ExamGecko
Login
Home / Amazon / SCS-C02 / List of questions
Ask Question

Amazon SCS-C02 Practice Test - Questions Answers, Page 3

List of questions

Question 21

Report
Export
Collapse

You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this.

Please select:

Use S3 SSE and use SSL for data in transit
Use S3 SSE and use SSL for data in transit
SSL termination on the ELB
SSL termination on the ELB
Enabling Proxy Protocol
Enabling Proxy Protocol
Enabling sticky sessions on your load balancer
Enabling sticky sessions on your load balancer
Suggested answer: A

Explanation:

By disabling SSL termination, you are leaving an unsecure connection from the ELB to the back end instances. Hence this means that part of the data transit is not being encrypted.

Option B is incorrect because this would not guarantee complete encryption of data in transit

Option C and D are incorrect because these would not guarantee encryption

For more information on SSL Listeners for your load balancer, please visit the below URL:

http://docs.IAM.amazon.com/elasticloadbalancine/latest/classic/elb-https-load-balancers.htmll

The correct answer is: Use S3 SSE and use SSL for data in transit

Submit your Feedback/Queries to our Experts

asked 16/09/2024
Brian Kryszewski
33 questions

Question 22

Report
Export
Collapse

There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.

Please select:

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.
Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.
Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
Add a rule to all of the VPC Security Groups to deny access from the IP Address block.
Add a rule to all of the VPC Security Groups to deny access from the IP Address block.
Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.
Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.
Suggested answer: B

Explanation:

NACL acts as a firewall at the subnet level of the VPC and we can deny the offending IP address block at the subnet level using NACL rules to block the incoming traffic to the VPC instances. Since NACL rules are applied as per the Rule numbers make sure that this rule number should take precedence over other rule numbers if there are any such rules that will allow traffic from these IP ranges. The lowest rule number has more precedence over a rule that has a higher number.

The IAM Documentation mentions the following as a best practices for IAM users

For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

Options C is invalid because these options are not available

Option D is invalid because there is not root access for users

For more information on IAM best practices, please visit the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/best-practices.html

The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

omit your Feedback/Queries to our Experts

asked 16/09/2024
Beatriz Mejia
42 questions

Question 23

Report
Export
Collapse

A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which is used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

Use lifecycle policies for the EBS volumes
Use lifecycle policies for the EBS volumes
Use EBS Snapshots
Use EBS Snapshots
Use EBS volume replication
Use EBS volume replication
Use EBS volume encryption
Use EBS volume encryption
Suggested answer: B

Explanation:

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability Option A is invalid because there is no lifecycle policy for EBS volumes Option C is invalid because there is no EBS volume replication Option D is invalid because EBS volume encryption will not ensure business continuity For information on security for Compute Resources, please visit the below URL: https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

asked 16/09/2024
Nour Algharbi
42 questions

Question 24

Report
Export
Collapse

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances . The application will store highly sensitive user data in Amazon RDS tables

The application must

* Include migration to a different IAM Region in the application disaster recovery plan.

* Provide a full audit trail of encryption key administration events

* Allow only company administrators to administer keys.

* Protect data at rest using application layer encryption

A Security Engineer is evaluating options for encryption key management

Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?

The key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS.
The key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS.
CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys
CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys
The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS
The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS
CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not
CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not
Suggested answer: B

Explanation:

CloudHSM allows full control of your keys such including Symmetric (AES), Asymmetric (RSA), Sha-256, SHA 512, Hash Based, Digital Signatures (RSA).On the other hand, AWS Key Management Service is a multi-tenant key storage that is owned and managed by AWS1.

asked 16/09/2024
cheitram patel
34 questions

Question 25

Report
Export
Collapse

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.

What should the Security Engineer do to accomplish this?

Filter IAM CloudTrail logs for KeyRotaton events
Filter IAM CloudTrail logs for KeyRotaton events
Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events
Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events
Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date
Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date
Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events
Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events
Suggested answer: C

Explanation:

theaws kms get-key-rotation-statuscommand returns a boolean value that indicates whether automatic rotation of the customer master key (CMK) is enabled1.This command also shows the date and time when the CMK was last rotated2. The other options are not valid ways to check the CMK rotation status.

asked 16/09/2024
Kurt Woodfin
43 questions

Question 26

Report
Export
Collapse

A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs.

