ExamGecko
Search Search Login
Home Home / Amazon / SCS-C01

Amazon SCS-C01 Practice Test - Questions Answers, Page 13

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A security engineer needs to configure monitoring and auditing for AWS Lambda. Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance. Connect feature. However, the security engineer receives an error (or failed host key validation. Before the rotation of the host keys EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database. What should the company do to set up the snapshot in us-west-1 with proper encryption?
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)
A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker's IP address for future occurrences?
A company’s information security team wants to analyze Amazon EC2 performance and utilization data in the near-real time for anomalies. A Sec Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in centralized location to perform the analysis. How should the Security Engineer do this? Log in to each account four te a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
Your current setup in AWS consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup Please select:

Question 121

Report
Export
Collapse

The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vaultlock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault. What is the MOST cost-effective way to correct this?

A.
Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
A.
Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
Answers
B.
Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
B.
Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
Answers
C.
Update the policy, keeping the vault lock in place.
C.
Update the policy, keeping the vault lock in place.
Answers
D.
Update the policy and call initiate-vault-lock again to apply the new policy.
D.
Update the policy and call initiate-vault-lock again to apply the new policy.
Answers
Suggested answer: A

Explanation:

Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

Question 122

Report
Export
Collapse

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

A.
AWS IAM groups
A.
AWS IAM groups
Answers
B.
AWS IAM users
B.
AWS IAM users
Answers
C.
AWS IAM roles
C.
AWS IAM roles
Answers
D.
AWS IAM access keys
D.
AWS IAM access keys
Answers
Suggested answer: C

Explanation:

Prerequisites to establish Federation Services in AWS - You have a working AD directory and AD FS server. - You have created an identity provider (IdP) in your AWS account using your XML file from your AD FS server. Remember the name of your IdP because you will use it later in this solution. -You have created the appropriate IAM roles in your AWS account, which will be used for federated access. https://aws.amazon.com/blogs/security/how-to-establish-federated- access-to-your-awsresources- by-using-active-directory-user-attributes/

Question 123

Report
Export
Collapse

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)

A.
The external ID used by the Auditor is missing or incorrect.
A.
The external ID used by the Auditor is missing or incorrect.
Answers
B.
The Auditor is using the incorrect password.
B.
The Auditor is using the incorrect password.
Answers
C.
The Auditor has not been granted sts:AssumeRole for the role in the destination account.
C.
The Auditor has not been granted sts:AssumeRole for the role in the destination account.
Answers
D.
The Amazon EC2 role used by the Auditor must be set to the destination account role.
D.
The Amazon EC2 role used by the Auditor must be set to the destination account role.
Answers
E.
The secret key used by the Auditor is missing or incorrect.
E.
The secret key used by the Auditor is missing or incorrect.
Answers
F.
The role ARN used by the Auditor is missing or incorrect.
F.
The role ARN used by the Auditor is missing or incorrect.
Answers
Suggested answer: A, C, F

Explanation:

Using IAM to grant access to a Third-Party Account 1) Create a role to provide access to the require resources 1.1) Create a role policy that specifies the AWS Account ID to be accessed, "sts:AssumeRole" as action, and "sts:ExternalID" as condition 1.2) Create a role using the role policy just created 1.3) Assign a resouce policy to the role. This will provide permission to access resource ARNs to the auditor 2) Repeat steps 1 and 2 on all AWS accounts 3) The auditor connects to the AWS account AWS Security Token Service (STS). The auditor must provide its ExternalID from step 1.2, the ARN of the role he is trying to assume from step 1.3, sts:ExternalID 4) STS provide the auditor with temporary credentials that provides the role access from step 1

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-andamazon-cloudwatch-events/

Question 124

Report
Export
Collapse

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

A.
Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
A.
Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
Answers
B.
Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
B.
Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
Answers
C.
Create an HTTPS listener using an Application Load Balancer, and route all of the communicationthrough that load balancer.
C.
Create an HTTPS listener using an Application Load Balancer, and route all of the communicationthrough that load balancer.
Answers
D.
Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.
D.
Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.
Answers
Suggested answer: B

Explanation:

https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-yourcontainer-using-the-network-load-balancer-with-amazon-ecs/

Question 125

Report
Export
Collapse

A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.

