ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 26

List of questions

Question 251

Report
Export
Collapse

You are deivising a policy to allow users to have the ability to access objects in a bucket called appbucket. You define the below custom bucket policy

Amazon SCS-C01 image Question 251 7369 09162024005923000000

But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error Please select:

Change the IAM permissions by applying PutBucketPolicy permissions.
Change the IAM permissions by applying PutBucketPolicy permissions.
Verify that the policy has the same name as the bucket name. If not. make it the same.
Verify that the policy has the same name as the bucket name. If not. make it the same.
Change the Resource section to "arn:aws:s3:::appbucket/*'.
Change the Resource section to "arn:aws:s3:::appbucket/*'.
Create the bucket "appbucket" and then apply the policy.
Create the bucket "appbucket" and then apply the policy.
Suggested answer: C

Explanation:

When you define access to objects in a bucket you need to ensure that you specify to which objects in the bucket access needs to be given to. In this case, the * can be used to assign the permission to all objects in the bucket Option A is invalid because the right permissions are already provided as per the question requirement Option B is invalid because it is not necessary that the policy has the same name as the bucket

Option D is invalid because this should be the default flow for applying the policy For more information on bucket policies please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.htmllThe correct answer is: Change the Resource section to "arn:aws:s3:::appbucket/" Submit yourFeedback/Queries to our Experts

asked 16/09/2024
Vasyl Basaraba
28 questions

Question 252

Report
Export
Collapse

A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement? Please select:

Use AWS WAF to catch all intrusions occurring on the systems in the VPC
Use AWS WAF to catch all intrusions occurring on the systems in the VPC
Use a custom solution available in the AWS Marketplace
Use a custom solution available in the AWS Marketplace
Use VPC Flow logs to detect the issues and flag them accordingly.
Use VPC Flow logs to detect the issues and flag them accordingly.
Use AWS Cloudwatch to monitor all traffic
Use AWS Cloudwatch to monitor all traffic
Suggested answer: B

Explanation:

Sometimes companies want to have custom solutions in place for monitoring Intrusions to their systems. In such a case, you can use the AWS Marketplace for looking at custom solutions.

Amazon SCS-C01 image Question 252 explanation 7370 09162024005923000000

Option A.C and D are all invalid because they cannot be used to conduct intrusion detection or prevention.

For more information on using custom security solutions please visit the below URL

https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution%200verview.pdfFor more information on using custom security solutions please visit the below URL:

https://d1 .awsstatic.com/Marketplace/security/AWSMP Security Solution%20Overview.pd1The correct answer is: Use a custom solution available in the AWS Marketplace Submit yourFeedback/Queries to our Experts

asked 16/09/2024
justen layne
37 questions

Question 253

Report
Export
Collapse

Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances need to be encrypted. Which of the following can help achieve this? Please select:

AWS KMS API
AWS KMS API
AWS Certificate Manager
AWS Certificate Manager
API Gateway with STS
API Gateway with STS
IAM Access Key
IAM Access Key
Suggested answer: A

Explanation:

The AWS Documentation mentions the following on AWS KMS

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage Option B is incorrect - The AWS Certificate manager can be used to generate SSL certificates that can be used to encrypt traffic transit, but not at rest Option C is incorrect is again used for issuing tokens when using API gateway for traffic in transit. Option D is used for secure access to EC2 Instances

For more information on AWS KMS, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developereuide/overview.htmllThe correct answer is: AWS KMS APISubmit your Feedback/Queries to our Experts

asked 16/09/2024
saud ahmed
38 questions

Question 254

Report
Export
Collapse

You have an S3 bucket hosted in AWS. This is used to host promotional videos uploaded by yourself.

You need to provide access to users for a limited duration of time. How can this be achieved?

Please select:

Use versioning and enable a timestamp for each version
Use versioning and enable a timestamp for each version
Use Pre-signed URL's
Use Pre-signed URL's
Use IAM Roles with a timestamp to limit the access
Use IAM Roles with a timestamp to limit the access
Use IAM policies with a timestamp to limit the access
Use IAM policies with a timestamp to limit the access
Suggested answer: B

Explanation:

The AWS Documentation mentions the following

All objects by default are private. Only the object owner has permission to access these objects.

However, the object owner can optionally share objects with others by creating a pre-signed URL using their own security credentials, to grant time-limited permission to download the objects. Option A is invalid because this can be used to prevent accidental deletion of objects Option C is invalid because timestamps are not possible for Roles Option D is invalid because policies is not the right way to limit access based on time For more information on pre-signed URL's, please visit the URL:

https://docs.aws.ama2on.com/AmazonS3/latest/dev/ShareObiectPreSisnedURL.htmlThe correct answer is: Use Pre-signed URL's Submit your Feedback/Queries to our Experts

asked 16/09/2024
Peter Lam
42 questions

Question 255

Report
Export
Collapse

Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved? Please select:

Enable logging on the KMS service
Enable logging on the KMS service
Enable a trail in Cloudtrail
Enable a trail in Cloudtrail
Enable Cloudwatch logs
Enable Cloudwatch logs
Use Cloudwatch metrics
Use Cloudwatch metrics
Suggested answer: B

Explanation:

The AWS Documentation states the following

AWS KMS is integrated with CloudTrail, a service that captures API calls made by or on behalf of AWS KMS in your AWS account and delivers the log files to an Amazon S3 bucket that you specify. CloudTrail captures API calls from the AWS KMS console or from the AWS KMS API. Using the information collected by CloudTrail, you can determine what request was made, the source IP address from which the request was made, who made the request when it was made, and so on.

