Quiz IT certification exam

Question 1

A company has several workloads running on AWS. Employees are required to authenticate using onpremises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance.

Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?

Accepted Answer

Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.

Answer

Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.

Answer

Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

Answer

Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Question 2

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary What solution should the Engineer use to implement the appropriate access restrictions for the application?

Accepted Answer

Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Answer

Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges.Associate the NACL to both the NLB and EC2 instances

Answer

Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.

Answer

Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB.Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.

Question 3

A company's Director of information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices. Which solution would meet these requirements?

Accepted Answer

in every AWS account, configure AWS Lambda to query me AWS Support API tor AWS Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.

Answer

Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings

Answer

Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS

Answer

Use AWS Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

Question 4

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?

Accepted Answer

Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys(SSE-KMS) to encrypt the data

Answer

Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.

Answer

Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.

Answer

Use the S3 encryption client to encrypt each file individually using S3-generated data keys

Question 5

A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its AWS accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.When coma nation of the following would satisfy these requirements? (Select TWO)

Accepted Answer

Use Amazon Cognito user pools for application authentication

Accepted Answer

Use AD Connector tor application authentication.

Answer

Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS

Answer

Establish network connectivity between on-premises and the user's VPC

Answer

Set up federated sign-in to AWS through ADFS and SAML.

Question 6

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.What can the Administrator do to protect against this potential attack?

Accepted Answer

Disable the EC2 instance metadata service.

Answer

Log all student SSH interactive session activity.

Answer

Implement ip tables-based restrictions on the instances.

Answer

Install the Amazon Inspector agent on the instances.

Question 7

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK 2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK What action should be performed to allow the ping to work?

Accepted Answer

In the VPC's NACL, allow outbound ICMP traffic.

Answer

In the security group of the EC2 instance, allow inbound ICMP traffic.

Answer

In the security group of the EC2 instance, allow outbound ICMP traffic.

Answer

In the VPC's NACL, allow inbound ICMP traffic.

Question 8

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7 All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53 Which solution will meet these requirements?

Accepted Answer

Use AWS Shield Advanced

Answer

Use AWS WAF with an upgrade to the AWS Business support plan

Answer

Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity

Answer

Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic

Question 9

A financial institution has the following security requirements:Cloud-based users must be contained in a separate authentication domain.Cloud-based users cannot access on-premises systems.As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.How would the organization manage its resources in the MOST secure manner? (Choose two.)

Accepted Answer

Configure an AWS Managed Microsoft AD to manage the cloud resources.

Accepted Answer

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

Answer

Configure an additional on-premises Active Directory service to manage the cloud resources.

Answer

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

Answer

Establish a two-way trust between the new and existing Active Directory services.

Question 10

A security engineer is asked to update an AW3 CoudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message. "There is a problem with the bucket policy'' What will enable the security engineer to saw the change?

Accepted Answer

Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

Answer

Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console

Answer

Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console

Answer

Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

Question 11

A Security Engineer is setting up a new AWS account. The Engineer has been asked to continuously monitor the company's AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks How can the Security Engineer accomplish this using AWS services?

Accepted Answer

Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled

Answer

Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings

Answer

Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.

Answer

Enable AWS Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.

Question 12

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager. Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

Accepted Answer

Import the certificate in the us-east-1 (N. Virginia) Region.

Accepted Answer

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Answer

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

Answer

Import the certificate with a 4,096-bit RSA public key.

Answer

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

Question 13

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)

Accepted Answer

Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.

Accepted Answer

Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

Accepted Answer

Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Answer

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

Answer

Enable Amazon GuardDuty in the security account. and join the production accounts as members.

Answer

Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

Question 14

An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key. How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

Accepted Answer

Analyze AWS CloudTrail for activity.

Accepted Answer

Analyze the resource inventory in AWS Config for IAM user activity.

Answer

Analyze Amazon CloudWatch Logs for activity.

Answer

Download and analyze the IAM Use report from AWS Trusted Advisor.

Answer

Download and analyze a credential report from IAM.

Question 15

A company’s security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website Which set or steps should the security engineer implement next?

Accepted Answer

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

Answer

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings

Answer

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level

Answer

Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Question 16

A convoys data lake uses Amazon S3 and Amazon Athen a. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3. Which solution meets these requirements?

Accepted Answer

Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3

Answer

Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK

Answer

Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM

Answer

Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM

Question 17

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a ODoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future What are some ways the Engineer could achieve this? (Select THREE )

Accepted Answer

Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution

Accepted Answer

Use AWS WAF security rules to inspect the inbound traffic

Accepted Answer

Use Amazon Route 53 to distribute traffic

Answer

Use AWS X-Ray to inspect the traffic going 10 the EC2 instances

Answer

Change the security group configuration to block the source of the attack traffic

Answer

Use Amazon inspector assessment templates to inspect the inbound traffic

Question 18

A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?

