ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 14

List of questions

Question 131

Report
Export
Collapse

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials. An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

Use AWS Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an AWS KMS key.
Use AWS Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an AWS KMS key.
Use AWS Key Management System to store a master key, which is used to encrypt the credentials.The encrypted credentials are stored in an Amazon RDS instance.
Use AWS Key Management System to store a master key, which is used to encrypt the credentials.The encrypted credentials are stored in an Amazon RDS instance.
Use AWS Secrets Manager to store the credentials.
Use AWS Secrets Manager to store the credentials.
Store the credentials in a JSON file on Amazon S3 with server-side encryption.
Store the credentials in a JSON file on Amazon S3 with server-side encryption.
Suggested answer: A

Explanation:

https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advancedparameters.html

asked 16/09/2024
Tomasz Woloszczak
36 questions

Question 132

Report
Export
Collapse

An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.

Which steps should be taken to troubleshoot the issue? (Choose two.)

Use an EC2 run command to confirm that the “awslogs” service is running on all instances.
Use an EC2 run command to confirm that the “awslogs” service is running on all instances.
Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
Check that the trust relationship grants the service “cwlogs.amazonaws.com” permission to write objects to the Amazon S3 staging bucket.
Check that the trust relationship grants the service “cwlogs.amazonaws.com” permission to write objects to the Amazon S3 staging bucket.
Verify that the time zone on the application servers is in UTC.
Verify that the time zone on the application servers is in UTC.
Suggested answer: A, B

Explanation:

EC2 run command - can run scripts, install software, collect metrics and log files, manage patches and more. Bringing these two services together - can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.

asked 16/09/2024
ABDUL AZEEZ
36 questions

Question 133

Report
Export
Collapse

A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user’s IAM permissions in the case of a security incident. How can this be accomplished?

Use AWS Config to review the IAM policy assigned to users before and after the incident.
Use AWS Config to review the IAM policy assigned to users before and after the incident.
Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
Copy AWS CloudFormation templates to S3, and audit for changes from the template.
Copy AWS CloudFormation templates to S3, and audit for changes from the template.
Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
Suggested answer: A

Explanation:

https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resourceconfigurations-using-aws-config/

asked 16/09/2024
Karim Barakat
43 questions

Question 134

Report
Export
Collapse

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).

What mechanism will allow the company to implement all required network rules without incurring additional cost?

Configure AWS WAF rules to implement the required rules.
Configure AWS WAF rules to implement the required rules.
Use the operating system built-in, host-based firewall to implement the required rules.
Use the operating system built-in, host-based firewall to implement the required rules.
Use a NAT gateway to control ingress and egress according to the requirements.
Use a NAT gateway to control ingress and egress according to the requirements.
Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.
Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.
Suggested answer: B
asked 16/09/2024
Tomislav Bodrozic
37 questions

Question 135

Report
Export
Collapse

An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to “Pending”, but after a few seconds, it would switch back to “Stopped”.

An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances. The IAM user policy is as follows:

Amazon SCS-C01 image Question 135 7253 09162024005923000000

What additional items need to be added to the IAM user policy? (Choose two.)

kms:GenerateDataKey
kms:GenerateDataKey
kms:Decrypt
kms:Decrypt
kms:CreateGrant
kms:CreateGrant
“Condition”: {“Bool”: {“kms:ViaService”: “ec2.us-west-2.amazonaws.com”}}
“Condition”: {“Bool”: {“kms:ViaService”: “ec2.us-west-2.amazonaws.com”}}
“Condition”: {“Bool”: {“kms:GrantIsForAWSResource”: true}}
“Condition”: {“Bool”: {“kms:GrantIsForAWSResource”: true}}
Suggested answer: C, E

Explanation:

The EBS which is AWS resource service is encrypted with CMK and to allow EC2 to decrypt , the IAM user should create a grant ( action) and a boolean condition for the AWs resource . This link explains how AWS keys works. https:// docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

asked 16/09/2024
Ayanda Zwane
32 questions

Question 136

Report
Export
Collapse

A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:

Users may access the website by using an Amazon CloudFront distribution.

Users may not access the website directly by using an Amazon S3 URL.

Which configurations will support these requirements? (Choose two.)

Associate an origin access identity with the CloudFront distribution.
Associate an origin access identity with the CloudFront distribution.
Implement a “Principal”: “cloudfront.amazonaws.com” condition in the S3 bucket policy.
Implement a “Principal”: “cloudfront.amazonaws.com” condition in the S3 bucket policy.
Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.
Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.
Suggested answer: A, C
asked 16/09/2024
Loris Pastro
38 questions

Question 137

Report
Export
Collapse

A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days.

The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully. After several minutes, the Engineer finds that his Athena query has failed with the error message:

“Insufficient Permissions”. The IAM permissions of the Security Engineer and the Lambda function are shown below:

Security Engineer

Amazon SCS-C01 image Question 137 7255 09162024005923000000

Lambda function execution role

Amazon SCS-C01 image Question 137 7255 09162024005923000000

What is causing the error?

The Lambda function does not have permissions to start the Athena query execution.
The Lambda function does not have permissions to start the Athena query execution.
The Security Engineer does not have permissions to start the Athena query execution.
The Security Engineer does not have permissions to start the Athena query execution.
The Athena service does not support invocation through Lambda.
The Athena service does not support invocation through Lambda.
The Lambda function does not have permissions to access the CloudTrail S3 bucket.
The Lambda function does not have permissions to access the CloudTrail S3 bucket.
Suggested answer: D
asked 16/09/2024
Chien-Chung Chen
36 questions

Question 138

Report
Export
Collapse

A company requires that IP packet data be inspected for invalid or malicious content.

Which of the following approaches achieve this requirement? (Choose two.)

Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
Suggested answer: A, B

Explanation:

“EC2 Instance IDS/IPS solutions offer key features to help protect your EC2 instances. This includes alerting administrators of malicious activity and policy violations, as well as identifying and taking action against attacks. You can use AWS services and third party IDS/IPS solutions offered in AWS Marketplace to stay one step ahead of potential attackers.”

asked 16/09/2024
Cesar Castillo
43 questions

Question 139

Report
Export
Collapse

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

Which solution would remediate the audit finding while minimizing the effort required?

Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() serverside.
Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() serverside.
Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.
Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.
Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.
Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.
Suggested answer: C
asked 16/09/2024
David Brun
36 questions

Question 140

Report
Export
Collapse

Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.
Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.
Suggested answer: A

Explanation:

"automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it will not mitigate the effect of a compromised data key. You might decide to create a new CMK and use it in place of the original CMK. This has the same effect as rotating the key material in an existing CMK, so it's often thought of as manually rotating the key." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manuallyfor AWS standards

asked 16/09/2024
Chet Camlin
33 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?