Option A is invalid because logging is not possible in the KMS service Option C and D are invalid because Cloudwatch cannot be used to monitor API calls For more information on logging using Cloudtrail please visit the below URL https://docs.aws.amazon.com/kms/latest/developerguide/loeeing-usine-cloudtrail.htmlThe correct answer is: Enable a trail in CloudtrailJubmit your Feedback/Queries to our Experts

asked 16/09/2024
AHOPlvaro Zorrilla
37 questions

Question 256

Report
Export
Collapse

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this? Please select:

Enable AWS Guard Duty for the Instance
Enable AWS Guard Duty for the Instance
Use AWS Trusted Advisor
Use AWS Trusted Advisor
Use AWS inspector
Use AWS inspector
UseAWSMacie
UseAWSMacie
Suggested answer: C

Explanation:

The AWS Inspector service can inspect EC2 Instances based on specific Rules. One of the rules packages is based on the guidelines set by the Center of Internet Security Center for Internet security (CIS) Benchmarks The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed nere.

Option A is invalid because this can be used to protect an instance but not give the list of vulnerabilities Options B and D are invalid because these services cannot give a list of vulnerabilities For more information on the guidelines, please visit the below URL:

* https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html The correct answeris: Use AWS InspectorSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Matt Gifford
33 questions

Question 257

Report
Export
Collapse

You have an instance setup in a test environment in AWS. You installed the required application and the promoted the server to a production environment. Your IT Security team has advised that there maybe traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?

Please select:

Shutdown the instance
Shutdown the instance
Remove the rule for incoming traffic on port 22 for the Security Group
Remove the rule for incoming traffic on port 22 for the Security Group
Change the AMI for the instance
Change the AMI for the instance
Change the Instance type for the instance
Change the Instance type for the instance
Suggested answer: B

Explanation:

In the test environment the security groups might have been opened to all IP addresses for testing purpose. Always to ensure to remove this rule once all testing is completed. Option A, C and D are all invalid because this would affect the application running on the server. The easiest way is just to remove the rule for access on port 22. For more information on authorizing access to an instance, please visit the below URL:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.htmllThe correct answer is: Remove the rule for incoming traffic on port 22 for the Security Group Submityour Feedback/Queries to our Experts

asked 16/09/2024
Marc-Antoine Meyssat
26 questions

Question 258

Report
Export
Collapse

Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement? Please select:

Use AWS Inspector to inspect all the security Groups
Use AWS Inspector to inspect all the security Groups
Use the AWS Trusted Advisor to see which security groups have compromised access.
Use the AWS Trusted Advisor to see which security groups have compromised access.
Use AWS Config to see which security groups have compromised access.
Use AWS Config to see which security groups have compromised access.
Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted accessd
Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted accessd
Suggested answer: B

Explanation:

The AWS Trusted Advisor can check security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-ofservice attacks, loss of data). If you go to AWS Trusted Advisor, you can see the details

Amazon SCS-C01 image Question 258 explanation 7376 09162024005923000000

Option A is invalid because AWS Inspector is used to detect security vulnerabilities in instances and not for security groups.

Option C is invalid because this can be used to detect changes in security groups but not show you security groups that have compromised access.

Option Dis partially valid but would just be a maintenance overhead

For more information on the AWS Trusted Advisor, please visit the below URL:

https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices;The correct answer is: Use the AWS Trusted Advisor to see which security groups have compromisedaccess. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Juan Carlos Yepez
36 questions

Question 259

Report
Export
Collapse

A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration?

Choose 2 answers from the options given below

Please select:

Create an S3 bucket in a dedicated log account and grant the other accounts write only access.Deliver all log files from every account to this S3 bucket.
Create an S3 bucket in a dedicated log account and grant the other accounts write only access.Deliver all log files from every account to this S3 bucket.
Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.
Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.
Enable CloudTrail log file integrity validation
Enable CloudTrail log file integrity validation
Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.
Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.
Suggested answer: A, C

Explanation:

The AWS Documentation mentions the following

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log fill integrity validation. This feature is built using industry standard algorithms:

SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. Option B is invalid because there is no such thing as Trusted Advisor Cloud Trail checks Option D is invalid because Systems Manager cannot be used for this purpose. Option E is invalid because Security Groups cannot be used to block calls from other services For more information on Cloudtrail log file validation, please visit the below URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-loe-file-validationintro.htmllFor more information on delivering Cloudtrail logs from multiple accounts, please visit the belowURL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multipleaccounts.htmlThe correct answers are: Create an S3 bucket in a dedicated log account and grant the other accountswrite only access. Deliver all log files from every account to this S3 bucket, Enable Cloud Trail log fileintegrity validationSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Anthony Bradley
43 questions

Question 260

Report
Export
Collapse

You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you look to carry out immediately. Choose 3 answers from the options below. Please select:

Change the root account password.
Change the root account password.
Rotate all IAM access keys
Rotate all IAM access keys
Keep all resources running to avoid disruption
Keep all resources running to avoid disruption
Change the password for all IAM users.
Change the password for all IAM users.
Suggested answer: A, B, D

Explanation:

One of the articles from AWS mentions what should be done in such a scenario If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:

Change your AWS root account password and the passwords of any IAM users.

Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.

Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users. Respond to any notifications you received from AWS Support through the AWS Support Center.

Option C is invalid because there could be compromised instances or resources running on your environment. They should be shutdown or stopped immediately. For more information on the article, please visit the below URL:

https://aws.amazon.com/premiumsupport/knowledee-center/potential-account-compromise>The correct answers are: Change the root account password. Rotate all IAM access keys. Change thepassword for all IAM users. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Isidre Piguillem
42 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?