Amazon SCS-C01 Practice Test - Questions Answers, Page 34

The AWS Documentation mentions the following

AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function. Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.

Option B,C and D are all invalid because these services cannot be used to monitor for errors.

I

For more information on Monitoring Lambda functions, please visit the following URL:

https://docs.aws.amazon.com/lambda/latest/dg/monitorine-functions-loes.htmllThe correct answer is: Use Cloudwatch metrics and logs to watch for errors Submit yourFeedback/Queries to our Experts

The AWS Documentation mentions the following

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data. Option D is invalid because MFA is just used as an extra level of security for S3 buckets For more information on S3 server side encryption, please refer to the below Link:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.htmlSubmit your Feedback/Queries to our Experts

Here since the communication would be established inward to the database server and outward from the application server, you need to ensure that just the Outbound rules for application server security groups are checked. And then just the Inbound rules for database server security groups are checked.

Option B can't be the correct answer. It says that we need to check the outbound security group which is not needed. We need to check the inbound for DB SG and outbound of Application SG. Because, this two group need to communicate with each other to function properly. Option C is invalid because you don't need to check for Outbound security rules for the database security group Option D is invalid because you don't need to check for Inbound security rules for the application security group For more information on Security Groups, please refer to below URL:

The correct answer is: Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group Submit your Feedback/Queries to our Experts

The most easiest option is to enable encryption when the DynamoDB table is created.

The AWS Documentation mentions the following

Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data. Option A is partially correct, you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table before hand. Option C is invalid because you cannot encrypt the table after it is created

Option D is invalid because encryption for S3 buckets is for the objects in S3 only.

For more information on securing data at rest for DynamoDB please refer to below URL:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmllThe correct answer is: Encrypt the DynamoDB table using KMS during its creation Submit yourFeedback/Queries to our Experts

Option A ,B and D are all invalid because the metadata will not be encrypted in any case and this is a key requirement from the question. One key thing to note is that when the S3 bucket objects are encrypted, the meta data is not encrypted. So the best option is to use an encrypted DynamoDB table Important All GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted. For more information on using KMS encryption for S3, please refer to below URL: 1 https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.htmlThe correct answer is: Put the metadata in a DynamoDB table and ensure the table is encryptedduring creation time. Submit your Feedback/Queries to our Experts

Option A is invalid because removing the role will not help completely in such a situation Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.

For more information on security scenarios for your EC2 Instance, please refer to below URL:

https://d1.awsstatic.com/Marketplace/scenarios/security/SEC 11 TSB Final.pd1The correct answers are: Create a separate forensic instance. Ensure that the security groups onlyallow communication to this forensic instanceSubmit your Feedback/Queries to our Experts

Some of the important aspects in such a situation are

1) First isolate the instance so that no further security harm can occur on other AWS resources 2) Take a snapshot of the EBS volume for further investigation. This is incase if you need to shutdown the initial instance and do a separate investigation on the data 3) Next is Option C. This indicates that we have already got logs and we need to make sure that it is stored securely so that n unauthorised person can access it and manipulate it. Option D and E are invalid because they could have adverse effects for the other IAM users.

For more information on adopting a security framework, please refer to below URL

https://d1 .awsstatic.com/whitepapers/compliance/NIST Cybersecurity FrameworkNote:

In the question we have been asked to take actions to find the culprit and to help the investigation or to further reduce the damage that has happened due to the security breach. So by keeping logs secure is one way of helping the investigation.

The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network.

Make sure that logs are stored securely for auditing and troubleshooting purpose Submit your Feedback/Queries to our Experts

Since there are applications which work on legacy protocols, you need to ensure that the ELB can be used at the network layer as well and hence you should choose the Classic ELB. Since the traffic needs to be secure till the EC2 Instances, the SSL termination should occur on the Ec2 Instances.

Option A and C are invalid because you need to use a Classic Load balancer since this is a legacy application. Option B is incorrect since encryption is required until the EC2 Instance For more information on HTTPS listeners for classic load balancers, please refer to below URL https://docs.aws.ama20n.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.htmllThe correct answer is: Use a Classic Load balancer and terminate the SSL connection at the EC2InstancesSubmit your Feedback/Queries to our Experts

The AWS Documentation mentions the following

Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generatir a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales. Option A.C and D are all incorrect since these options will not impact how the key is used.

For more information on data key caching, please refer to below URL:

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-cachine.htmllThe correct answer is: Use Data key caching Submit your Feedback/Queries to our Experts