Which IAM services should be used to meet these requirements? (Select TWO)

Amazon Athena
Amazon Athena
Amazon Kinesis
Amazon Kinesis
Amazon SQS
Amazon SQS
Amazon Elasticsearch
Amazon Elasticsearch
Amazon EMR
Amazon EMR
Suggested answer: B, D

Explanation:

Amazon Kinesis and Amazon Elasticsearch are both suitable for forensic-logging solutions.Amazon Kinesis can collect, process, and analyze streaming data in real time3. Amazon Elasticsearch can store, search, and analyze log data using the popular open-source tool Elasticsearch. The other options are not designed for forensic-logging purposes. Amazon Athena is a query service that can analyze data in S3, Amazon SQS is a message queue service that can decouple and scale microservices, and Amazon EMR is a big data platform that can run Apache Spark and Hadoop clusters.

asked 16/09/2024
Marcos Antonio Dantas
42 questions

Question 27

Report
Export
Collapse

Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
Configure an IAM Config rule lo run on a recurring basis 'or volume encryption
Configure an IAM Config rule lo run on a recurring basis 'or volume encryption
Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule
Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule
Use CloudWatch Logs to determine whether instances were created with an encrypted volume
Use CloudWatch Logs to determine whether instances were created with an encrypted volume
Suggested answer: B

Explanation:

To support answer B, use the reference https://d1.IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf

'For example, IAM Config provides a managed IAM Config Rules to ensure that encryption is turned on for all EBS volumes in your account.'

asked 16/09/2024
Carol Phelps
35 questions

Question 28

Report
Export
Collapse

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail m an regions when it opened the account

Which of the following will allow (he Security Engineer 10 complete the task?

Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.
Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.
Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.
Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.
Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.
Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.
Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.
Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.
Suggested answer: C

Explanation:

Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL1.You can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed access key and the date range2. The other options are not effective ways to review the use of the exposed access key.

asked 16/09/2024
paloma giraudo
34 questions

Question 29

Report
Export
Collapse

For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied

What would the MOST efficient way to achieve these goals?

Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window
Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window
Suggested answer: B

Explanation:

Amazon EC2 Systems Manager is a service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems3.You can use Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows4. The other options are either inefficient or not feasible for achieving the goals.

asked 16/09/2024
Mathieu Alingum Nubee
39 questions

Question 30

Report
Export
Collapse

A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances fix CVE in a single IAM account The Engineer has already enabled IAM Security Hub and Amazon Inspector m the IAM Management Console and has installed me Amazon Inspector agent on an EC2 instances that need to be monitored.

Which additional steps should the Security Engineer lake 10 meet this requirement?

Configure the Amazon inspector agent to use the CVE rule package
Configure the Amazon inspector agent to use the CVE rule package
Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy
Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy
Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy
Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy
Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub
Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub
Suggested answer: D

Explanation:

you need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilities and exposures on your EC2 instances5.You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security Hub6.Security Hub is a service that provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices7. The other options are either incorrect or incomplete for meeting the requirement.

asked 16/09/2024
Venish Arumugam
35 questions
Total 372 questions
Go to page: of 38
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user rst attempts to encrypt using the CMK Which solution should the c0mpany's security specialist recommend'?
An international company has established a new business entity in South Kore a. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years. A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company Is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS How should a security engineer implement this solution''
A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver. Which solution will meet these requirements?
A company that uses AWS Organizations is migrating workloads to AWS. The compa-nys application team determines that the workloads will use Amazon EC2 instanc-es, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements: * All EC2 instances must be launched from approved AWS accounts. * All DynamoDB tables must be provisioned with a standardized naming convention. * All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates. Which combination of steps should the application team take to meet these re-quirements? (Select TWO.)
An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects. Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?
A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet Of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy. Each EC2 instance is associated With an instance profile role that has a policy that explicitly allows the s3:GetObject action and the s3:PutObject action for only the required S3 buckets. The company learns that one or more of the EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the companys organization in AWS Organizations. A security engtneer must implement a solution to stop this exfiltration of data and to keep the EC2 processing job functional. Which solution will meet these requirements?
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)
A company uses AWS Organizations. The company wants to implement short-term cre-dentials for third-party AWS accounts to use to access accounts within the com-pany's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort. Which solution will meet these requirements?