Amazon SCS-C01 Practice Test - Questions Answers, Page 19

A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:

- Content-Security-Policy

- X-Frame-Options

- X-XSS-Protection

The Engineer does not have access to the source code of the legacy web application.

Which of the following approaches would meet this requirement?

A. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
B. Implement an AWS Lambda@Edge origin response function that inserts the required headers.
C. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
D. Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

Suggested answer: B

During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs. Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)

A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
B. Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console.
C. Verify that the EC2 instances have a route to the public AWS API endpoints.
D. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
E. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

Suggested answer: A, C

Explanation:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP. What is the most efficient way to remediate the risk of this activity?

A. Delete the internet gateway associated with the VPC.
B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
C. Use a host-based firewall to prevent access from all but the organization’s firewall IP.
D. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.

Suggested answer: D

In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.

What must be done to prevent users from accessing the S3 objects directly by using URLs?

A. Change the S3 bucket/object permission so that only the bucket owner has access.
B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
C. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
D. Redirect S3 bucket access to the corresponding CloudFront distribution.

Suggested answer: B

Explanation:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS. Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three).

A. Create IAM roles with permissions corresponding to each Active Directory group.
B. Create IAM groups with permissions corresponding to each Active Directory group.
C. Create a SAML provider with IAM.
D. Create a SAML provider with Amazon Cloud Directory.
E. Configure AWS as a trusted relying party for the Active Directory.
F. Configure IAM as a trusted relying party for Amazon Cloud Directory.

Suggested answer: A, C, E

Explanation:

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes.

The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts. Which of the following troubleshooting steps should the Analyst perform?

A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account.
B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
C. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
D. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.

Suggested answer: B

Explanation:

Example CloudFormation metric filter for CloudTrail security group events (the log group name is left blank in the original):

MetricFilter:
  Type: 'AWS::Logs::MetricFilter'
  Properties:
    LogGroupName: ''
    FilterPattern: >-
      { ($.eventName = AuthorizeSecurityGroupIngress) ||
        ($.eventName = AuthorizeSecurityGroupEgress) ||
        ($.eventName = RevokeSecurityGroupIngress) ||
        ($.eventName = RevokeSecurityGroupEgress) ||
        ($.eventName = CreateSecurityGroup) ||
        ($.eventName = DeleteSecurityGroup) }
    MetricTransformations:
      - MetricValue: '1'
        MetricNamespace: CloudTrailMetrics
        MetricName: SecurityGroupEventCount

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks. Which of the following methods will ensure that the data is unreadable by anyone else?

A. Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.
B. Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.
C. Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.
D. Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.

Suggested answer: D

Explanation:

Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88 (“Guidelines for Media Sanitization”), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.

https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized AWS IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message. What does the Administrator need to change to grant access to the user?

A. Change the “Resource” from “arn:aws:s3:::Bucket” to “arn:aws:s3:::Bucket/*”.
B. Change the “Principal” from “*” to {“AWS”: “arn:aws:iam::account-number:user/username”}.
C. Change the “Version” from “2012-10-17” to the last revised date of the policy.
D. Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”].

Suggested answer: A

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data. Pattern:

"randomID_datestamp_PII.csv"

Example:

"1234567_12302017_000-00-0000.csv"

The bucket where these objects are being stored is using server-side encryption (SSE).

Which solution is the most secure and cost-effective option to protect the sensitive data?

A. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
B. Add an S3 bucket policy that denies the action s3:GetObject.
C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
D. Store all sensitive objects in Binary Large Objects (BLOBs) in an encrypted Amazon RDS instance.

Suggested answer: C

Explanation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html

https://aws.amazon.com/blogs/database/best-practices-for-securing-sensitive-data-in-aws-data-stores/

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

A. Verify that the S3 bucket policy allows CloudTrail to write objects.
B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
D. Verify that the S3 bucket defined in CloudTrail exists.
E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Suggested answer: B, D

Explanation:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
