ExamGecko
Search Search Login
Home Home / Amazon / SCS-C01

Amazon SCS-C01 Practice Test - Questions Answers, Page 21

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A security engineer needs to configure monitoring and auditing for AWS Lambda. Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance. Connect feature. However, the security engineer receives an error (or failed host key validation. Before the rotation of the host keys EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A company has two AW5 accounts within AWS Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an AWS KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)
A company’s information security team wants to analyze Amazon EC2 performance and utilization data in the near-real time for anomalies. A Sec Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in centralized location to perform the analysis. How should the Security Engineer do this? Log in to each account four te a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database. What should the company do to set up the snapshot in us-west-1 with proper encryption?
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)
A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker's IP address for future occurrences?
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

Question 201

Report
Export
Collapse

A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can a Security Engineer securely set up the bastion host?

A.
Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
A.
Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
Answers
B.
Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
B.
Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
Answers
C.
Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
C.
Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
Answers
D.
Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
D.
Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
Answers
Suggested answer: A

Question 202

Report
Export
Collapse

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent setto the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)What mitigation can be applied to block attacks resulting from this bug while continuing to servicelegitimate requests?

A.
Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
A.
Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
Answers
B.
Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
B.
Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
Answers
C.
Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
C.
Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
Answers
D.
Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
D.
Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
Answers
Suggested answer: A

Explanation:

Since all the attack has http header- User-Agent set to string: Mozilla/5.0 (compatible; ExampleCorp;)it would be much more easier to block these attack by simply denying traffic with the header match . HTH ExampleGame/1.22; Mobile/1.0)

Question 203

Report
Export
Collapse

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?

A.
Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
A.
Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
Answers
B.
Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
B.
Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
Answers
C.
Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
C.
Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
Answers
D.
Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
D.
Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Answers
Suggested answer: A

Explanation:

By default, Private instance has a private IP address, but no public IP address. These instances can communicate with each other, but can't access the Internet. You can enable Internet access for an instance launched into a nondefault subnet by attaching an Internet gateway to its VPC (if its VPC is not a default VPC) and associating an Elastic IP address with the instance. Alternatively, to allow an instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound connections from the Internet, you can use a network address translation (NAT) instance. NAT maps multiple private IP addresses to a single public IP address. A NAT instance has an Elastic IP address and is connected to the Internet through an Internet gateway.You can connect an instance in a private subnet to the Internet through the NAT instance, which routes traffic from the instance to the Internet gateway, and routes any responses to the instance.

Question 204

Report
Export
Collapse

A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

A.
Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
A.
Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
Answers
B.
Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
B.
Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
Answers
C.
Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
C.
Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
Answers
D.
Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
D.
Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
Answers
Suggested answer: D

Explanation:

We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data. The Decrypt API returns the plaintext key from the encrypted key. https://docs.aws.amazon.com/sdkfornet/latest/apidocs/items/MKeyManagementServiceKeyManagementServiceGenerateDataKeyGenerateDataKeyRequestNET45.html

Question 205

Report
Export
Collapse

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. What techniques will limit lateral movement and allow evidence gathering?

A.
Remove the instance from the load balancer and terminate it.
A.
Remove the instance from the load balancer and terminate it.
Answers
B.
Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
B.
Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
Answers
C.
Reboot the instance and check for any Amazon CloudWatch alarms.
C.
Reboot the instance and check for any Amazon CloudWatch alarms.
Answers
D.
Stop the instance and make a snapshot of the root EBS volume.
D.
Stop the instance and make a snapshot of the root EBS volume.
Answers
Suggested answer: B

Explanation:

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

Question 206

Report
Export
Collapse

A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).

Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

A.
The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.
A.
The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.
Answers
B.
Newly created CMKs must have a key policy that allows the root principal to perform all actions.
B.
Newly created CMKs must have a key policy that allows the root principal to perform all actions.
Answers
C.
Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
C.
Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
Answers
D.
Newly created CMKs must mirror the IAM policy of the KMS key administrator.
D.
Newly created CMKs must mirror the IAM policy of the KMS key administrator.
Answers
Suggested answer: B

Explanation:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultallow-root-enable-iam

Question 207

Report
Export
Collapse

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)

A.
Detach the elastic network interface from the EC2 instance.
A.
Detach the elastic network interface from the EC2 instance.
Answers
B.
Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
B.
Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
Answers
C.
Disable any Amazon Route 53 health checks associated with the EC2 instance.
C.
Disable any Amazon Route 53 health checks associated with the EC2 instance.
Answers
D.
De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
D.
De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
Answers
E.
Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
E.
Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
Answers
F.
Add a rule to an AWS WAF to block access to the EC2 instance.
F.
Add a rule to an AWS WAF to block access to the EC2 instance.
Answers
Suggested answer: B, D, E

Explanation:

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

Question 208

Report
Export
Collapse


A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

A.
Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.
A.
Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.
Answers
B.
Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
B.
Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
Answers
C.
Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
C.
Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
Answers
D.
Use unique log file prefixes for trails in each AWS account.
D.
Use unique log file prefixes for trails in each AWS account.
Answers
E.
Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
E.
Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
Answers
F.
Enable encryption of the log files by using AWS Key Management Service
F.
Enable encryption of the log files by using AWS Key Management Service
Answers
Suggested answer: A, C, E

Explanation:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.htmlIf you have created an organization in AWS Organizations, you can create a trail that will log allevents for all AWS accounts in that organization. This is sometimes referred to as an organizationtrail. You can also choose to edit an existing trail in the master account and apply it to anorganization, making it an organization trail. Organization trails log events for the master account andall member accounts in the organization. For more information about AWS Organizations, seeOrganizations Terminology and Concepts. Note Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html Youmust be logged in with the master account for the organization in order to create an organizationtrail. You must also have sufficient permissions for the IAM user or role in the master account inorder to successfully create an organization trail. If you do not have sufficient permissions, you willnot see the option to apply a trail to an organization.

Question 209

Report
Export
Collapse

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.

Which solution meets these requirements?

A.
Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
A.
Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
Answers
B.
Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
B.
Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
Answers
C.
Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
C.
Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
Answers
D.
Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.
D.
Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.
Answers
Suggested answer: B

Explanation:

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html

Question 210

Report
Export
Collapse

An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:

Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes. The priorities are to reduce complexity and avoid potential for future security issues.

Which approach will meet these requirements and priorities?

A.
Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
A.
Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
Answers
B.
Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
B.
Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
Answers
C.
Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.
C.
Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.
Answers
D.
Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.
D.
Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.
Answers
Suggested answer: D

Explanation:

https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-basedaccess-control-2/

Total 590 questions
Go to page: of 59
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms