ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 40

List of questions

Question 391

Report
Export
Collapse

A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table

Amazon SCS-C01 image Question 391 7509 09162024005924000000

Which of the following has been taken of from a security perspective from the above command?

Please select:

Since the ID is hashed, it ensures security of the underlying table.
Since the ID is hashed, it ensures security of the underlying table.
The above command ensures data encryption at rest for the Customer table
The above command ensures data encryption at rest for the Customer table
The above command ensures data encryption in transit for the Customer table
The above command ensures data encryption in transit for the Customer table
The right throughput has been specified from a security perspective
The right throughput has been specified from a security perspective
Suggested answer: B

Explanation:

The above command with the "-sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest. Options A,C and D are all invalid because this command is specifically used to ensure data encryption at rest For more information on DynamoDB encryption, please visit the URL:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.htmlThe correct answer is: The above command ensures data encryption at rest for the Customer table

asked 16/09/2024
M S
30 questions

Question 392

Report
Export
Collapse

You need to establish a secure backup and archiving solution for your company, using AWS.

Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way?

Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
Suggested answer: A

Explanation:

Explanation: amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0,004 per gigabyte per month, a significant savings compared to on-premises solutions.

With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARDJA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation. Option B is invalid because lifecycle policies are not available for EBS volumes Option C is invalid because IAM policies cannot be used to move data to Glacier Option D is invalid because lifecycle policies is not used to move data to Redshif For more information on S3 lifecycle policies, please visit the URL: http://docs.aws.amazon.com/AmazonS3/latest/dev/obiect-lifecycle-mgmt.html The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

Submit your Feedback/Queries to our Experts

asked 16/09/2024
takasuka masahide
39 questions

Question 393

Report
Export
Collapse

What is the result of the following bucket policy?

Amazon SCS-C01 image Question 393 7511 09162024005924000000

It will allow all access to the bucket mybucket
It will allow all access to the bucket mybucket
It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
It will deny all access to the bucket mybucket
It will deny all access to the bucket mybucket
None of these
None of these
Suggested answer: C

Explanation:

The policy consists of 2 statements, one is the allow for the user mark to the bucket and the next is the deny policy for all other users. The deny permission will override the allow and hence all users will not have access to the bucket. Options A,B and D are all invalid because this policy is used to deny all access to the bucket mybucket For examples on S3 bucket policies, please refer to the below Link: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket- policies.htmll The correct answer is: It will deny all access to the bucket mybucket Submit your FeedbacK/Quenes to our Experts

asked 16/09/2024
Sanaa CHOKIRI
45 questions

Question 394

Report
Export
Collapse

A company is planning on using AWS EC2 and AWS Cloudfrontfor their web application. For which one of the below attacks is usage of Cloudfront most suited for? Please select:

Cross side scripting
Cross side scripting
SQL injection
SQL injection
DDoS attacks
DDoS attacks
Malware attacks
Malware attacks
Suggested answer: C

Explanation:

The below table from AWS shows the security capabilities of AWS Cloudfront AWS Cloudfront is more prominent for DDoS attacks.

Amazon SCS-C01 image Question 394 explanation 7512 09162024005924000000

Options A,B and D are invalid because Cloudfront is specifically used to protect sites against DDoS attacks For more information on security with Cloudfront, please refer to the below Link:

https://d1.awsstatic.com/whitepapers/Security/Secure content delivery with CloudFrontwhitepaper.pdiThe correct answer is: DDoS attacksSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Sergio Guerra
43 questions

Question 395

Report
Export
Collapse

Your company is planning on using AWS EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.

Please select:

Ensure the load balancer listens on port 80
Ensure the load balancer listens on port 80
Ensure the load balancer listens on port 443
Ensure the load balancer listens on port 443
Ensure the HTTPS listener sends requests to the instances on port 443
Ensure the HTTPS listener sends requests to the instances on port 443
Ensure the HTTPS listener sends requests to the instances on port 80
Ensure the HTTPS listener sends requests to the instances on port 80
Suggested answer: B, C

Explanation:

The AWS Documentation mentions the following

You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If youspecify that the HTTPS listener sends requests to the instances on port 80, the load balancerterminates the requests and communication from the load balancer to the instances is notencrypted, if the HTTPS listener sends requests to the instances on port 443, communication fromthe load balancer to the instances is encrypted. Option A is invalid because there is a need for secure traffic, so port 80 should not be used Option D is invalid because for the HTTPS listener you need to use port 443 For more information on HTTPS with ELB, please refer to the below Link:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-loadbalancer.htmllThe correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listenersends requests to the instances on port 443Submit your Feedback/Queries to our Experts

asked 16/09/2024
tho nguyen
37 questions

Question 396

Report
Export
Collapse

Your company is hosting a set of EC2 Instances in AWS. They want to have the ability to detect if any port scans occur on their AWS EC2 Instances. Which of the following can help in this regard? Please select:

Use AWS inspector to consciously inspect the instances for port scans
Use AWS inspector to consciously inspect the instances for port scans
Use AWS Trusted Advisor to notify of any malicious port scans
Use AWS Trusted Advisor to notify of any malicious port scans
Use AWS Config to notify of any malicious port scans
Use AWS Config to notify of any malicious port scans
Use AWS Guard Duty to monitor any malicious port scans
Use AWS Guard Duty to monitor any malicious port scans
Suggested answer: D

Explanation:

The AWS blogs mention the following to support the use of AWS GuardDuty GuardDuty voraciously consumes multiple data streams, including several threat intelligence feeds, staying aware of malicious addresses, devious domains, and more importantly, learning to accurately identify malicious or unauthorized behavior in your AWS accounts. In combination with information gleaned from your VPC Flow Logs, AWS CloudTrail Event Logs, and DNS logs, th allows GuardDuty to detect many different types of dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations. On the AWS side, it looks for suspicious AWS account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to AWS API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency.

