ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 10

List of questions

Question 91

Report
Export
Collapse

A Security Engineer is setting up a new AWS account. The Engineer has been asked to continuously monitor the company's AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks How can the Security Engineer accomplish this using AWS services?

Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled
Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
Enable AWS Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.
Enable AWS Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.
Suggested answer: A

Explanation:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-configresources.html

asked 16/09/2024
Demilson Mantegazine
37 questions

Question 92

Report
Export
Collapse

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager. Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
Import the certificate with a 4,096-bit RSA public key.
Import the certificate with a 4,096-bit RSA public key.
Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
Import the certificate in the us-east-1 (N. Virginia) Region.
Import the certificate in the us-east-1 (N. Virginia) Region.
Ensure that the certificate, private key, and certificate chain are PEM-encoded.
Ensure that the certificate, private key, and certificate chain are PEM-encoded.
Suggested answer: D, E
asked 16/09/2024
Jean Ducasse
40 questions

Question 93

Report
Export
Collapse

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.

A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
Enable Amazon GuardDuty in the security account. and join the production accounts as members.
Enable Amazon GuardDuty in the security account. and join the production accounts as members.
Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
Configure event notifications on S3 buckets for PUT; POST, and DELETE events.
Configure event notifications on S3 buckets for PUT; POST, and DELETE events.
Suggested answer: D, E, F
asked 16/09/2024
Alex Fill
30 questions

Question 94

Report
Export
Collapse

An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key. How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

Analyze AWS CloudTrail for activity.
Analyze AWS CloudTrail for activity.
Analyze Amazon CloudWatch Logs for activity.
Analyze Amazon CloudWatch Logs for activity.
Download and analyze the IAM Use report from AWS Trusted Advisor.
Download and analyze the IAM Use report from AWS Trusted Advisor.
Analyze the resource inventory in AWS Config for IAM user activity.
Analyze the resource inventory in AWS Config for IAM user activity.
Download and analyze a credential report from IAM.
Download and analyze a credential report from IAM.
Suggested answer: A, D

Explanation:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

asked 16/09/2024
Raza Todorovac
44 questions

Question 95

Report
Export
Collapse

A company’s security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website Which set or steps should the security engineer implement next?

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level
Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level
Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings
Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings
Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level
Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level
Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level
Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level
Suggested answer: A
asked 16/09/2024
SCOTTIE EASTER
40 questions

Question 96

Report
Export
Collapse

A convoys data lake uses Amazon S3 and Amazon Athen a. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3. Which solution meets these requirements?

Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK
Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK
Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3
Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3
Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM
Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM
Suggested answer: B
asked 16/09/2024
Glenn Abdoelkarim
36 questions

Question 97

Report
Export
Collapse

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a ODoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future What are some ways the Engineer could achieve this? (Select THREE )

Use AWS X-Ray to inspect the traffic going 10 the EC2 instances
Use AWS X-Ray to inspect the traffic going 10 the EC2 instances
Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution
Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution
Change the security group configuration to block the source of the attack traffic
Change the security group configuration to block the source of the attack traffic
Use AWS WAF security rules to inspect the inbound traffic
Use AWS WAF security rules to inspect the inbound traffic
Use Amazon inspector assessment templates to inspect the inbound traffic
Use Amazon inspector assessment templates to inspect the inbound traffic
Use Amazon Route 53 to distribute traffic
Use Amazon Route 53 to distribute traffic
Suggested answer: B, D, F
asked 16/09/2024
Tim Klein
37 questions

Question 98

Report
Export
Collapse

A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?

Create a new CMK. Download a new wrapping key and a new import token to import the original key material
Create a new CMK. Download a new wrapping key and a new import token to import the original key material
Create a new CMK Use the original wrapping key and import token to import the original key material.
Create a new CMK Use the original wrapping key and import token to import the original key material.
Download a new wrapping key and a new import token Import the original key material into the existing CMK.
Download a new wrapping key and a new import token Import the original key material into the existing CMK.
Use the original wrapping key and import token Import the original key material into the existing CMK
Use the original wrapping key and import token Import the original key material into the existing CMK
Suggested answer: C
asked 16/09/2024
Jason Potter
45 questions

Question 99

Report
Export
Collapse

A company is developing a new mobile app for social media sharing. The company's development team has decided to use Amazon S3 to store at media files generated by mobile app users The company wants to allow users to control whether their own tiles are public, private, of shared with other users in their social network what should the development team do to implement the type of access control with the LEAST administrative effort?

Use individual ACLs on each S3 object.
Use individual ACLs on each S3 object.
Use IAM groups tor sharing files between application social network users
Use IAM groups tor sharing files between application social network users
Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings
Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings
Generate presigned UPLs for each file access
Generate presigned UPLs for each file access
Suggested answer: A
asked 16/09/2024
EDDIE LIN
43 questions

Question 100

Report
Export
Collapse


A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

Amazon SCS-C01 image Question 100 7218 09162024005923000000

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate
Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate
Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.
Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.
Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.
Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.
Suggested answer: B
asked 16/09/2024
Carlo Hearne
44 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?