Amazon SCS-C01 Practice Test - Questions Answers, Page 39
Question 381
Your company has an external web site. This web site needs to access the objects in an S3 bucket.
Which of the following would allow the web site to access the objects in the most secure manner?
Explanation:
An example of this is given in the AWS documentation:
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.
Option A is invalid because giving public access is not a secure way to provide access.
Option C is invalid because aws:sites is not a valid condition key.
Option D is invalid because IAM roles cannot be assigned to web sites.
Note that the Referer header is supplied by the client and can be set to any value, so this policy stops casual hotlinking but is not an authentication control; the AWS documentation for this example makes the same point. Because the statement uses Principal "*", the bucket policy is classified as public and the account's Block Public Access setting for bucket policies must permit it.
For more information on example bucket policies please visit the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy
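The bucket policy described in the explanation, written out as an added example (this is not code from the original page). The bucket name examplebucket and the domains are the ones the documentation uses; the Sid values are illustrative, and the https variants of the referer patterns are an addition so that the policy also works when the site is served over TLS:

```json
{
  "Version": "2012-10-17",
  "Id": "HTTPRefererPolicy",
  "Statement": [
    {
      "Sid": "AllowGetObjectWhenReferredFromExampleDotCom",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.example.com/*",
            "http://example.com/*",
            "https://www.example.com/*",
            "https://example.com/*"
          ]
        }
      }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket examplebucket --policy file://policy.json`. A quick check of the caveat above: `curl -H "Referer: https://www.example.com/" https://examplebucket.s3.amazonaws.com/photo.jpg` from any machine retrieves the object, because nothing in the condition ties the request to the site itself.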
Question 382
Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's AWS Account. Which would be the easiest way to ensure these vulnerabilities are remediated?
Explanation:
The AWS documentation mentions the following:
You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can target either instance IDs or Amazon EC2 tags and execute the AWS-RefreshAssociation document or the AWS-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem.
Options A and B are invalid because, even though this is possible, from a maintenance perspective it would be difficult to maintain the Lambda functions.
Option C is invalid because this service cannot be used to patch servers.
For more information on using Systems Manager for compliance remediation please visit the link below:
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-fixing.html
The correct answer is: Use AWS Systems Manager to patch the servers
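As an added example (not from the original page), the input document for `aws ssm send-command --cli-input-json file://patch.json`, which runs the AWS-RunPatchBaseline document in Install mode against every managed instance carrying the tag the Patch Manager uses to map instances to a baseline. The tag value `critical`, the concurrency and error limits, and the timeout are assumptions for illustration:

```json
{
  "DocumentName": "AWS-RunPatchBaseline",
  "Comment": "Remediate compliance findings on critical instances using the approved patch baseline",
  "Targets": [
    { "Key": "tag:Patch Group", "Values": ["critical"] }
  ],
  "Parameters": {
    "Operation": ["Install"],
    "RebootOption": ["RebootIfNeeded"]
  },
  "MaxConcurrency": "25%",
  "MaxErrors": "1",
  "TimeoutSeconds": 600
}
```

The instances must be running SSM Agent with an instance profile that allows Systems Manager (for example the AmazonSSMManagedInstanceCore managed policy). Running the same document with `"Operation": ["Scan"]` first reports what is missing without changing anything, which is the usual way to confirm the baseline before an Install run that may reboot production hosts; MaxConcurrency and MaxErrors keep a bad patch from taking every critical instance down at once.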
Question 383
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?
Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. In an IAM policy the tag is checked with the ec2:ResourceTag/tag-key condition key, which only applies to EC2 actions that support resource-level permissions.
Option A is invalid because this is not a recommended practice.
Option B is invalid because maintaining this in policies is an overhead.
Option C is invalid because the instance type will not resolve the requirement.
For information on resource tagging, please visit the URL below:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
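An added example of such a policy (not from the original page). It assumes the instances are tagged Environment=test and Environment=production, a region of us-east-1 and the placeholder account ID 123456789012; the Sid values are illustrative. The third statement is a practitioner addition: without it a user who can change tags could simply retag a production instance as test and gain control of it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeDoesNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyInstancesTaggedTest",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Environment": "test" }
      }
    },
    {
      "Sid": "PreventRetaggingToEscalate",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    }
  ]
}
```

Attach the policy to the IAM group in question. Note that ec2:DescribeInstances still lists the production instances (Describe calls cannot be scoped by tag), but any Start, Stop or Reboot request against an instance whose Environment tag is not `test` fails with an authorization error.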
Question 384
Your company is planning on hosting its resources on AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy?
Explanation:
By generating the key pairs for the EC2 instances yourself, you keep complete control of the private keys: only the public half is imported into EC2, and the private key never leaves the company. Options A, C and D are invalid because all of these processes mean that AWS generates or holds the keys, and the question specifically requires that the company own them.
For information on security for compute resources, please visit the URL below:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf
The correct answer is: Generating the key pairs for the EC2 Instances using puttygen
Question 385
A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement; in order to boost the agility of the business and to ensure data durability, which of the following options are not required?
Explanation:
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
• Resource type—The AWS resource managed by the policy, in this case, EBS volumes.
• Target tag—The tag that must be associated with an EBS volume for it to be managed by the policy.
• Schedule—Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
Option C is correct (not required): each Amazon EBS volume is already replicated automatically within its Availability Zone to protect against component failure, so there is no separate "EBS volume replication" feature for you to configure; durability beyond the zone comes from snapshots, which are stored in S3 and can be copied to another region. Option D is correct (not required): encryption protects confidentiality, it does not improve data durability.
For information on security for compute resources, please visit the URL below:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf
The correct answers are: Use EBS volume replication. Use EBS volume encryption
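The three core settings listed above (resource type, target tag, schedule) as an added example of a DLM policy-details document, not taken from the original page. It is passed as `aws dlm create-lifecycle-policy --description "Daily snapshots of critical volumes" --state ENABLED --execution-role-arn arn:aws:iam::123456789012:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policy.json`; the tag Backup=critical, the schedule name, the 02:00 UTC start time, the 14-snapshot retention and the account ID are assumptions:

```json
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": ["VOLUME"],
  "TargetTags": [
    { "Key": "Backup", "Value": "critical" }
  ],
  "Schedules": [
    {
      "Name": "DailyCriticalVolumeSnapshots",
      "CopyTags": true,
      "TagsToAdd": [
        { "Key": "CreatedBy", "Value": "DLM" }
      ],
      "CreateRule": {
        "Interval": 24,
        "IntervalUnit": "HOURS",
        "Times": ["02:00"]
      },
      "RetainRule": {
        "Count": 14
      }
    }
  ]
}
```

Only volumes carrying the target tag are picked up, so tagging is what puts a volume under the policy; once 14 snapshots exist, each new one causes the oldest to be deleted. Snapshots of an encrypted volume are themselves encrypted with the same KMS key, and for the cross-region copy that the explanation mentions a schedule can additionally carry CrossRegionCopyRules.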
Question 386
The CFO of a company wants to allow one of his employees to view only the AWS usage report page.
Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Explanation:
Per the AWS documentation on the access required for a user to view the Usage Reports page, option C is the right answer.
Question 387
Your company has the following setup in AWS: a. A set of EC2 Instances hosting a web application; b. An application load balancer placed in front of the EC2 Instances. There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?
Explanation:
The AWS documentation mentions the following on AWS WAF, which can be used to protect Application Load Balancers and CloudFront distributions. A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block the following types of requests:
• Originate from an IP address or a range of IP addresses
• Originate from a specific country or countries
• Contain a specified string or match a regular expression (regex) pattern in a particular part of requests
• Exceed a specified length
• Appear to contain malicious SQL code (known as SQL injection)
• Appear to contain malicious scripts (known as cross-site scripting)
Option A is invalid because security groups contain only allow rules and have no explicit deny, so they cannot block a specific source IP address. Options B and C are invalid because these services cannot be used to block IP addresses.
For information on AWS WAF, please visit the URL below:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
The correct answer is: Use AWS WAF to block the IP addresses
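An added example (not from the original page) of the web ACL rule that blocks the offending addresses. It assumes an IP set has first been created with `aws wafv2 create-ip-set --name known-bad-sources --scope REGIONAL --ip-address-version IPV4 --addresses 198.51.100.0/24 203.0.113.7/32` (the addresses are documentation ranges used as placeholders), and that the web ACL containing this rule is then associated with the ALB; the ARN, rule name and account ID are illustrative:

```json
{
  "Name": "BlockKnownBadSources",
  "Priority": 0,
  "Action": { "Block": {} },
  "Statement": {
    "IPSetReferenceStatement": {
      "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/known-bad-sources/11111111-2222-3333-4444-555555555555"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockKnownBadSources"
  }
}
```

The scope is REGIONAL because the resource is an ALB (a CloudFront distribution uses the CLOUDFRONT scope in us-east-1). Two things to check before relying on it: the rule priority must be lower than any allow rule that would otherwise match first, and if the ALB sits behind CloudFront or another proxy the client address is in X-Forwarded-For rather than the connection source, in which case the statement needs an IPSetForwardedIPConfig; the CloudWatch metric shows how much traffic the rule is actually blocking.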
Question 388
An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
Explanation:
You can use a Deny statement with a condition so that the user cannot work from outside the organization. The example in the AWS documentation uses a NotIpAddress condition on the aws:SourceIp key, so any request whose source address is not in the listed ranges is denied access to the resources in AWS. Because an explicit deny always overrides an allow, this works regardless of what the user's other policies grant.
Option A is invalid because you don't mention the security group in the IAM policy.
Option C is invalid because security groups by default don't allow traffic.
Option D is invalid because the IAM policy does not have such an option.
For more information on IAM policy conditions, please visit the URL below:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-two-condition
The correct answer is: Create an IAM policy with a condition which denies access when the IP address range is not from the organization
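The deny policy described above, as an added example that is not part of the original page. The two CIDR ranges stand in for the organization's public egress addresses and are assumptions; the Sid is illustrative. The aws:ViaAWSService condition is a practitioner addition from the AWS documentation's version of this example: calls that a service makes on the user's behalf (CloudFormation, for instance) do not carry the user's IP address and would otherwise be denied as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllWhenNotFromCorporateNetwork",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
        },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    }
  ]
}
```

Attach it to the group containing the users (or as a service control policy if the requirement spans accounts). Sign-in itself is not an IAM-authorized action, so a user outside the ranges can still log in, but every console page and API call they then make is denied. aws:SourceIp is the public address AWS sees; requests that reach AWS through a VPC endpoint carry the private address in aws:VpcSourceIp instead, so users working from inside a VPC need that key in the condition.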
Question 389
You are creating a Lambda function which will be triggered by a CloudWatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
Explanation:
AWS Lambda functions use an execution role to interact with other AWS services, so create an IAM role that has permissions on the DynamoDB table and attach it to the Lambda function; Lambda obtains temporary credentials for the role each time the function runs. Options A and C are invalid because you should never embed long-lived access keys in a function for access.
Option D is invalid because a VPC endpoint controls the network path from a VPC; it does not grant the function any permissions.
For more information on the Lambda function permission model, please visit the URL below:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
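An added example (not from the original page) of the role and its attachment, expressed as a CloudFormation template in JSON so that the trust policy, the scoped permission and the function's Role property appear together. The table, role and function names, the eventId key and the handler that writes the event's id and detail fields are assumptions for illustration; the EventBridge rule that triggers the function and its lambda:InvokeFunction permission are omitted.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EventsTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [ { "AttributeName": "eventId", "AttributeType": "S" } ],
        "KeySchema": [ { "AttributeName": "eventId", "KeyType": "HASH" } ]
      }
    },
    "EventWriterRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "lambda.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ],
        "Policies": [
          {
            "PolicyName": "PutItemOnEventsTableOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "dynamodb:PutItem",
                  "Resource": { "Fn::GetAtt": [ "EventsTable", "Arn" ] }
                }
              ]
            }
          }
        ]
      }
    },
    "EventWriterFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Runtime": "python3.12",
        "Handler": "index.handler",
        "Role": { "Fn::GetAtt": [ "EventWriterRole", "Arn" ] },
        "Environment": {
          "Variables": { "TABLE_NAME": { "Ref": "EventsTable" } }
        },
        "Code": {
          "ZipFile": "import os\nimport boto3\n\nTABLE = boto3.resource('dynamodb').Table(os.environ['TABLE_NAME'])\n\ndef handler(event, context):\n    # Credentials come from the execution role; nothing is stored in the code.\n    TABLE.put_item(Item={'eventId': event['id'], 'detail': str(event.get('detail', {}))})\n"
        }
      }
    }
  }
}
```

The trust policy is what lets the Lambda service assume the role, and the inline policy grants only dynamodb:PutItem on that one table ARN rather than dynamodb:* on `*`; AWSLambdaBasicExecutionRole adds the CloudWatch Logs permissions the function needs to log. The SDK in the function picks up the role's temporary credentials from the runtime environment, which is why no key material appears anywhere in the template.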
Question 390
There is a set of Ec2 Instances in a private subnet. The application hosted on these EC2 Instances need to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?
Explanation:
The AWS documentation shows how you can access the DynamoDB service from within a VPC without going to the internet: this is done with a gateway VPC endpoint for DynamoDB, which adds a route for the service's prefix list to the subnet's route table so that the traffic stays on the AWS network and the private subnet needs no NAT gateway or internet gateway at all.
Option B is invalid because this is used for a connection between an on-premises solution and AWS.
Option C is invalid because there is no such option.
Option D is invalid because this is used to connect two VPCs.
For more information on VPC endpoints for DynamoDB, see the AWS documentation.
The correct answer is: Use a VPC endpoint to the DynamoDB table
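An added example (not from the original page) of the gateway endpoint as a CloudFormation template in JSON, with an endpoint policy that limits what can be reached through it. The table name Orders, the parameter names and the set of allowed actions are assumptions; the endpoint policy is a practitioner addition, since the default policy allows full access to every DynamoDB table in the region.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "VpcId": { "Type": "AWS::EC2::VPC::Id" },
    "PrivateRouteTableId": { "Type": "String" }
  },
  "Resources": {
    "DynamoDbGatewayEndpoint": {
      "Type": "AWS::EC2::VPCEndpoint",
      "Properties": {
        "VpcId": { "Ref": "VpcId" },
        "ServiceName": { "Fn::Sub": "com.amazonaws.${AWS::Region}.dynamodb" },
        "VpcEndpointType": "Gateway",
        "RouteTableIds": [ { "Ref": "PrivateRouteTableId" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "OnlyTheOrdersTableThroughThisEndpoint",
              "Effect": "Allow",
              "Principal": "*",
              "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
              ],
              "Resource": { "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders" }
            }
          ]
        }
      }
    }
  }
}
```

Attaching the endpoint to the private subnet's route table is what makes the SDK's normal regional DynamoDB hostname resolve onto the endpoint path; no change to the application is needed. The endpoint policy and the instance role's IAM policy are both evaluated, so the role still needs its own permissions on the table. To force the private path, add a condition such as `"StringEquals": {"aws:SourceVpce": "<endpoint id>"}` to the instance role's DynamoDB permissions, after which the same credentials cannot reach the table from outside the VPC.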
Question