ExamGecko
Search Search Login
Home Home / Amazon / SCS-C01

Amazon SCS-C01 Practice Test - Questions Answers, Page 16

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A security engineer needs to configure monitoring and auditing for AWS Lambda. Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance. Connect feature. However, the security engineer receives an error (or failed host key validation. Before the rotation of the host keys EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A company’s information security team wants to analyze Amazon EC2 performance and utilization data in the near-real time for anomalies. A Sec Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in centralized location to perform the analysis. How should the Security Engineer do this? Log in to each account four te a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database. What should the company do to set up the snapshot in us-west-1 with proper encryption?
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)
A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker's IP address for future occurrences?
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A company has two AW5 accounts within AWS Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an AWS KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

Question 151

Report
Export
Collapse

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts. Which action should the Engineer take based on this situation? (Choose three.)

A.
Use AWS Artifact to capture an exact image of the state of each instance.
A.
Use AWS Artifact to capture an exact image of the state of each instance.
Answers
B.
Create EBS Snapshots of each of the volumes attached to the compromised instances.
B.
Create EBS Snapshots of each of the volumes attached to the compromised instances.
Answers
C.
Capture a memory dump.
C.
Capture a memory dump.
Answers
D.
Log in to each instance with administrative credentials to restart the instance.
D.
Log in to each instance with administrative credentials to restart the instance.
Answers
E.
Revoke all network ingress and egress except for to/from a forensics workstation.
E.
Revoke all network ingress and egress except for to/from a forensics workstation.
Answers
F.
Run Auto Recovery for Amazon EC2.
F.
Run Auto Recovery for Amazon EC2.
Answers
Suggested answer: B, E, F

Question 152

Report
Export
Collapse

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

Encryption in transit

Encryption at rest

Logging of all object retrievals in AWS CloudTrail

Which of the following meet these security requirements? (Choose three.)

A.
Specify “aws:SecureTransport”: “true” within a condition in the S3 bucket policy.
A.
Specify “aws:SecureTransport”: “true” within a condition in the S3 bucket policy.
Answers
B.
Enable a security group for the S3 bucket that allows port 443, but not port 80.
B.
Enable a security group for the S3 bucket that allows port 443, but not port 80.
Answers
C.
Set up default encryption for the S3 bucket.
C.
Set up default encryption for the S3 bucket.
Answers
D.
Enable Amazon CloudWatch Logs for the AWS account.
D.
Enable Amazon CloudWatch Logs for the AWS account.
Answers
E.
Enable API logging of data events for all S3 objects.
E.
Enable API logging of data events for all S3 objects.
Answers
F.
Enable S3 object versioning for the S3 bucket.
F.
Enable S3 object versioning for the S3 bucket.
Answers
Suggested answer: A, C, E

Question 153

Report
Export
Collapse

What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

A.
The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
A.
The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
Answers
B.
The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
B.
The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
Answers
C.
The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
C.
The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
Answers
D.
The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
D.
The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
Answers
Suggested answer: C

Question 154

Report
Export
Collapse


A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.

What does the statement allow?

A.
All principals from all AWS accounts to use the key.
A.
All principals from all AWS accounts to use the key.
Answers
B.
Only the root user from account 111122223333 to use the key.
B.
Only the root user from account 111122223333 to use the key.
Answers
C.
All principals from account 111122223333 to use the key but only on Amazon S3.
C.
All principals from account 111122223333 to use the key but only on Amazon S3.
Answers
D.
Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.
D.
Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.
Answers
Suggested answer: D

Question 155

Report
Export
Collapse

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected. What is the MOST efficient way to meet these requirements?

A.
Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
A.
Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
Answers
B.
Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
B.
Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
Answers
C.
Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
C.
Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
Answers
D.
Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
D.
Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
Answers
Suggested answer: D

Explanation:

https://aws.amazon.com/blogs/aws/cloudwatch-log-service/

Question 156

Report
Export
Collapse

A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards. Which of the following actions should the Engineer perform to get further guidance?

A.
Read the AWS Customer Agreement.
A.
Read the AWS Customer Agreement.
Answers
B.
Use AWS Artifact to access AWS compliance reports.
B.
Use AWS Artifact to access AWS compliance reports.
Answers
C.
Post the question on the AWS Discussion Forums.
C.
Post the question on the AWS Discussion Forums.
Answers
D.
Run AWS Config and evaluate the configuration outputs.
D.
Run AWS Config and evaluate the configuration outputs.
Answers
Suggested answer: B

Explanation:

https://aws.amazon.com/artifact/Third-party auditors assess the security and compliance of AWS Key Management Service as part ofmultiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPPA, and others. Thecompliance document is found in AWS Artifact.

Question 157

Report
Export
Collapse

An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

A.
Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
A.
Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
Answers
B.
Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
B.
Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
Answers
C.
Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
C.
Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
Answers
D.
Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
D.
Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
Answers
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-referencecw.html

Question 158

Report
Export
Collapse

A Developer’s laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.

How can the Security Engineer further protect currently running instances?

A.
Delete the key-pair key from the EC2 console, then create a new key pair.
A.
Delete the key-pair key from the EC2 console, then create a new key pair.
Answers
B.
Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
B.
Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
Answers
C.
Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
C.
Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
Answers
D.
Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.
D.
Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.
Answers
Suggested answer: C

Question 159

Report
Export
Collapse

An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.

How can the Application team’s requirements be met?

A.
Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
A.
Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
Answers
B.
Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
B.
Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
Answers
C.
Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
C.
Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
Answers
D.
Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
D.
Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
Answers
Suggested answer: A

Question 160

Report
Export
Collapse

An application outputs logs to a text file. The logs must be continuously monitored for security incidents. Which design will meet the requirements with MINIMUM effort?

A.
Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
A.
Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
Answers
B.
Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
B.
Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
Answers
C.
Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
C.
Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
Answers
D.
Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
D.
Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
Answers
Suggested answer: B

Explanation:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html

Total 590 questions
Go to page: of 59
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms