Amazon SCS-C01 Practice Test - Questions Answers, Page 12

An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:

• AWS IAM federated with on-premises Active Directory

• Amazon Cognito user pools for accessing an AWS Cloud application developed by the company

Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)

A. Update the password length policy in the on-premises Active Directory configuration.
B. Update the password length policy in the IAM configuration.
C. Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.
D. Update the password length policy in the Amazon Cognito configuration.
E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.
Suggested answer: A, D

A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company's AWS account. How should the company accomplish this with the least amount of administrative overhead?

A. Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails.
B. Use the event history feature of the CloudTrail console to query the CloudTrail trails.
C. Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.
D. Create an Amazon Athena table that looks at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.
Suggested answer: D

A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)

A. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.
B. Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret.
C. Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
D. Add the following statement to the container instance IAM role policy.
E. Add the following statement to the execution role policy.
F. Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.
Suggested answer: B, E, F

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

A. The ACL in the bucket needs to be updated.
B. The IAM policy does not allow the user to access the bucket.
C. It takes a few minutes for a bucket policy to take effect.
D. The allow permission is being overridden by the deny.
Suggested answer: D

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

A. The log files fail integrity validation and automatically are marked as unavailable.
B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
Suggested answer: B

Explanation:

Enabling server-side encryption encrypts the log files, but not the digest files, with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3). https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

A security engineer has noticed that VPC Flow Logs are recording a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.
Suggested answer: B

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times.

During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error: "Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared." Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE.)

A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
B. Allow forensics account principals to use the CMK by modifying its policy.
C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
D. Copy the EBS snapshot to the new decrypted snapshot.
E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
F. Share the target EBS snapshot with the forensics account.
Suggested answer: A, B, F

A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:

A security engineer needs to provide a solution that corrects the error and minimizes operational overhead. Which solution meets these requirements?

A. Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.
B. Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
C. Download the updated SAML metadata file from the identity service provider. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
D. Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.
Suggested answer: C

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties Which combination of actions will meet this requirement? (Select THREE.)

A. Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
B. Encrypt the data in Amazon S3 using server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
C. Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint.
D. Use the Amazon S3 Block Public Access feature.
E. Configure the bucket policy to allow access from the application instances only.
F. Use a NACL to filter traffic to Amazon S3.
Suggested answer: B, C, E

Topic 2, Exam Pool B

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within AWS?

A. Use the AWS CloudTrail console to search for user activity.
B. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
C. Use AWS Config to see what actions were taken by the user.
D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
Suggested answer: A

Explanation:

You can use CloudTrail to search event history for the last 90 days. You can use CloudWatch queries to search API history beyond the last 90 days. You can use Athena to query CloudTrail logs over the last 90 days. https://aws.amazon.com/premiumsupport/knowledge-center/view-iam-history/