Options A, B and C are invalid because these services cannot be used to detect port scans For more information on AWS Guard Duty, please refer to the below Link:

https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threatdetection;

( The correct answer is: Use AWS Guard Duty to monitor any malicious port scans Submit your Feedback/Queries to our Experts

asked 16/09/2024
Jagatnata Gurusinga
38 questions

Question 397

Report
Export
Collapse

You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via GIT.

Which one of the following setups would give us the highest level of security?

Choose the correct answer from the options given below.

Please select:

EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT
EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT
Suggested answer: D

Explanation:

The below diagram shows how the NAT instance works. To make EC2 instances very secure, they need to be in a private sub such as the database server shown below with no EIP and all traffic routed via the NAT.

Amazon SCS-C01 image Question 397 explanation 7515 09162024005924000000

Options A and B are invalid because the instances need to be in the private subnet Option C is invalid because since the instance needs to be in the private subnet, you should not attach an EIP to the instance For more information on NAT instance, please refer to the below Link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC lnstance.html! The correct answer is: EC2 instances in our private subnet no EIPs, route outgoing traffic via the NAT Submit your Feedback/Queries to our Experts

asked 16/09/2024
AXEL AXELOPOULOS
41 questions

Question 398

Report
Export
Collapse

In your LAMP application, you have some developers that say they would like access to your logs.

However, since you are using an AWS Auto Scaling group, your instances are constantly being recreated. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below Please select:

Give only the necessary access to the Apache servers so that the developers can gain access to the log files.
Give only the necessary access to the Apache servers so that the developers can gain access to the log files.
Give root access to your Apache servers to the developers.
Give root access to your Apache servers to the developers.
Give read-only access to your developers to the Apache servers.
Give read-only access to your developers to the Apache servers.
Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.
Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.
Suggested answer: D

Explanation:

One important security aspect is to never give access to actual servers, hence Option A.B and C are just totally wrong from a security perspective. The best option is to have a central logging server that can be used to archive logs. These logs can then be stored in S3. Options A,B and C are all invalid because you should not give access to the developers on the Apache se For more information on S3, please refer to the below link https://aws.amazon.com/documentation/s3jThe correct answer is: Set up a central logging server that you can use to archive your logs; archivethese logs to an S3 bucket for developer-access. Submit vour Feedback/Queries to our Experts

asked 16/09/2024
Vitalii Lutsenko
33 questions

Question 399

Report
Export
Collapse

Your company is planning on developing an application in AWS. This is a web based application. The application users will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.

Please select:

Create an OlDC identity provider in AWS
Create an OlDC identity provider in AWS
Create a SAML provider in AWS
Create a SAML provider in AWS
Use AWS Cognito to manage the user profiles
Use AWS Cognito to manage the user profiles
Use IAM users to manage the user profiles
Use IAM users to manage the user profiles
Suggested answer: B

Explanation:

The AWS Documentation mentions the following

The AWS Documentation mentions the following

OIDC identity providers are entities in IAM that describe an identity provider (IdP) service that supports the OpenID Connect (OIDC) standard. You use an OIDC identity provider when you want to establish trust between an OlDC-compatible IdP—such as Google, Salesforce, and many others—and your AWS account This is useful if you are creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities Option A is invalid because in the security groups you would not mention this information/ Option C is invalid because SAML is used for federated authentication Option D is invalid because you need to use the OIDC identity provider in AWS For more information on ODIC identity providers, please refer to the below Link:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id roles providers create oidc.htmllThe correct answer is: Create an OIDC identity provider in AWS

asked 16/09/2024
Johnny Tien
47 questions

Question 400

Report
Export
Collapse

Your company is planning on developing an application in AWS. This is a web based application. The application user will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.

Please select:

Create an OlDC identity provider in AWS
Create an OlDC identity provider in AWS
Create a SAML provider in AWS
Create a SAML provider in AWS
Use AWS Cognito to manage the user profiles
Use AWS Cognito to manage the user profiles
Use IAM users to manage the user profiles
Use IAM users to manage the user profiles
Suggested answer: C

Explanation:

The AWS Documentation mentions the following

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Facebook or Amazon, and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. User pools provide:

Sign-up and sign-in services.

A built-in, customizable web Ul to sign in users.

Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool. User directory management and user profiles.

Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification. Customized workflows and user migration through AWS Lambda triggers.

Options A and B are invalid because these are not used to manage users Option D is invalid because this would be a maintenance overhead For more information on Cognito User Identity pools, please refer to the below Link:

https://docs.aws.amazon.com/coenito/latest/developerguide/cognito-user-identity-pools.htmlThe correct answer is: Use AWS Cognito to manage the user profiles Submit your Feedback/Queriesto our Experts

asked 16/09/2024
Alexander Ferrer
46 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?