Amazon SCS-C01 Practice Test - Questions Answers, Page 23
Question 221
While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What should the Security Engineer do to provide the highest level of security for the account?
Explanation:
If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.
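The two root-user controls the explanation points at (MFA enabled, and no long-lived root access keys) are visible in the IAM credential report. The check below is an added example, not part of the exam page: SAMPLE_REPORT and HARDENED_REPORT are constructed CSV fragments in the layout `aws iam get-credential-report` returns (a subset of its columns), and nothing contacts AWS unless fetch_report_csv() is called explicitly.

```python
"""Check an IAM credential report for root-user MFA and active root access keys.

Added example, not from the exam page. SAMPLE_REPORT and HARDENED_REPORT are
constructed CSV fragments in the credential-report layout (subset of columns);
the offline part of the block needs no AWS SDK or credentials.
"""
import csv
import io
import time

ROOT_USER = "<root_account>"  # user name the report uses for the root identity

# Constructed sample: root has no MFA and still holds an active access key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T08:00:00+00:00,not_supported,false,true,2020-01-10T08:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-02T09:00:00+00:00,true,true,true,2024-01-01T10:00:00+00:00,false,N/A
"""

# Same account after remediation: MFA enabled, both root key slots empty.
HARDENED_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T08:00:00+00:00,not_supported,true,false,N/A,false,N/A
"""


def root_findings(report_csv: str) -> list[str]:
    """Return the root-user problems found in a report; empty list means compliant."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root user row missing from credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    for slot in (1, 2):
        if root[f"access_key_{slot}_active"] == "true":
            findings.append(f"root access key {slot} is active")
    return findings


def fetch_report_csv() -> str:
    """Fetch the live report with boto3 (needs credentials; not called in this block)."""
    import boto3  # imported lazily so the offline checks need no SDK installed

    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until the state is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_REPORT), ("hardened", HARDENED_REPORT)):
        print(name, root_findings(report) or ["OK"])
```

A real report carries more columns (password and certificate dates, last-used region and service); csv.DictReader keys rows by header, so those extra columns are simply ignored by the checks above.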
Question 222
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
Question 223
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
Question 224
A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.
What should the Security Engineer use to accomplish this?
Explanation:
Reference: https://aws.amazon.com/s3/faqs/
Question 225
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product. Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)
Question 226
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?
Question 227
Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)
Explanation:
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to.
Question 228
A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:
What should be done to enable the user to assume the appropriate role in the target account?
Question 229
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK?
Question 230
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints. Which combination of the following actions MOST satisfies this requirement? (Choose two.)
Explanation:
An IAM policy can deny access to KMS except through your VPC endpoint with a Deny statement carrying the following condition:

```json
"Condition": {
  "StringNotEquals": {
    "aws:sourceVpce": "vpce-0295a3caf8414c94a"
  }
}
```

Because StringNotEquals also matches when aws:sourceVpce is absent from the request context, this Deny blocks every KMS call that does not arrive through that endpoint, including calls over the public KMS endpoint and from the AWS Management Console; test it on a non-production principal before attaching it broadly. If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname (kms.<region>.amazonaws.com) resolves to your VPC endpoint, so existing SDK and CLI clients need no endpoint configuration change.
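The behaviour of that condition for different request paths is easy to get wrong, so here is an added example (not from the exam page) that models the two IAM evaluation rules at issue: a negated operator such as StringNotEquals matches when the value differs, and it also matches when the key is missing from the request context, whereas the StringNotEqualsIfExists variant does not. The endpoint ID is the one from the explanation; the second endpoint ID and the request contexts are constructed.

```python
"""Model how a Deny on aws:sourceVpce behaves for different paths to KMS.

Added example, not from the exam page. Only StringNotEquals and
StringNotEqualsIfExists are modelled, and only the rules that matter here:
the value differs -> match; key absent -> match for StringNotEquals, no
match for ...IfExists. The request contexts below are constructed.
"""
import json

OUR_ENDPOINT = "vpce-0295a3caf8414c94a"  # endpoint ID from the explanation


def make_deny(operator: str = "StringNotEquals") -> dict:
    """Full Deny statement wrapping the explanation's Condition block."""
    return {
        "Sid": "DenyKmsOutsideOurVpcEndpoint",
        "Effect": "Deny",
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {operator: {"aws:sourceVpce": OUR_ENDPOINT}},
    }


def negated_string_match(operator: str, expected: str, actual) -> bool:
    """Evaluate StringNotEquals / StringNotEqualsIfExists for one key and value."""
    if actual is None:  # key not present in the request context
        return not operator.endswith("IfExists")
    return actual != expected


def deny_applies(statement: dict, request_context: dict) -> bool:
    """True when every condition key in the Deny matches the request context.

    Assumes every operator in the statement is a negated string operator,
    which is all make_deny() produces.
    """
    for operator, pairs in statement["Condition"].items():
        for key, expected in pairs.items():
            if not negated_string_match(operator, expected, request_context.get(key)):
                return False
    return True


# Request contexts as IAM would see them (constructed).
REQUESTS = {
    "via_our_endpoint": {"aws:sourceVpce": OUR_ENDPOINT},
    "via_other_endpoint": {"aws:sourceVpce": "vpce-0123456789abcdef0"},
    # Public KMS endpoint or the console: no VPC endpoint key at all.
    "public_endpoint": {},
}


def evaluate(operator: str = "StringNotEquals") -> dict:
    """Map each request path to whether the Deny fires under `operator`."""
    stmt = make_deny(operator)
    return {name: deny_applies(stmt, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(make_deny(), indent=2))
    for op in ("StringNotEquals", "StringNotEqualsIfExists"):
        print(op, evaluate(op))
```

The public_endpoint row is the point of the exercise: with plain StringNotEquals the control holds, since any call that did not come through the named endpoint is denied (console use included, which is the side effect to plan for), whereas swapping in the IfExists form quietly lets public-endpoint traffic through and no longer satisfies the policy requirement.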