How can the Administrator restrict usage of member root user accounts across the organization?

A.
Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
A.
Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
Answers
B.
Configure IAM user policies to restrict root account capabilities for each Organizations member account.
B.
Configure IAM user policies to restrict root account capabilities for each Organizations member account.
Answers
C.
Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
C.
Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
Answers
D.
Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
D.
Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
Answers
Suggested answer: C

Explanation:

Applying a "Control Policy" in your organization. A policy applied to: 1) root applies to all accounts in the organization 2) OU applies to all accounts in the OU and to any child OUs 3) account applies to one account only Note- this requires that Acquirements: -all features are enabled for the organization in AWS Organizations -Only service control policy (SCP) are supported https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

Question 126

Report
Export
Collapse

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.

The mail application should be configured to connect to which of the following endpoints and corresponding ports?

A.
email.us-east-1.amazonaws.com over port 8080
A.
email.us-east-1.amazonaws.com over port 8080
Answers
B.
email-pop3.us-east-1.amazonaws.com over port 995
B.
email-pop3.us-east-1.amazonaws.com over port 995
Answers
C.
email-smtp.us-east-1.amazonaws.com over port 587
C.
email-smtp.us-east-1.amazonaws.com over port 587
Answers
D.
email-imap.us-east-1.amazonaws.com over port 993
D.
email-imap.us-east-1.amazonaws.com over port 993
Answers
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html

Question 127

Report
Export
Collapse

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control. Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)

A.
Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
A.
Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
Answers
B.
Block outbound access to public S3 endpoints on the proxy server.
B.
Block outbound access to public S3 endpoints on the proxy server.
Answers
C.
Configure Network ACLs on Server X to deny access to S3 endpoints.
C.
Configure Network ACLs on Server X to deny access to S3 endpoints.
Answers
D.
Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
D.
Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
Answers
E.
Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
E.
Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
Answers
Suggested answer: A, B

Question 128

Report
Export
Collapse

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements:

Each object must be encrypted using a unique key.

Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.

AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

A.
Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
A.
Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
Answers
B.
Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
B.
Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
Answers
C.
Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
C.
Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
Answers
D.
Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
D.
Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Answers
Suggested answer: A

Explanation:

CMKs that are not eligible for automatic key rotation, including asymmetric CMKs, CMKs in custom key stores, and CMKs with imported key material.

Question 129

Report
Export
Collapse

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials. The credentials must be stored so that the EC2 instances and the Lambda functions can access them.

No other access is allowed. The access logs must record when the credentials were accessed and by whom. What should the Security Engineer do to meet these requirements?

A.
Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
A.
Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Answers
B.
Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
B.
Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
Answers
C.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
C.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
Answers
D.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
D.
Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Answers
Suggested answer: D

Question 130

Report
Export
Collapse

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year. What can be done to implement the above policy?

A.
Enable automatic key rotation annually for the CMK.
A.
Enable automatic key rotation annually for the CMK.
Answers
B.
Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
B.
Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
Answers
C.
Import new key material to the existing CMK and manually rotate the CMK.
C.
Import new key material to the existing CMK and manually rotate the CMK.
Answers
D.
Create a new CMK, import new key material to it, and point the key alias to the new CMK.
D.
Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Answers
Suggested answer: D

Explanation:

https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keysmanually"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a goodsolution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs incustom key stores and CMKs with imported key material. Because the new CMK is a differentresource from the current CMK, it has a different key ID and ARN. When you change CMKs, you needto update references to the CMK ID or ARN in your applications. Aliases, which associate a friendlyname with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then,when you want to change the CMK that the application uses, change the target CMK of the alias. Toupdate the target CMK of an alias, use UpdateAlias operation in the AWS KMS API. "

Total 590 questions
Go to page: of 59
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms