ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 23

List of questions

Question 221

Report
Export
Collapse

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What should the Security Engineer do to provide the highest level of security for the account?

Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
Create a new IAM user that has administrator permissions in the AWS account. Enable multifactor authentication for the AWS account root user.
Create a new IAM user that has administrator permissions in the AWS account. Enable multifactor authentication for the AWS account root user.
Suggested answer: D

Explanation:

If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.

asked 16/09/2024
Farshin Golpad
38 questions

Question 222

Report
Export
Collapse

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Create a custom authorization service using AWS Lambda.
Create a custom authorization service using AWS Lambda.
Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
Configure an Amazon Cognito identity pool to integrate with social login providers.
Configure an Amazon Cognito identity pool to integrate with social login providers.
Update DynamoDB to store the user email addresses and passwords.
Update DynamoDB to store the user email addresses and passwords.
Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Suggested answer: B, D, E
asked 16/09/2024
Yannik Huith blu Systems GmbH
31 questions

Question 223

Report
Export
Collapse

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3.Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3.Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
Configure automatic rotation of credentials in AWS Secrets Manager.
Configure automatic rotation of credentials in AWS Secrets Manager.
Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store.Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store.Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Suggested answer: C, E
asked 16/09/2024
Website Subscription
37 questions

Question 224

Report
Export
Collapse

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

What should the Security Engineer use to accomplish this?

Server-side encryption with Amazon S3-managed keys (SSE-S3)
Server-side encryption with Amazon S3-managed keys (SSE-S3)
Server-side encryption with AWS KMS-managed keys (SSE-KMS)
Server-side encryption with AWS KMS-managed keys (SSE-KMS)
Server-side encryption with customer-provided keys (SSE-C)
Server-side encryption with customer-provided keys (SSE-C)
Client-side encryption with an AWS KMS-managed CMK
Client-side encryption with an AWS KMS-managed CMK
Suggested answer: B

Explanation:

Reference https://aws.amazon.com/s3/faqs/

asked 16/09/2024
Arun Pandian
40 questions

Question 225

Report
Export
Collapse

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product. Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

Ensure that the log file integrity validation mechanism is enabled.
Ensure that the log file integrity validation mechanism is enabled.
Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.
Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.
Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
Suggested answer: A, D
asked 16/09/2024
Anthony Agbale
46 questions

Question 226

Report
Export
Collapse

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer

(ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The datamust always be encrypted in transit. The Security Engineer is worried about potential key exposuredue to vulnerabilities in the application software.

Which approach will meet these requirements while protecting the external certificate during a breach?

Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
Suggested answer: C
asked 16/09/2024
Mariusz Szczubelek
35 questions

Question 227

Report
Export
Collapse

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

Amazon S3 static web hosting
Amazon S3 static web hosting
Amazon CloudFront distribution
Amazon CloudFront distribution
Application Load Balancer
Application Load Balancer
Amazon Route 53
Amazon Route 53
VPC Flow Logs
VPC Flow Logs
Suggested answer: B, C

Explanation:

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to.

asked 16/09/2024
Carsten Recker
29 questions

Question 228

Report
Export
Collapse

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

Amazon SCS-C01 image Question 228 7346 09162024005923000000

What should be done to enable the user to assume the appropriate role in the target account?

Amazon SCS-C01 image Question 228 7346 09162024005923000000

Amazon SCS-C01 image Question 228 7346 09162024005923000000

Option A
Option A
Option B
Option B
Option C
Option C
Option D
Option D
Suggested answer: A
asked 16/09/2024
Zaccheri Brown
34 questions

Question 229

Report
Export
Collapse

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.

What is the MOST efficient way to manage access control for the KMS CMK7?

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
Use delegated access across AWS accounts by using IAM roles to manage key access.Programmatically update the IAM trust policy to manage cross-account vendor access.
Use delegated access across AWS accounts by using IAM roles to manage key access.Programmatically update the IAM trust policy to manage cross-account vendor access.
Suggested answer: A
asked 16/09/2024
Beena Sagayaraj
42 questions

Question 230

Report
Export
Collapse

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints. Which combination of the following actions MOST satisfies this requirement? (Choose two.)

Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
Create a VPC endpoint for AWS KMS with private DNS enabled.
Create a VPC endpoint for AWS KMS with private DNS enabled.
Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
Suggested answer: A, C

Explanation:

An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:

"Condition": {

"StringNotEquals": {

"aws:sourceVpce": "vpce-0295a3caf8414c94a"

}

}

I f you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname

(Error! Hyperlink reference not valid.) resolves to your VPC endpoint.

asked 16/09/2024
Sam Krupesh
38 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?