explanation:

Since all the attack has http header- User-Agent set to string: Mozilla/5.0 (compatible; ExampleCorp;)it would be much more easier to block these attack by simply denying traffic with the header match . HTH ExampleGame/1.22; Mobile/1.0)

asked 16/09/2024
Liam Derwin
41 questions

Question 203

Report
Export
Collapse

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?

Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Suggested answer: A

Explanation:

By default, Private instance has a private IP address, but no public IP address. These instances can communicate with each other, but can't access the Internet. You can enable Internet access for an instance launched into a nondefault subnet by attaching an Internet gateway to its VPC (if its VPC is not a default VPC) and associating an Elastic IP address with the instance. Alternatively, to allow an instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound connections from the Internet, you can use a network address translation (NAT) instance. NAT maps multiple private IP addresses to a single public IP address. A NAT instance has an Elastic IP address and is connected to the Internet through an Internet gateway.You can connect an instance in a private subnet to the Internet through the NAT instance, which routes traffic from the instance to the Internet gateway, and routes any responses to the instance.

asked 16/09/2024
Spandana Gangavaram
32 questions

Question 204

Report
Export
Collapse

A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
Suggested answer: D

Explanation:

We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data. The Decrypt API returns the plaintext key from the encrypted key. https://docs.aws.amazon.com/sdkfornet/latest/apidocs/items/MKeyManagementServiceKeyManagementServiceGenerateDataKeyGenerateDataKeyRequestNET45.html

asked 16/09/2024
KENEILWE DITHLAGE
42 questions

Question 205

Report
Export
Collapse

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. What techniques will limit lateral movement and allow evidence gathering?

Remove the instance from the load balancer and terminate it.
Remove the instance from the load balancer and terminate it.
Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
Reboot the instance and check for any Amazon CloudWatch alarms.
Reboot the instance and check for any Amazon CloudWatch alarms.
Stop the instance and make a snapshot of the root EBS volume.
Stop the instance and make a snapshot of the root EBS volume.
Suggested answer: B

Explanation:

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

asked 16/09/2024
Edgar Zapico
39 questions

Question 206

Report
Export
Collapse

A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).

Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.
The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.
Newly created CMKs must have a key policy that allows the root principal to perform all actions.
Newly created CMKs must have a key policy that allows the root principal to perform all actions.
Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
Newly created CMKs must mirror the IAM policy of the KMS key administrator.
Newly created CMKs must mirror the IAM policy of the KMS key administrator.
Suggested answer: B

Explanation:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultallow-root-enable-iam

asked 16/09/2024
Djordje Novakovic
35 questions

Question 207

Report
Export
Collapse

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)

Detach the elastic network interface from the EC2 instance.
Detach the elastic network interface from the EC2 instance.
Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
Disable any Amazon Route 53 health checks associated with the EC2 instance.
Disable any Amazon Route 53 health checks associated with the EC2 instance.
De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
Add a rule to an AWS WAF to block access to the EC2 instance.
Add a rule to an AWS WAF to block access to the EC2 instance.
Suggested answer: B, D, E

Explanation:

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

asked 16/09/2024
Martin Ng
43 questions

Question 208

Report
Export
Collapse


A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.
Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.
Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
Use unique log file prefixes for trails in each AWS account.
Use unique log file prefixes for trails in each AWS account.
Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
Enable encryption of the log files by using AWS Key Management Service
Enable encryption of the log files by using AWS Key Management Service
Suggested answer: A, C, E

Explanation:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.htmlIf you have created an organization in AWS Organizations, you can create a trail that will log allevents for all AWS accounts in that organization. This is sometimes referred to as an organizationtrail. You can also choose to edit an existing trail in the master account and apply it to anorganization, making it an organization trail. Organization trails log events for the master account andall member accounts in the organization. For more information about AWS Organizations, seeOrganizations Terminology and Concepts. Note Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html Youmust be logged in with the master account for the organization in order to create an organizationtrail. You must also have sufficient permissions for the IAM user or role in the master account inorder to successfully create an organization trail. If you do not have sufficient permissions, you willnot see the option to apply a trail to an organization.

asked 16/09/2024
Rahul Chugh
38 questions

Question 209

Report
Export
Collapse

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.

Which solution meets these requirements?

Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.
Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.
Suggested answer: B

Explanation:

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html

asked 16/09/2024
Sunil Reddy
36 questions

Question 210

Report
Export
Collapse

An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:

Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes. The priorities are to reduce complexity and avoid potential for future security issues.

Which approach will meet these requirements and priorities?

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.
Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.
Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.
Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.
Suggested answer: D

Explanation:

https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-basedaccess-control-2/

asked 16/09/2024
Kevin Lizano
37 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?