Accepted Answer

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

Answer

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

Answer

Create a new CMK Use the original wrapping key and import token to import the original key material.

Answer

Use the original wrapping key and import token Import the original key material into the existing CMK

Question 19

A company is developing a new mobile app for social media sharing. The company's development team has decided to use Amazon S3 to store at media files generated by mobile app users The company wants to allow users to control whether their own tiles are public, private, of shared with other users in their social network what should the development team do to implement the type of access control with the LEAST administrative effort?

Accepted Answer

Use individual ACLs on each S3 object.

Answer

Use IAM groups tor sharing files between application social network users

Answer

Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings

Answer

Generate presigned UPLs for each file access

Question 20

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?<img alt="Amazon SCS-C01 image Question 100 7218 09162024005923000000"   width="652" height="410" src="https://examgecko.com/getfile/01106f0a-098d-4502-af28-d6b781c35b49">

Accepted Answer

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

Answer

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

Answer

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

Answer

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Question 21

A security engineer need to ensure their company’s uses of AWS meets AWS security best practices.As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used. Which solution meets these requirements?

Accepted Answer

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

Answer

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

Answer

Set up a rule in AWS config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.

Answer

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Question 22

To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region. What policy should the Engineer implement? Amazon SCS-C01 image Question 102 7220 09162024005923000000

Amazon SCS-C01 image Question 102 7220 09162024005923000000

Accepted Answer

Option B

Answer

Option A

Answer

Option C

Answer

Option D

Question 23

A company is outsourcing its operational support 1o an external company. The company’s security officer must implement an access solution fen delegating operational support that minimizes overhead. Which approach should the security officer take to meet these requirements?

Accepted Answer

Federate AWS identity and Access Management (IAM) with the external company's identity provider Create an IAM role and attach a policy with the necessary permissions

Answer

implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management Allow the external company to federate through its identity provider

Answer

Create an IAM group for me external company Add a policy to the group that denies IAM modifications Securely provide the credentials to the eternal company.

Answer

Use AWS SSO with the external company's identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.

Question 24

A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2" 16 objects Any encryption key must be generated on a FlPS-validated hardware security module (HSM). The company is cost-conscious, as plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers When approach MOST efficiently meets the company's needs?

Accepted Answer

Use the AWS Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 3" 16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key Use data key caching with the Encryption SDk during the encryption process.

Answer

Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object

Answer

Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object Rotate the data key every 10 days or after 2" 16 objects have been Uploaded to Amazon 33

Answer

Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.

Question 25

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon POS cluster a recent report suggests this software platform is vulnerable to SQL injection attacks. with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The secure, engineer's solution involve the least amount of effort and maintain normal operations during implementation. What should the security engineer do to meet these requirements?

Accepted Answer

Create an Application Load Balancer with the existing EC2 instances as a target group Create an AWS WAF web ACL containing rules mat protect the application from this attach. then apply it to the ALB Test to ensure me vulnerability has been mitigated, then redirect thee Route 53 records to point to the ALB Update security groups on the EC 2 instances to prevent direct access from the internet

Answer

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to me distribution Test to ensure the vulnerability has mitigated, then redirect the Route 53 records to point to CloudFront

Answer

Obtain me latest source code for the platform and make ire necessary updates Test me updated code to ensure that the vulnerability has been irrigated, then deploy me patched version of the platform to the EC2 instances

Answer

Update the security group mat is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database Create an AWS WAF web ACL containing rules mat protect me application from this attack, men apply it to the EC2 instances Test to ensure me vulnerability has been mitigated. then restore the security group to me onginal setting

Question 26

A company is designing the securely architecture (or a global latency-sensitive web application it plans to deploy to AWS. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.Which solution meets these requirements?

Accepted Answer

Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.

Answer

Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.

Answer

Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

Answer

Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

Question 27

A security engineer is responsible for providing secure access to AWS resources for thousands of developer in a company’s corporate identity provider (idp). The developers access a set of AWS services from the corporate premises using IAM credential. Due to the velum of require for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developer are sharing their IAM credentials with others to avoid provisioning delays. The causes concern about overall security for the security engineer.Which actions will meet the program requirements that address security?

Accepted Answer

Create a federation between AWS and the existing corporate IdP Leverage IAM roles to provide federated access to AWS resources

Answer

Create an Amazon CloudWatch alarm for AWS CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer

Answer

Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all AWS services only if it originates from corporate premises.

Answer

Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Question 28

A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket example bucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access to each IAM user can access an assigned folder only.What should the Security Engineer do to achieve this?

Accepted Answer

Create a customer-managed CMK with a key policy granting “kms:Decrypt” based on the “${aws:username}” variable.

