Amazon SCS-C01 Practice Test - Questions Answers, Page 41
List of questions
Question 401
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has a S3 bucket that has critical dat a. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:
Explanation:
The AWS Documentation mentions the following
AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource- based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrglD, in these policies to require all principals accessing the resource to be from an account in the organization Option B.C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrglD For more information on controlling access via Organizations, please refer to the below Link:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-usins-the-awsorganization-of-iam-principal ( The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrglD Submit your Feedback/Queries to our Experts
Question 402
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who make requests to the S3 bucket. How can this be achieved? Please select:
Explanation:
The AWS Documentation mentions the following
Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request when it was made, and so on Options A,C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets For more information on Cloudtrail logging, please refer to the below Link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logeins.htmllThe correct answer is: Monitor the S3 API calls by using Cloudtrail logging Submit yourFeedback/Queries to our Experts
Question 403
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing? Please select:
Explanation:
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.
Option D is invalid because as per the dashboard, this is not part of the security recommendation For more information on best security practices please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices;The correct answers are: Create individual IAM users, Configure MFA on the root account and forprivileged IAM users. Assign IAM users and groups configured with policies granting least privilegeaccessSubmit your Feedback/Queries to our Experts
Question 404
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved? Please select:
Explanation:
The AWS Documentation mentions the following
An Amazon API Gateway Lambda authorizer (formerly known as a custom authorize?) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters. Options A,C and D are invalid because these cannot be used if you need a custom authentication/authorization for calls made to the API gateway For more information on using the API gateway Lambda authorizer please visit the URL:
https://docs.aws.amazon.com/apisateway/latest/developerguide/apieateway-use-lambdaauthorizer.htmllThe correct answer is: Use a Lambda authorizerSubmit your Feedback/Queries to our Experts
Question 405
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
A company has set up EC2 instances on the AW5 Cloud. There is a need to see all the IP addresses which are accessing the EC2 Instances. Which service can help achieve this? Please select:
Explanation:
The AWS Documentation mentions the foil
A flow log record represents a network flow in your flow log. Each record captures the network flow for a specific 5-tuple, for a specific capture window. A 5-tuple is a set of five different values that specify the source, destination, and protocol for an internet protocol (IP) flow.
Options A,C and D are all invalid because these services/tools cannot be used to get the the IP addresses which are accessing the EC2 Instances For more information on VPC Flow Logs please visit the URL https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.htmlThe correct answer is: Use AWS VPC Flow Logs Submit vour Feedback/Queries to our Experts
Question 406
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?
Please select:
Explanation:
All objects and buckets by default are private. The pre-signed URLs are useful if you want your user/customer to be able upload a specific object to your bucket but you don't require them to have AWS security credentials or permissions. When you create a pre-signed URL, you must provide your security credentials, specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time. The pre-signed URLs are valid only for the specified duration.
Option B is invalid because this would be too difficult to implement at a user level.
Option C is invalid because this is not possible
Option D is invalid because this is used to serve private content via Cloudfront For more information on pre-signed urls, please refer to the Link: http://docs.aws.amazon.com/AmazonS3/latest/dev/PresienedUrlUploadObiect.htmll The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content Submit your Feedback/Queries to our Experts
Question 407
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
A company is hosting sensitive data in an AWS S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below Please select:
Explanation:
One of the AWS Blogs mentions the usage of AWS Config and Lambda to achieve this. Below is the diagram representation of this
Option C is invalid because the Trusted Advisor API cannot be used to monitor changes to the AWS Bucket Option B doesn't seems to be the most appropriate.
1. If the object is in a bucket in which all the objects need to be private and the object is not private anymore, the Lambda function makes a PutObjectAcI call to S3 to make the object private. |https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintendedpermissions-in-amazon-s3-bbiect-acls-with-cloudwatch-events/
The following link also specifies thatCreate a new Lambda function to examine an Amazon S3 buckets ACL and bucket policy. If the bucket ACL is found to al public access, the Lambda function overwrites it to be private. If a bucket policy is found, the Lambda function creatt an SNS message, puts the policy in the message body, and publishes it to the Amazon SNS topic we created. Bucket policies can be complex, and overwriting your policy may cause unexpected loss of access, so this Lambda function doesn't attempt to alter your policy in any way.
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-toamazon-s3-buckets-allowinj Based on these facts Option D seems to be more appropriate then Option B.
For more information on implementation of this use case, please refer to the Link:
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-toamazon-s3-buckets-allowinj The correct answers are: Use AWS Config to monitor changes to the AWS Bucket Use AWS Lambda function to change the bucket ACL
Question 408
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
You have a set of 100 EC2 Instances in an AWS account. You need to ensure that all of these instances are patched and kept to date. All of the instances are in a private subnet. How can you achieve this. Choose 2 answers from the options given below
Please select:
Explanation:
Option C is invalid because the instances need to remain in the private:
Option D is invalid because AWS inspector can only detect the patches One of the AWS Blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup
For more information on patching Linux workloads in AWS, please refer to the Lin.
https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-awsjThe correct answers are: Ensure a NAT gateway is present to download the updates. Use the SystemsManager to patch the instancesSubmit your Feedback/ Queries to our Experts
Question 409
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
You have an EC2 instance with the following security configured: a. ICMP inbound allowed on Security Group b. ICMP outbound not configured on Security Group c. ICMP inbound allowed on Network ACL d. ICMP outbound denied on Network ACL If Flow logs is enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options give below Please select:
Explanation:
This example is given in the AWS documentation as well
For example, you use the ping command from your home computer (IP address is 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance. A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present For more information on Flow Logs, please refer to the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-loes.html The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL Submit your Feedback/Queries to our Experts
Question 410
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your company looks at the gaming domain and hosts several Ec2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDos attacks on the EC2 Instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers. Please select:
Explanation:
Below is an excerpt from the AWS Documentation on some of the use cases for AWS Shield
Question