
Amazon SCS-C01 Practice Test - Questions Answers, Page 34


Question 331


A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?

Please select:

A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
Suggested answer: C

Explanation:

Options A and B are invalid because the default NACL rules allow all inbound and outbound traffic.

The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that, the Security Group of the EC2 instance must allow traffic from the IT administrator's workstation. Hence option C is correct.

Option D is incorrect as we need to enable the Inbound SSH traffic on the EC2 instance Security Group, since the traffic originates from the IT admin's workstation.

The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

asked 16/09/2024
Morris Djavaheri
29 questions

Question 332


A company is planning to run a number of Admin related scripts using the AWS Lambda service. There is a need to understand if there are any errors encountered when the scripts run. How can this be accomplished in the most effective manner?

Please select:

A. Use CloudWatch metrics and logs to watch for errors
B. Use CloudTrail to monitor for errors
C. Use the AWS Config service to monitor for errors
D. Use the AWS Inspector service to monitor for errors
Suggested answer: A

Explanation:

The AWS Documentation mentions the following:

AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.

Options B, C and D are all invalid because these services cannot be used to monitor for errors.

For more information on monitoring Lambda functions, please visit the following URL:

https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html

The correct answer is: Use CloudWatch metrics and logs to watch for errors

asked 16/09/2024
Terence Coates
33 questions

Question 333


A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to be encrypted at rest. How can this be achieved?

Please select:

A. Use AWS Access keys to encrypt the data
B. Use SSL certificates to encrypt the data
C. Enable server side encryption on the S3 bucket
D. Enable MFA on the S3 bucket
Suggested answer: C

Explanation:

The AWS Documentation mentions the following:

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.

Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data.

Option D is invalid because MFA is just used as an extra level of security for S3 buckets.

For more information on S3 server side encryption, please refer to the link below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

asked 16/09/2024
Jose Alberto Vecino Pacheco
31 questions

Question 334


You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?

Please select:

A. Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.
B. Check the Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
C. Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
D. Check the Outbound security rules for the database security group. Check both the Inbound and Outbound security rules for the application security group.
Suggested answer: A

Explanation:

Since the communication is established inward to the database server and outward from the application server, you need to check just the Outbound rules for the application server security group and just the Inbound rules for the database server security group.

Option B can't be the correct answer. It says that we need to check the outbound rules of the database security group, which is not needed. We need to check the inbound rules for the DB SG and the outbound rules of the Application SG, because these two groups need to communicate with each other to function properly.

Option C is invalid because you don't need to check the Outbound security rules for the database security group.

Option D is invalid because you don't need to check the Inbound security rules for the application security group.

For more information on Security Groups, please refer to below URL:

The correct answer is: Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.

asked 16/09/2024
Erik de Bont
39 questions
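
The two checks from the explanation above, written out as an added example that is not part of the original page. The rule dictionaries are constructed sample data in the shape that boto3's `describe_security_groups()` returns; the group IDs, IP addresses and the database port 3306 are assumptions. Security groups are stateful, so return traffic needs no rule and the other two rule sets are never consulted.

```python
import ipaddress

# Constructed sample data (placeholder group IDs), shaped like describe_security_groups() output.
APP_SG = {
    "GroupId": "sg-app-example",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
DB_SG = {
    "GroupId": "sg-db-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
    ],
    "IpPermissionsEgress": [],  # empty on purpose: replies do not need an outbound rule
}

def rule_allows(rule, port, peer_ip, peer_sg_id):
    """True if one rule permits TCP `port` with the peer, matched by CIDR or by SG reference."""
    proto = rule["IpProtocol"]
    if proto == "-1":                      # "-1" means all protocols and all ports
        port_ok = True
    elif proto == "tcp":
        port_ok = rule["FromPort"] <= port <= rule["ToPort"]
    else:
        port_ok = False
    if not port_ok:
        return False
    addr = ipaddress.ip_address(peer_ip)
    by_cidr = any(addr in ipaddress.ip_network(r["CidrIp"])
                  for r in rule.get("IpRanges", []))
    by_group = any(p["GroupId"] == peer_sg_id
                   for p in rule.get("UserIdGroupPairs", []))
    return by_cidr or by_group

def diagnose_app_to_db(app_sg, db_sg, port, app_ip, db_ip):
    """Check only the two rule sets that matter for an application -> database connection."""
    findings = []
    if not any(rule_allows(r, port, db_ip, db_sg["GroupId"])
               for r in app_sg["IpPermissionsEgress"]):
        findings.append("application SG outbound rules do not allow tcp/%d to the database" % port)
    if not any(rule_allows(r, port, app_ip, app_sg["GroupId"])
               for r in db_sg["IpPermissions"]):
        findings.append("database SG inbound rules do not allow tcp/%d from the application" % port)
    return findings

if __name__ == "__main__":
    for finding in diagnose_app_to_db(APP_SG, DB_SG, 3306, "10.0.1.10", "10.0.2.20"):
        print(finding)
```

With the sample data, the only finding is on the application side, because its outbound rules permit port 443 only.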

Question 335


Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB?

Please select:

A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
B. Encrypt the DynamoDB table using KMS during its creation
C. Encrypt the table using AWS KMS after it is created
D. Use S3 buckets to encrypt the data before sending it to DynamoDB
Suggested answer: B

Explanation:

The easiest option is to enable encryption when the DynamoDB table is created.

The AWS Documentation mentions the following:

Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.

Option A is partially correct: you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table beforehand.

Option C is invalid because you cannot encrypt the table after it is created.

Option D is invalid because encryption for S3 buckets is for the objects in S3 only.

For more information on securing data at rest for DynamoDB, please refer to the URL below:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

The correct answer is: Encrypt the DynamoDB table using KMS during its creation

asked 16/09/2024
Jean-Bosco Muganza
42 questions

Question 336


Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?

Please select:

A. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.
C. Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
D. Put the metadata in the S3 bucket itself.
Suggested answer: C

Explanation:

Options A, B and D are all invalid because the metadata will not be encrypted in any of these cases, and this is a key requirement from the question. One key thing to note is that when the S3 bucket objects are encrypted, the metadata is not encrypted. So the best option is to use an encrypted DynamoDB table.

Important: All GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted.

For more information on using KMS encryption for S3, please refer to the URL below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

The correct answer is: Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.

asked 16/09/2024
JUAN LUIS BERMUDEZ MAYORAL
27 questions

Question 337


One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance? Select 2 answers from the options given below.

Please select:

A. Remove the role applied to the EC2 Instance
B. Create a separate forensic instance
C. Ensure that the security groups only allow communication to this forensic instance
D. Terminate the instance
Suggested answer: B, C

Explanation:

Option A is invalid because removing the role will not help completely in such a situation.

Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance.

One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.

For more information on security scenarios for your EC2 Instance, please refer to the URL below:

https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_11_TSB_Final.pdf

The correct answers are: Create a separate forensic instance. Ensure that the security groups only allow communication to this forensic instance.

asked 16/09/2024
Miguel Triebel
36 questions

Question 338


One of your company's EC2 Instances has been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do in from the options given below.

Please select:

A. Take a snapshot of the EBS volume
B. Isolate the machine from the network
C. Make sure that logs are stored securely for auditing and troubleshooting purpose
D. Ensure all passwords for all IAM users are changed
E. Ensure that all access keys are rotated.
Suggested answer: A, B, C

Explanation:

Some of the important aspects in such a situation are:

1) First isolate the instance so that no further security harm can occur on other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we have already got logs and we need to make sure that they are stored securely so that no unauthorised person can access and manipulate them.

Options D and E are invalid because they could have adverse effects for the other IAM users.

For more information on adopting a security framework, please refer to the URL below:

https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework

Note:

In the question we have been asked to take actions to find the culprit and to help the investigation or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.

The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purpose.

asked 16/09/2024
Natcha Koopipat
42 questions

Question 339


Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 Instances needs to be secure. How would you accomplish this?

Please select:

A. Use an Application Load balancer and terminate the SSL connection at the ELB
B. Use a Classic Load balancer and terminate the SSL connection at the ELB
C. Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
D. Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances
Suggested answer: D

Explanation:

Since there are applications which work on legacy protocols, you need to ensure that the ELB can be used at the network layer as well, and hence you should choose the Classic ELB. Since the traffic needs to be secure until it reaches the EC2 Instances, the SSL termination should occur on the EC2 Instances.

Options A and C are invalid because you need to use a Classic Load balancer since this is a legacy application.

Option B is incorrect since encryption is required until the EC2 Instance.

For more information on HTTPS listeners for classic load balancers, please refer to the URL below:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html

The correct answer is: Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances

asked 16/09/2024
David Kimovec
33 questions

Question 340


A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the AWS KMS service?

Please select:

A. Enable rotation of the keys
B. Use Data key caching
C. Create an alias of the key
D. Use the right key policy
Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.

Options A, C and D are all incorrect since these options will not impact how the key is used.

For more information on data key caching, please refer to the URL below:

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html

The correct answer is: Use Data key caching

asked 16/09/2024
Sacha CONTI
43 questions
Total 590 questions