ExamGecko

Amazon SCS-C02 Practice Test - Questions Answers, Page 3

List of questions

Question 21


You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?

Please select:

A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer
Suggested answer: A

Explanation:

Option A is correct. Amazon S3 server-side encryption (SSE) encrypts each object at rest, and using SSL/TLS on every hop (client to load balancer, and load balancer to back-end instance) encrypts the data in transit, so both halves of the policy are met.

Option B is incorrect because terminating SSL on the ELB decrypts the traffic at the load balancer; unless a back-end HTTPS listener is also configured, the hop from the ELB to the instances is plaintext, so this alone does not guarantee encryption in transit, and it does nothing for data at rest.

Options C and D are incorrect because neither encrypts anything: Proxy Protocol only carries the client's original IP address and port to the back end on a TCP listener, and sticky sessions only bind a client to a particular instance.

For more information on SSL Listeners for your load balancer, please visit the below URL:

http://docs.IAM.amazon.com/elasticloadbalancine/latest/classic/elb-https-load-balancers.htmll

The correct answer is: Use S3 SSE and use SSL for data in transit


asked 16/09/2024
Brian Kryszewski
33 questions

Question 22


There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?

Please select:

A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
C. Add a rule to all of the VPC Security Groups to deny access from the IP address block.
D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.
Suggested answer: B

Explanation:

A network ACL acts as a stateless firewall at the subnet level of the VPC and, unlike a security group, it supports explicit deny rules, so adding an inbound deny rule for the offending address block on the public subnets blocks the traffic before it reaches any instance. NACL rules are evaluated in ascending rule-number order and the first match wins, so give the deny rule a lower number than any rule that would allow traffic from that range (for example, deny at rule 10 when the allow-all rule is 100); a deny numbered above an overlapping allow never takes effect. Because the block is a single NACL edit per subnet, it is also easy to remove again after 24 hours.

Options A and D are invalid because they require changing every host or rebuilding every AMI, which is neither quick nor temporary, and they only cover Windows instances.

Option C is invalid because security groups are allow-only: they have no deny rules, so an address block cannot be explicitly blocked with a security group.

The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.


asked 16/09/2024
Beatriz Mejia
42 questions
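
As an added example (not part of the original question or its explanation), the following Python simulates how a network ACL picks the rule that applies, so the rule-number caveat above can be checked before the deny is deployed. The baseline rule and the 198.51.100.0/24 scanner block are constructed for illustration; the port-range and protocol handling is a simplified subset of the real NACL fields.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One inbound network ACL entry (a subset of the real rule fields)."""
    number: int            # rules are evaluated in ascending number order
    action: str            # "allow" or "deny" (NACLs, unlike security groups, have deny)
    cidr: str              # source CIDR for an inbound rule
    protocol: str = "-1"   # "-1" = all protocols, "6" = TCP, "17" = UDP
    ports: tuple = (0, 65535)


def evaluate(rules, src_ip, protocol="6", port=443):
    """Return (action, rule_number) of the first matching rule.

    Mirrors NACL semantics: the lowest-numbered matching rule wins, no later
    rule is consulted, and the catch-all "*" rule denies anything unmatched.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        low, high = rule.ports
        if not low <= port <= high:
            continue
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action, rule.number
    return "deny", "*"


def with_deny(rules, cidr, number):
    """Return a new rule list with an inbound deny for cidr at the given number."""
    return sorted(rules + [NaclRule(number, "deny", cidr)], key=lambda r: r.number)


def shadowing_allows(rules, deny_number, cidr):
    """Allow rules that would be matched before the deny for some address in cidr.

    If this list is non-empty the deny is ineffective for the overlapping
    addresses, because the lower-numbered allow wins.
    """
    blocked = ipaddress.ip_network(cidr)
    return [r.number for r in rules
            if r.action == "allow" and r.number < deny_number
            and ipaddress.ip_network(r.cidr).overlaps(blocked)]


# Constructed baseline: a rule 100 that allows all inbound traffic.
BASELINE = [NaclRule(100, "allow", "0.0.0.0/0")]
# Constructed offending block reported by the security team.
SCANNER_BLOCK = "198.51.100.0/24"

if __name__ == "__main__":
    good = with_deny(BASELINE, SCANNER_BLOCK, 10)
    bad = with_deny(BASELINE, SCANNER_BLOCK, 200)
    print("deny at 10 :", evaluate(good, "198.51.100.7"))   # ('deny', 10)
    print("deny at 200:", evaluate(bad, "198.51.100.7"))    # ('allow', 100), shadowed
    print("shadowed by:", shadowing_allows(bad, 200, SCANNER_BLOCK))  # [100]
```

Run `shadowing_allows` against the proposed rule number before saving the NACL change; an empty list means the deny will actually be hit for every address in the block. Remember that NACLs are stateless, so an inbound deny on its own is enough to drop the scans but does not require any matching outbound change.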

Question 23


A company has a set of EC2 Instances hosted in AWS. The EC2 Instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption
Suggested answer: B

Explanation:

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of the normal operation of the service and at no additional charge. However, that replication stays within a single Availability Zone, not across zones; therefore it is highly recommended that you take regular snapshots, which are stored in Amazon S3 for long-term durability and can be used to create a new volume in any Availability Zone in the Region.

Option A is invalid because there is no lifecycle policy for an EBS volume itself; Amazon Data Lifecycle Manager automates snapshot creation and retention, which is the mechanism of option B.

Option C is invalid because EBS does not offer cross-zone volume replication as a feature.

Option D is invalid because encryption protects confidentiality, not availability, so it does not ensure business continuity.

For information on security for Compute Resources, please visit the below URL: https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

asked 16/09/2024
Nour Algharbi
42 questions

Question 24


A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.

The application must:

* Include migration to a different AWS Region in the application disaster recovery plan.

* Provide a full audit trail of encryption key administration events.

* Allow only company administrators to administer keys.

* Protect data at rest using application layer encryption.

A Security Engineer is evaluating options for encryption key management.

Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
Suggested answer: B

Explanation:

AWS CloudHSM gives the company a dedicated, single-tenant, FIPS-validated HSM cluster in its own VPC. AWS provisions and monitors the hardware but has no access to the keys; only the company's own HSM users can create, manage and use key material, whether for symmetric (AES), asymmetric (RSA, EC), hashing (SHA-256, SHA-512), HMAC or digital signature operations. AWS KMS, on the other hand, is a multi-tenant managed service in which AWS owns and operates the HSMs that hold the key material, so the company does not have exclusive administrative control over the key infrastructure. That is what satisfies the "only company administrators" requirement.

The other options describe differences that do not exist. Both services record key administration in AWS CloudTrail, and CloudHSM additionally writes HSM audit logs to CloudWatch Logs, so logging is not the deciding factor (option A). Both use standard algorithms such as AES-256, so ciphertext from one is no harder to brute-force than from the other (option C). AWS KMS multi-Region keys replicate a key to another Region, and CloudHSM cluster backups can be copied to another Region, so option D is false.

asked 16/09/2024
cheitram patel
34 questions

Question 25


A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred.

What should the Security Engineer do to accomplish this?

A. Filter AWS CloudTrail logs for KeyRotation events
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events
Suggested answer: C

Explanation:

The aws kms get-key-rotation-status command, run with --key-id, returns a boolean that indicates whether automatic rotation of the KMS key (formerly called a customer master key, CMK) is enabled; for keys with rotation enabled, current versions of the API also return the rotation period and the next scheduled rotation date. Note that this reports rotation configuration rather than rotation history: each actual rotation is recorded by AWS KMS as a RotateKey event in AWS CloudTrail, and the newer aws kms list-key-rotations command lists completed rotations with their dates, so use one of those when proof of a past rotation is required. The other options, as written, are not valid ways to check the rotation status.

asked 16/09/2024
Kurt Woodfin
43 questions
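
As an added example (not from the original page), the Python below separates the rotation configuration that get-key-rotation-status reports from the evidence that a rotation actually took place, which CloudTrail records as a RotateKey event. The command output and the CloudTrail records are constructed: the field names follow the documented shapes, the key ID, ARN, dates and account number are invented.

```python
import json
from datetime import datetime, timedelta

# Constructed output of `aws kms get-key-rotation-status --key-id <key-id>`.
# It describes the rotation configuration, not the rotation history.
ROTATION_STATUS = json.loads("""
{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "KeyRotationEnabled": true,
  "RotationPeriodInDays": 365,
  "NextRotationDate": "2025-03-01T00:00:00+00:00"
}
""")

# Constructed CloudTrail records. AWS KMS writes a RotateKey event each time it
# rotates key material; only the fields this example reads are included.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-02-29T23:59:58Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T00:00:11Z", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey", "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T00:00:12Z", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey",
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/other-key"}]},
]


def parse_time(s):
    """CloudTrail timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def rotation_enabled(status):
    """What get-key-rotation-status actually tells you: the setting is on."""
    return bool(status.get("KeyRotationEnabled"))


def last_rotation(records, key_arn):
    """Most recent RotateKey event for the key, or None if none was logged."""
    times = [parse_time(r["eventTime"]) for r in records
             if r.get("eventSource") == "kms.amazonaws.com"
             and r.get("eventName") == "RotateKey"
             and any(res.get("ARN") == key_arn for res in r.get("resources", []))]
    return max(times) if times else None


def rotation_verified(status, records, key_arn, now, max_age_days=365):
    """Verified only if rotation is enabled AND a RotateKey event falls inside the window."""
    if not rotation_enabled(status):
        return False, "automatic rotation is not enabled"
    rotated = last_rotation(records, key_arn)
    if rotated is None:
        return False, "no RotateKey event found in CloudTrail"
    if now - rotated > timedelta(days=max_age_days):
        return False, f"last rotation {rotated.date()} is older than {max_age_days} days"
    return True, f"last rotated {rotated.isoformat()}"


if __name__ == "__main__":
    print(rotation_verified(ROTATION_STATUS, CLOUDTRAIL_RECORDS, KEY_ARN,
                            parse_time("2024-09-16T00:00:00Z")))
```

The two-part check is the point: a key can have rotation enabled and still have no rotation in the audit window (for example, a key created less than a year ago), and a RotateKey event without rotation enabled means someone rotated on demand rather than the automatic schedule doing it. For the regulator, the CloudTrail event or the list-key-rotations output is the artifact to keep.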

Question 26


A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs.

Which AWS services should be used to meet these requirements? (Select TWO)

A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR
Suggested answer: B, D

Explanation:

Amazon Kinesis and Amazon Elasticsearch together meet all three requirements. Amazon Kinesis Data Streams collects and processes streaming log data in real time and retains records (24 hours by default, extendable to 365 days), so consumers can re-read, that is replay, messages. Amazon Elasticsearch Service (now Amazon OpenSearch Service) persists and indexes the logs for search and analytics. The other options do not fit: Amazon Athena is a query service for data already stored in S3, Amazon SQS is a message queue whose messages are consumed once and deleted rather than replayed, and Amazon EMR is a big data platform for running Apache Spark and Hadoop clusters rather than a real-time logging pipeline.

asked 16/09/2024
Marcos Antonio Dantas
42 questions

Question 27


Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume
B. Configure an AWS Config rule to run on a recurring basis for volume encryption
C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule
D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume
Suggested answer: B

Explanation:

To support answer B, use the reference https://d1.IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf

'For example, AWS Config provides a managed AWS Config Rules to ensure that encryption is turned on for all EBS volumes in your account.'

The managed rule is encrypted-volumes. AWS Config evaluates every EBS volume attached to an EC2 instance in the account, whether it was created by CloudFormation, a third-party framework or by hand, and flags any volume that is not encrypted; the evaluation runs whenever a volume's configuration changes and can be re-run on demand, so drift on the legacy systems is caught without anyone remembering to look. Option A only constrains future create calls and reports nothing about existing volumes, Amazon Inspector assesses instances for software vulnerabilities rather than volume encryption, and CloudWatch Logs only contains what something writes to it.

asked 16/09/2024
Carol Phelps
35 questions

Question 28


A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all Regions when it opened the account.

Which of the following will allow the Security Engineer to complete the task?

A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.
Suggested answer: C

Explanation:

Amazon Athena lets you run standard SQL directly against the CloudTrail log files that the all-Region trail delivers to Amazon S3, so a single query can return every API call made with the exposed key across every Region for the 11-day window, including data events if the trail logs them. The CloudTrail console's event history (option A) covers management events only and shows one Region at a time, so it can miss activity. An IAM credential report (option B) records only when a key was last used, not each use, and Access Advisor (option D) shows only when each service was last accessed; neither gives the per-call detail needed to scope the exposure. Whatever the review finds, the exposed key should also be deactivated or deleted.

asked 16/09/2024
paloma giraudo
34 questions
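
As an added example (not part of the original page), the Python below does over a constructed CloudTrail log file what the Athena query would do over the S3 archive: pull every record made with the exposed key inside the 11-day window, across all Regions, and condense it for the incident report. The access key IDs are the placeholder values used in the AWS documentation and the records are invented; the Athena statement is included as a string for reference only and assumes a cloudtrail_logs table created per the AWS documentation.

```python
import json
from collections import Counter
from datetime import datetime

# Placeholder key ID from the AWS documentation; the records below are constructed.
EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"

# Athena equivalent (reference only, not executed here). Column names follow the
# CloudTrail table definition from the AWS documentation.
ATHENA_QUERY = """
SELECT eventtime, awsregion, eventsource, eventname, sourceipaddress, errorcode
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAIOSFODNN7EXAMPLE'
  AND eventtime >= '2024-09-05T00:00:00Z'
ORDER BY eventtime
"""

# Constructed log file in the shape CloudTrail delivers to S3 ({"Records": [...]}).
CONSTRUCTED_LOG = json.dumps({"Records": [
    {"eventTime": "2024-09-01T10:00:00Z", "awsRegion": "us-east-1",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2024-09-10T03:12:45Z", "awsRegion": "us-east-1",
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2024-09-10T03:13:02Z", "awsRegion": "eu-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.23", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2024-09-11T08:00:00Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2024-09-11T09:00:00Z", "awsRegion": "us-east-1",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "other", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]})


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def events_for_key(log_json, access_key, since):
    """Records made with access_key at or after `since`, oldest first, any Region."""
    records = json.loads(log_json)["Records"]
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key
            and parse_time(r["eventTime"]) >= since]
    return sorted(hits, key=lambda r: r["eventTime"])


def summarize(events):
    """Condense the hits into what the incident report needs."""
    return {
        "count": len(events),
        "first_seen": events[0]["eventTime"] if events else None,
        "last_seen": events[-1]["eventTime"] if events else None,
        "regions": sorted({e["awsRegion"] for e in events}),
        "source_ips": sorted({e["sourceIPAddress"] for e in events}),
        # service:Action pairs, e.g. iam:CreateUser, with counts
        "actions": Counter(f'{e["eventSource"].split(".")[0]}:{e["eventName"]}' for e in events),
        # denied calls still matter: they show what the holder tried to do
        "denied": [e["eventName"] for e in events if "errorCode" in e],
    }


if __name__ == "__main__":
    window_start = parse_time("2024-09-05T00:00:00Z")  # 11 days before 2024-09-16
    print(json.dumps(summarize(events_for_key(CONSTRUCTED_LOG, EXPOSED_KEY, window_start)),
                     indent=2))
```

The summary deliberately keeps failed calls: an AccessDenied on RunInstances in a Region the company never uses is often the clearest sign that the key was picked up by someone else, and the new source IP and the successful iam:CreateUser are what turn this from "a leaked key" into "a persistence foothold to clean up".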

Question 29


For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied

What would be the MOST efficient way to achieve these goals?

A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
D. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window
Suggested answer: B

Explanation:

AWS Systems Manager (formerly Amazon EC2 Systems Manager) is a service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems. Its Patch Manager component reports each instance's patch compliance against an approved patch baseline, and a Maintenance Window runs the patch install operation on a schedule, so one configuration both produces the weekly compliance report and enforces the 30-day limit. The other options are either inefficient or not feasible: Amazon Inspector reports vulnerabilities rather than compliance with an approved patch list, and redeploying instances after 30 days is heavy-handed (A); CloudTrail records API calls, not whether an instance has been patched or restarted (C); and rebuilding AMIs and redeploying every instance each cycle is far more work than patching in place (D).

asked 16/09/2024
Mathieu Alingum Nubee
39 questions
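
As an added example (not from the original page), the Python below turns a constructed subset of `aws ssm describe-instance-patch-states` output into the two things the question asks for: the weekly list of instances that are not at the approved patch level, and the list that has gone past the 30-day limit since their last patch operation. The field names are the real ones from that API; the instance IDs, counts and dates are invented.

```python
import json
from datetime import datetime, timedelta

# Constructed subset of `aws ssm describe-instance-patch-states --instance-ids ...`
# output. Field names are the API's; values are invented.
PATCH_STATES = json.loads("""
{"InstancePatchStates": [
  {"InstanceId": "i-0a1", "PatchGroup": "web", "MissingCount": 0, "FailedCount": 0,
   "InstalledCount": 142, "OperationEndTime": "2024-09-12T02:10:00+00:00"},
  {"InstanceId": "i-0b2", "PatchGroup": "web", "MissingCount": 3, "FailedCount": 0,
   "InstalledCount": 139, "OperationEndTime": "2024-09-14T02:05:00+00:00"},
  {"InstanceId": "i-0c3", "PatchGroup": "db",  "MissingCount": 0, "FailedCount": 1,
   "InstalledCount": 88,  "OperationEndTime": "2024-08-01T02:00:00+00:00"},
  {"InstanceId": "i-0d4", "PatchGroup": "db",  "MissingCount": 0, "FailedCount": 0,
   "InstalledCount": 90,  "OperationEndTime": "2024-07-10T02:00:00+00:00"}
]}
""")["InstancePatchStates"]


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def non_compliant(states):
    """Instances missing approved patches, or whose last install had failures."""
    return [s["InstanceId"] for s in states
            if s["MissingCount"] > 0 or s["FailedCount"] > 0]


def overdue(states, now, max_days=30):
    """Instances whose last patch operation finished more than max_days ago.

    This is the hard limit from the requirement: a system that has not been
    patched inside the window is flagged even if nothing is currently missing.
    """
    cutoff = now - timedelta(days=max_days)
    return [s["InstanceId"] for s in states
            if parse_time(s["OperationEndTime"]) < cutoff]


def weekly_report(states, now):
    """The report the compliance team receives each week."""
    by_group = {}
    for s in states:
        by_group.setdefault(s["PatchGroup"], []).append(s["InstanceId"])
    return {
        "total": len(states),
        "patch_groups": by_group,
        "non_compliant": non_compliant(states),
        "overdue": overdue(states, now),
    }


if __name__ == "__main__":
    print(json.dumps(weekly_report(PATCH_STATES, parse_time("2024-09-16T00:00:00Z")),
                     indent=2))
```

Patch Manager already keeps the compliance state; the value of a script like this is turning it into the two lists the auditor wants and feeding the overdue list to an out-of-cycle Maintenance Window rather than waiting for the next scheduled one.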

Question 30


A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on all EC2 instances that need to be monitored.

Which additional steps should the Security Engineer take to meet this requirement?

A. Configure the Amazon Inspector agent to use the CVE rule package
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from Amazon Inspector by writing a custom resource policy
C. Configure the Security Hub agent to use the CVE rule package. Configure Amazon Inspector to ingest from Security Hub by writing a custom resource policy
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub
Suggested answer: D

Explanation:

You need to configure the Amazon Inspector agent to use the Common Vulnerabilities and Exposures rules package, the set of rules that checks your EC2 instances for known CVEs. You also need to enable the integration that lets Amazon Inspector findings flow into Security Hub, which gives you a comprehensive view of your security state in AWS and checks your environment against security industry standards and best practices. The other options are either incorrect or incomplete: there is no Security Hub agent, and a resource policy is not how the integration is configured.

Note that this question describes Amazon Inspector Classic (an agent plus selectable rules packages). With the current Amazon Inspector there are no rules packages to choose; it scans for CVEs continuously and sends its findings to Security Hub automatically once the integration is enabled in Security Hub.

asked 16/09/2024
Venish Arumugam
35 questions
Total 372 questions