Answer

Use envelope encryption with the AWS-managed CMK aws/s3.

Answer

Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.

Answer

Change the applicable IAM policy to grant S3 access to “Resource”:“arn:aws:s3:::examplebucket/${aws:username}/*”

Question 29

A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?

Accepted Answer

Deny inbound access on port 22 at the security group attached to the instance Use AWS Systems Manager Session Manager tor shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging for Systems Manager sessions

Answer

Allow inbound access on port 22 at the security group attached to the instance Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging tor Systems Manager sessions

Answer

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on port 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Answer

Use Amazon S3 to securely store one Privacy Enhanced Mall Certificate (PEM fie) for each team or group Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on pod 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Question 30

An organization policy states that all encryption keys must be automatically rotated every 12 months. Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

Accepted Answer

Customer managed CMK with AWS generated key material

Answer

AWS managed Customer Master Key (CMK)

Answer

Customer managed CMK with imported key material

Answer

AWS managed data key

Question 31

An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:• AWS IAM federated with on-premises Active Directory• Amazon Cognito user pools to accessing an AWS Cloud application developed by the company Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

Accepted Answer

Update the password length policy In the on-premises Active Directory configuration.

Accepted Answer

Update the password length policy in the Amazon Cognito configuration.

Answer

Update the password length policy In the IAM configuration.

Answer

Enforce an IAM policy In Amazon Cognito and AWS IAM with a minimum password length condition.

Answer

Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.

Question 32

A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queues against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s AWS account. How should the company accomplish this with the least amount of administrative overhead?

Accepted Answer

Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

Answer

Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.

Answer

Use the events history/feature of the CloudTrail console to query the CloudTrail trails.

Answer

Write an AWS Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

Question 33

A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

Accepted Answer

Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret

Accepted Answer

Add the following statement to the execution role policy.

Accepted Answer

Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Answer

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

Answer

Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.

Answer

Add the following statement to the container instance IAM role policy

Question 34

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee Even after updating the policy the employee still receives an access denied message.What is the likely cause of this access denial?

Accepted Answer

The allow permission is being overridden by the deny.

Answer

The ACL in the bucket needs to be updated.

Answer

The IAM policy does not allow the user to access the bucket

Answer

It takes a few minutes for a bucket policy to take effect

Question 35

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

Accepted Answer

The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.

Answer

The log files fail integrity validation and automatically are marked as unavailable.

Answer

The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.

Answer

An IAM policy applicable to the Security Engineer’s IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Question 36

A security engineer has noticed that VPC Flow Logs are getting a lot REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised. What immediate action should the security engineer take?What immediate action should the security engineer take?

Accepted Answer

Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.

Answer

Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.

Answer

Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that AWS account Install the Amazon Inspector agent cm the suspicious EC 2 instance to perform a scan.

Answer

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Question 37

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times.During a security incident. EBS snapshots of suspicious instances are shared to a forensics account for analysis A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error "Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared. Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE )

Accepted Answer

Create a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

Accepted Answer

Allow forensics accounting principals to use the CMK by modifying its policy.

Accepted Answer

Share the target EBS snapshot with the forensics account.

Answer

Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

Answer

Copy the EBS snapshot to the new decrypted snapshot

Answer

Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

Question 38

A company uses a third-party identity provider and SAML-based SSO for its AWS accounts After the third-party identity provider renewed an expired signing certificate users saw the following message when trying to log in:<img alt="Amazon SCS-C01 image Question 118 7236 09162024005923000000"   width="1648" height="40" src="https://examgecko.com/getfile/ab68de90-8487-4512-851c-992ba1977ae2">A security engineer needs to provide a solution that corrects the error and minimizes operational overhead Which solution meets these requirements?

Accepted Answer

Download the updated SAML metadata tile from the identity service provider Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI

Answer

Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS identity and Access Management (IAM) by using the AWS Management Console

Answer

Sign the identity provider's metadata file with the new public key Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

Answer

Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

Question 39

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties Which combination of actions will meet this requirement? (Select THREE.)

Accepted Answer

Encrypt the data in Amazon S3 using server-side encryption with AWS KMS managed encryption keys (SSE-KMS)

Accepted Answer

Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint

Accepted Answer

Configure the bucket policy to allow access from the application instances only

Answer

Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)

Answer

Use the Amazon S3 Block Public Access feature.

Answer

Use a NACL to filter traffic to Amazon S3

Question 40

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within AWS?

Accepted Answer

Use the AWS CloudTrail console to search for user activity.

Answer

Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.

Answer

Use AWS Config to see what actions were taken by the user.

Answer

Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

Amazon SCS-C01 Practice Test 3

Amazon SCS-C01 Practice Tests