ExamGecko

Amazon SCS-C01 Practice Test - Questions Answers, Page 41

List of questions

Question 401


Your company has many AWS accounts, all managed via AWS Organizations. One AWS account has an S3 bucket that holds critical data. How can we ensure that all the users in the AWS organization have access to this bucket?

Please select:

A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
B. Ensure the bucket policy has a condition which involves aws:AccountNumber
C. Ensure the bucket policy has a condition which involves aws:PrincipalID
D. Ensure the bucket policy has a condition which involves aws:OrgID
Suggested answer: A

Explanation:

The AWS documentation mentions the following:

AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization.

Options B, C and D are invalid because the condition in the bucket policy has to use aws:PrincipalOrgID. Note that the condition only narrows a Principal of "*"; it grants nothing by itself, and each principal in the other accounts still needs an identity-based policy that allows the S3 actions, because cross-account access requires both the bucket policy and the caller's own IAM policy to allow the request.

For more information on controlling access via Organizations, please refer to the link: https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrgID

asked 16/09/2024
Luigi Trigilio
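The policy shape the explanation refers to, as an added example that is not part of the original page: it builds the bucket policy with the aws:PrincipalOrgID condition and includes a small lint that flags Allow statements granting to Principal "*" without any organization, account or ARN scoping condition, which is the mistake that turns this pattern into a public bucket. The organization ID, bucket name and the list of scoping keys are assumptions for illustration.

```python
"""Org-scoped S3 bucket policy and a lint for unscoped wildcard principals."""
import json

# Constructed organization ID and bucket name for illustration only.
ORG_ID = "o-exampleorg1"
BUCKET = "critical-data-bucket"

# Condition keys that tie a Principal of "*" back to a trusted boundary
# (organization, account, caller ARN, or calling service). Compared
# case-insensitively, as IAM does. The set is an assumption for this lint.
SCOPING_KEYS = {k.lower() for k in (
    "aws:PrincipalOrgID", "aws:PrincipalOrgPaths", "aws:PrincipalAccount",
    "aws:PrincipalArn", "aws:SourceAccount", "aws:SourceArn",
)}


def org_scoped_bucket_policy(bucket: str, org_id: str) -> dict:
    """Allow every principal in the organization to read the bucket.
    Principal "*" alone would make the bucket public; the
    aws:PrincipalOrgID condition is what narrows it to the organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_unscoped_wildcard_statements(policy: dict) -> list:
    """Return the Sid (or index) of every Allow statement that grants to a
    wildcard principal without any scoping condition key."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement object is also legal
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            keys.update(k.lower() for k in operator_block)
        if not keys & SCOPING_KEYS:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    policy = org_scoped_bucket_policy(BUCKET, ORG_ID)
    print(json.dumps(policy, indent=2))
    print("unscoped wildcard statements:", find_unscoped_wildcard_statements(policy))
```

The lint is the same question IAM Access Analyzer asks of a resource policy: is there a wildcard principal whose reach is not bounded by a condition? Removing the Condition block from the policy above makes the lint report the AllowOrgRead statement.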

Question 402


Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket. How can this be achieved?

Please select:

A. Enable VPC flow logs to know the source IP addresses
B. Monitor the S3 API calls by using CloudTrail logging
C. Monitor the S3 API calls by using CloudWatch logging
D. Enable AWS Inspector for the S3 bucket
Suggested answer: B

Explanation:

The AWS documentation mentions the following:

Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.

Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on.

Options A, C and D are invalid: VPC Flow Logs only see traffic on network interfaces in your VPC and carry no identity, CloudWatch does not record API calls by itself (it only receives the CloudTrail events you forward to it), and Amazon Inspector assesses EC2 instances for vulnerabilities rather than logging S3 requests. Note that bucket-level (management) calls such as PutBucketPolicy are logged by default, while object-level calls such as GetObject and PutObject are data events and appear only if S3 data events are enabled on the trail.

For more information on CloudTrail logging, please refer to the link: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

The correct answer is: Monitor the S3 API calls by using CloudTrail logging

asked 16/09/2024
Corey Workman
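An added example, not from the page: parsing CloudTrail records for S3 calls to answer the question's two points, who called and from which IP, and grouping callers by source address so a credential used from an unfamiliar address stands out. The records are constructed for the example; only the field names follow the CloudTrail record format.

```python
"""Pull who/what/where out of CloudTrail records for S3 API calls."""
import json
from collections import defaultdict

# Constructed CloudTrail records, not real log data. The field names
# (eventSource, eventName, sourceIPAddress, userIdentity, requestParameters)
# follow the CloudTrail record format; the IPs are documentation ranges.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-09-16T00:59:24Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q3/ledger.csv"}},
    {"eventTime": "2024-09-16T01:02:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci-runner"},
     "requestParameters": {"bucketName": "finance-reports", "AccessControlPolicy": {}}},
    {"eventTime": "2024-09-16T01:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}},
]})

# Bucket-level permission changes worth alerting on whoever makes them.
PERMISSION_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
                     "PutObjectAcl", "PutBucketPublicAccessBlock"}


def s3_events(trail_json: str) -> list:
    """Flatten the S3 records into time / caller / ip / action / bucket / key."""
    out = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        out.append({
            "time": rec.get("eventTime"),
            "caller": rec.get("userIdentity", {}).get("arn", "unknown"),
            "ip": rec.get("sourceIPAddress"),
            "action": rec.get("eventName"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
        })
    return out


def by_source_ip(events: list) -> dict:
    """Callers seen from each source IP."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["caller"])
    return {ip: sorted(callers) for ip, callers in seen.items()}


def permission_changes(events: list) -> list:
    """Events that altered bucket or object permissions."""
    return [e for e in events if e["action"] in PERMISSION_EVENTS]


if __name__ == "__main__":
    ev = s3_events(SAMPLE_TRAIL)
    for e in ev:
        print(f'{e["time"]} {e["ip"]:<15} {e["caller"]} {e["action"]} s3://{e["bucket"]}/{e["key"] or ""}')
    print(by_source_ip(ev))
```

The GetObject record above only exists in a real trail if S3 data events are enabled; with management events alone, the parser would see just the PutBucketAcl call.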

Question 403


Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?

Please select:

A. Create individual IAM users
B. Configure MFA on the root account and for privileged IAM users
C. Assign IAM users and groups configured with policies granting least privilege access
D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
Suggested answer: A, B, C

Explanation:

When you open the IAM console dashboard, the security status section lists the best practices that make up the first level of account security.

[Image: IAM dashboard security status checklist]

Option D is invalid because, as per the dashboard, this is not part of the security recommendations: the guidance is to rotate credentials regularly, not to issue every user a password, an access key pair and an X.509 certificate. For more information on security best practices, please visit the URL: https://aws.amazon.com/whitepapers/aws-security-best-practices/

The correct answers are: Create individual IAM users; Configure MFA on the root account and for privileged IAM users; Assign IAM users and groups configured with policies granting least privilege access

asked 16/09/2024
Koen Poos

Question 404


Your team is experimenting with the API Gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization of calls made to API Gateway. How can this be achieved?

Please select:

A. Use the request parameters for authorization
B. Use a Lambda authorizer
C. Use the gateway authorizer
D. Use CORS on the API gateway
Suggested answer: B

Explanation:

The AWS documentation mentions the following:

An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use the information in headers, paths, query strings, stage variables, or context variables (the request-parameter based authorizer type).

Options A, C and D are invalid because none of them runs your own authentication/authorization code: request parameters on their own only carry inputs, there is no "gateway authorizer" feature, and CORS controls which browser origins may call the API rather than who is authorized. For more information on the API Gateway Lambda authorizer please visit the URL: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

The correct answer is: Use a Lambda authorizer

asked 16/09/2024
Bogdan Paun
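An added example of a TOKEN-type Lambda authorizer; it is not from the page or the AWS documentation. It validates an HMAC-signed bearer token (a hypothetical token format standing in for an IdP-issued JWT, with a hypothetical shared secret), enforces expiry and a per-verb scope check, and returns the IAM policy document API Gateway expects. The event shape (authorizationToken, methodArn) and the response shape (principalId, policyDocument, context) are the real ones.

```python
"""A TOKEN-type Lambda authorizer returning an IAM policy to API Gateway."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared secret for the demo tokens. A real authorizer would
# validate an IdP-issued JWT (or call a token introspection endpoint)
# instead of minting its own tokens.
SECRET = b"demo-authorizer-secret"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def mint_token(subject: str, scopes: list, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue body.signature where signature = HMAC-SHA256(SECRET, body)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return (body + b"." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    body, sep, sig = token.encode().partition(b".")
    if not sep:
        return None
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None


def iam_policy(principal_id: str, effect: str, method_arn: str, context: Optional[dict] = None) -> dict:
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        # context values must be scalars; the integration sees them as $context.authorizer.*
        "context": context or {},
    }


def lambda_handler(event: dict, context=None, now: Optional[int] = None) -> dict:
    """TOKEN authorizer: event carries authorizationToken and methodArn, which
    looks like arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/VERB/path."""
    method_arn = event["methodArn"]
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    claims = verify_token(token, now) if scheme.lower() == "bearer" else None
    if claims is None:
        return iam_policy("anonymous", "Deny", method_arn)
    verb = method_arn.split("/")[2] if method_arn.count("/") >= 2 else "GET"
    # Reads need any valid token; writes need the "write" scope.
    if verb != "GET" and "write" not in claims.get("scopes", []):
        return iam_policy(claims["sub"], "Deny", method_arn)
    return iam_policy(claims["sub"], "Allow", method_arn,
                      {"sub": claims["sub"], "scopes": ",".join(claims.get("scopes", []))})


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:111122223333:abc123/prod/POST/orders"
    tok = mint_token("alice", ["read", "write"])
    print(json.dumps(lambda_handler({"type": "TOKEN", "authorizationToken": "Bearer " + tok,
                                     "methodArn": arn}), indent=2))
```

API Gateway caches the returned policy per token for authorizerResultTtlInSeconds, so an Allow is reused for that token until the TTL passes; keep the TTL short, or set it to 0, if revocation has to take effect immediately.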

Question 405


A company has set up EC2 instances on the AWS Cloud. There is a need to see all the IP addresses which are accessing the EC2 instances. Which service can help achieve this?

Please select:

A. Use the AWS Inspector service
B. Use AWS VPC Flow Logs
C. Use Network ACLs
D. Use Security Groups
Suggested answer: B

Explanation:

The AWS documentation mentions the following:

A flow log record represents a network flow in your flow log. Each record captures the network flow for a specific 5-tuple, for a specific capture window. A 5-tuple is a set of five different values that specify the source, destination, and protocol for an internet protocol (IP) flow.

Options A, C and D are invalid because these services/tools cannot be used to list the IP addresses which are accessing the EC2 instances: Amazon Inspector assesses vulnerabilities, and network ACLs and security groups filter traffic but produce no log of it. Flow logs can be enabled on a VPC, a subnet or a single network interface; they record addresses, ports, protocol, packet and byte counts and the ACCEPT/REJECT decision, not packet contents. For more information on VPC Flow Logs please visit the URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The correct answer is: Use AWS VPC Flow Logs

asked 16/09/2024
Musaddiq Shorunke

Question 406


You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?

Please select:

A. Generate pre-signed URLs for each user as they request access to protected S3 content
B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
D. Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user
Suggested answer: A

Explanation:

All objects and buckets are private by default. A pre-signed URL lets a user who has no AWS security credentials or permissions perform one operation on one specific object for a limited time. When you create a pre-signed URL, you sign it with your own security credentials and specify a bucket name, an object key, an HTTP method (GET here, to serve downloads; PUT for uploads) and an expiration date and time. The application authenticates the subscriber against the RDS database, then generates and returns the URL. Pre-signed URLs are valid only for the specified duration and carry the permissions of the identity that signed them, so that identity needs s3:GetObject on the content and nothing more.

Option B is invalid because IAM users are for your own administrators and workloads, not end customers, and the per-account IAM user quota (5,000) could not hold a subscriber base anyway.

Option C is invalid because subscribers have no AWS credentials that a bucket policy could reference.

Option D is invalid because a CloudFront origin access identity authenticates CloudFront to S3, not end users; it is used to serve private content via CloudFront together with CloudFront signed URLs or signed cookies. For more information on pre-signed URLs, please refer to the link: https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content

asked 16/09/2024
Nelson Mira

Question 407


A company is hosting sensitive data in an AWS S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below.

Please select:

A. Use AWS Config to monitor changes to the AWS bucket
B. Use AWS Lambda function to change the bucket policy
C. Use AWS Trusted Advisor API to monitor the changes to the AWS bucket
D. Use AWS Lambda function to change the bucket ACL
Suggested answer: A, D

Explanation:

One of the AWS blogs describes using AWS Config and Lambda to achieve this. Below is the diagram representation of this.

[Image: AWS Config rule invoking a Lambda function to remediate a public S3 bucket]

Option C is invalid because the Trusted Advisor API cannot be used to monitor changes to the bucket. Option B is less appropriate than Option D, for the reasons below.

1. If the object is in a bucket in which all the objects need to be private and the object is not private anymore, the Lambda function makes a PutObjectAcl call to S3 to make the object private. https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/

The following link also specifies: Create a new Lambda function to examine an Amazon S3 bucket's ACL and bucket policy. If the bucket ACL is found to allow public access, the Lambda function overwrites it to be private. If a bucket policy is found, the Lambda function creates an SNS message, puts the policy in the message body, and publishes it to the Amazon SNS topic we created. Bucket policies can be complex, and overwriting your policy may cause unexpected loss of access, so this Lambda function doesn't attempt to alter your policy in any way.

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing

Based on these facts, Option D is more appropriate than Option B. Today the preventive control is S3 Block Public Access at the account or bucket level, and the AWS Config managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited cover the detection side without a custom rule.

For more information on the implementation of this use case, please refer to the link above.

The correct answers are: Use AWS Config to monitor changes to the AWS bucket; Use AWS Lambda function to change the bucket ACL

asked 16/09/2024
Sukhpreet Sidhu
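The Lambda logic the blog describes, as an added example that is not the blog's or the page's code: detect grants to AllUsers or AuthenticatedUsers in a bucket ACL, reset the ACL to private, and only notify about a bucket policy rather than overwrite it. The S3 client is a fake that assumes the boto3 method names get_bucket_acl, put_bucket_acl and get_bucket_policy with their keyword arguments; the ACL and owner ID are constructed.

```python
"""Detect public bucket ACL grants and apply the remediation the AWS blog describes."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Constructed ACL in the shape get_bucket_acl returns; the second grant is the
# one a "public-read" canned ACL adds. The owner ID is a placeholder.
PUBLIC_READ_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


def public_grants(acl: dict) -> list:
    """[(group, permission)] for every grant to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return out


class FakeS3:
    """Stand-in for a boto3 S3 client (assumption: only these three calls are
    used, with the real boto3 method names and keyword arguments)."""

    def __init__(self, acl, policy=None):
        self.acl, self.policy, self.calls = acl, policy, []

    def get_bucket_acl(self, Bucket):
        return self.acl

    def put_bucket_acl(self, Bucket, ACL):
        # ACL="private" leaves only the owner's FULL_CONTROL grant.
        self.calls.append(("put_bucket_acl", Bucket, ACL))
        owner = self.acl["Owner"]
        self.acl = {"Owner": owner, "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]}, "Permission": "FULL_CONTROL"}]}

    def get_bucket_policy(self, Bucket):
        if self.policy is None:
            raise KeyError("NoSuchBucketPolicy")   # boto3 raises a ClientError with this code
        return {"Policy": json.dumps(self.policy)}


def remediate_bucket(s3, bucket: str, notify) -> list:
    """Reset a public ACL to private; for a bucket policy only notify, since
    overwriting a policy can remove access something depends on."""
    actions = []
    findings = public_grants(s3.get_bucket_acl(Bucket=bucket))
    if findings:
        s3.put_bucket_acl(Bucket=bucket, ACL="private")
        actions.append(("acl-reset", findings))
    try:
        policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except Exception:            # real code: catch ClientError, code NoSuchBucketPolicy
        policy = None
    if policy:
        notify(f"bucket {bucket} has a bucket policy; review it:\n{policy}")
        actions.append(("policy-notified", None))
    return actions


if __name__ == "__main__":
    s3 = FakeS3(PUBLIC_READ_ACL, policy={"Version": "2012-10-17", "Statement": []})
    print(remediate_bucket(s3, "sensitive-data", notify=print))
    print("public grants after remediation:", public_grants(s3.acl))
```

With a Config rule as the trigger the function receives the bucket name inside the Config event's configurationItem; the remediation itself is the part shown here.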

Question 408


You have a set of 100 EC2 instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.

Please select:

A. Ensure a NAT gateway is present to download the updates
B. Use Systems Manager to patch the instances
C. Ensure an internet gateway is present to download the updates
D. Use AWS Inspector to patch the updates
Suggested answer: A, B

Explanation:

Option C is invalid because the instances need to remain in the private subnet; an internet gateway only serves instances that have public IP addresses and a route to it.

Option D is invalid because Amazon Inspector can only report missing patches as findings; it does not install them. One of the AWS blogs describes how patching of Linux servers can be accomplished with Systems Manager Patch Manager (the AWS-RunPatchBaseline document, typically run from a maintenance window). Below is the diagram representation of the architecture setup.

[Image: patching architecture with Systems Manager, a NAT gateway and private-subnet instances]

Note that the SSM Agent on each instance must be able to reach the Systems Manager endpoints (ssm, ssmmessages and ec2messages); from a private subnet that is either through the NAT gateway or through VPC interface endpoints, and the package repositories themselves must be reachable the same way.

For more information on patching Linux workloads in AWS, please refer to the link: https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/

The correct answers are: Ensure a NAT gateway is present to download the updates; Use Systems Manager to patch the instances

asked 16/09/2024
Carlos Fonseca

Question 409


You have an EC2 instance with the following security configured:

a. ICMP inbound allowed on the security group
b. ICMP outbound not configured on the security group
c. ICMP inbound allowed on the network ACL
d. ICMP outbound denied on the network ACL

If flow logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.

Please select:

A. An ACCEPT record for the request based on the Security Group
B. An ACCEPT record for the request based on the NACL
C. A REJECT record for the response based on the Security Group
D. A REJECT record for the response based on the NACL
Suggested answer: A, B, D

Explanation:

This example is given in the AWS documentation as well:

For example, you use the ping command from your home computer (IP address 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:

An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance. A REJECT record for the response ping that the network ACL denied.

Only two records exist; options A and B describe the same ACCEPT record, seen from the security group and from the NACL respectively. Option C is invalid because the security group is stateful and does not reject the response, so no REJECT record is attributable to it. For more information on Flow Logs, please refer to the URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The correct answers are: An ACCEPT record for the request based on the Security Group; An ACCEPT record for the request based on the NACL; A REJECT record for the response based on the NACL

asked 16/09/2024
Andrej Mišura
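An added example serving both Question 405 (which IP addresses reach an instance) and this question (the ACCEPT/REJECT pair); it is not from the page. It parses default version-2 flow log records and runs over constructed lines modelled on the documentation's ping example, listing the source addresses that were ACCEPTed towards the instance and finding REJECT records that are the reverse of an ACCEPTed flow, the signature of a stateless NACL dropping return traffic that the stateful security group let through. The interface ID, account ID and the SSH and NODATA lines are constructed.

```python
"""Parse VPC Flow Log (default, version 2) records and pull out who reached an instance."""

# Default record format, 14 space-separated fields.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed records modelled on the ping example in the AWS flow-log docs
# (home computer 203.0.113.12, instance 172.31.16.139), plus an SSH connection
# and a NODATA record. Not captured from a real VPC.
SAMPLE_RECORDS = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.139 49761 22 6 20 4249 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """One dict per usable record; NODATA/SKIPDATA lines carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def sources_reaching(records: list, instance_ip: str) -> list:
    """Remote addresses whose traffic to instance_ip was ACCEPTed: the answer to
    'which IPs are accessing the instance'."""
    return sorted({r["srcaddr"] for r in records
                   if r["dstaddr"] == instance_ip and r["action"] == "ACCEPT"})


def rejected_responses(records: list) -> list:
    """REJECT records that are the reverse of an ACCEPTed flow, i.e. return traffic
    dropped by a stateless network ACL after the stateful security group admitted the request."""
    accepted = {(r["srcaddr"], r["dstaddr"], r["protocol"]) for r in records if r["action"] == "ACCEPT"}
    return [r for r in records
            if r["action"] == "REJECT" and (r["dstaddr"], r["srcaddr"], r["protocol"]) in accepted]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_RECORDS)
    print("sources reaching the instance:", sources_reaching(recs, "172.31.16.139"))
    for r in rejected_responses(recs):
        print("reply dropped by NACL:", r["srcaddr"], "->", r["dstaddr"], "protocol", r["protocol"])
```

Flow logs report the 5-tuple and a verdict per capture window, so the ICMP pair shows up as two records with protocol 1 and ports 0; the ACCEPT record is a single record regardless of how many controls allowed it, which is why options A and B above describe the same line.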

Question 410


Your company operates in the gaming domain and hosts several EC2 instances as game servers. The servers each experience user loads in the thousands. There is a concern about DDoS attacks on the EC2 instances, which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?

Please select:

A. Use VPC Flow Logs to monitor the VPC and then implement NACLs to mitigate attacks
B. Use AWS Shield Advanced to protect the EC2 instances
C. Use AWS Inspector to protect the EC2 instances
D. Use AWS Trusted Advisor to protect the EC2 instances
Suggested answer: B

Explanation:

Below is an excerpt from the AWS documentation on some of the use cases for AWS Shield.

[Image: AWS Shield use-case excerpt from the AWS documentation]

AWS Shield Advanced adds, on top of the always-on Shield Standard protection, tailored detection and mitigation for Elastic IP addresses attached to EC2 instances (as well as Elastic Load Balancing, CloudFront, Global Accelerator and Route 53), 24x7 access to the Shield Response Team, and cost protection against scaling charges caused by an attack, which is what keeps downtime to a minimum. Option A is manual and reactive, and Amazon Inspector (vulnerability assessment) and Trusted Advisor (best-practice checks) do not mitigate DDoS traffic.

The correct answer is: Use AWS Shield Advanced to protect the EC2 instances

asked 16/09/2024
Sandeep Ramakrishnan