ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 24

List of questions

Question 231

Report
Export
Collapse

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.
Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.
Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Suggested answer: B
asked 16/09/2024
souhaib chabchoub
37 questions

Question 232

Report
Export
Collapse

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions.

The environment has the following configuration:

The instance is allowed the kms:Decrypt action in its IAM role for all resources The AWS KMS CMK status is set to enabled The instance can communicate with the KMS API using a configured VPC endpoint What is causing the issue?

The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role
The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role
The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN
The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN
The kms:Encrypt permission is missing from the EC2 IAM role
The kms:Encrypt permission is missing from the EC2 IAM role
The KMS CMK key policy that enables IAM user permissions is missing
The KMS CMK key policy that enables IAM user permissions is missing
Suggested answer: D

Explanation:

In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to References:

asked 16/09/2024
Koh Renbin
35 questions

Question 233

Report
Export
Collapse

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy.

In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.

The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.

How can the Security Engineer address the issue?

Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
Use GuardDuty filters with auto archiving enabled to close the findings
Use GuardDuty filters with auto archiving enabled to close the findings
Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
Suggested answer: B

Explanation:

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region.

References:

asked 16/09/2024
Nisanka Mandara
30 questions

Question 234

Report
Export
Collapse

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

Use the AWS account root user access keys instead of the AWS Management Console
Use the AWS account root user access keys instead of the AWS Management Console
Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
Enable multi-factor authentication for the AWS account root user
Enable multi-factor authentication for the AWS account root user
Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
Do not create access keys for the AWS account root user; instead, create AWS IAM users
Do not create access keys for the AWS account root user; instead, create AWS IAM users
Suggested answer: C, E
asked 16/09/2024
Serhan Azdiken
37 questions

Question 235

Report
Export
Collapse

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department has a suspicion that a DDos attack is coming from a suspecting IP. How can you protect the subnets from this attack?

Please select:

Change the Inbound Security Groups to deny access from the suspecting IP
Change the Inbound Security Groups to deny access from the suspecting IP
Change the Outbound Security Groups to deny access from the suspecting IP
Change the Outbound Security Groups to deny access from the suspecting IP
Change the Inbound NACL to deny access from the suspecting IP
Change the Inbound NACL to deny access from the suspecting IP
Change the Outbound NACL to deny access from the suspecting IP
Change the Outbound NACL to deny access from the suspecting IP
Suggested answer: C

Explanation:

Option A and B are invalid because by default the Security Groups already block traffic. You can use NACL's as an additional security layer for the subnet to deny traffic. Option D is invalid since just changing the Inbound Rules is sufficient The AWS Documentation mentions the following A network access control list (ACLJ is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. The correct answer is: Change the Inbound NACL to deny access from the suspecting IP

asked 16/09/2024
Giorgio Bertocchi
39 questions

Question 236

Report
Export
Collapse

You are designing a custom IAM policy that would allow uses to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

Option D
Option D
Suggested answer: A

Explanation:

The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated. Option B and C are wrong since the aws:MultiFactorAuthPresent clause should be marked as true.

Here you are saying that onl if the user has been MFA activated, that means it is true, then allow access. Option D is invalid because the "boor clause is missing in the evaluation for the condition clause.

Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false." Here in this scenario the boot attribute in the condition element will return a value True for option A which will ensure that access is allowed on S3 resources.

For more information on an example on such a policy, please visit the following URL:

asked 16/09/2024
Scott Albee
34 questions

Question 237

Report
Export
Collapse

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l.amazonaws.com. You have some web pages that use Javascript that access resources in anotherbucket which has web site hosting also enabled. But when users access the web pages , they aregetting a blocked Javascript error. How can you rectify this? Please select:

Enable CORS for the bucket
Enable CORS for the bucket
Enable versioning for the bucket
Enable versioning for the bucket
Enable MFA for the bucket
Enable MFA for the bucket
Enable CRR for the bucket
Enable CRR for the bucket
Suggested answer: A

Explanation:

Your answer is incorrect

Answer-A

Such a scenario is also given in the AWS Documentation Cross-Origin Resource Sharing: Use-case Scenarios The following are example scenarios for using CORS:

• Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1 .amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1 .amazonaws.com.

• Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.

Option Bis invalid because versioning is only to create multiple versions of an object and can help in accidental deletion of objects Option C is invalid because this is used as an extra measure of caution for deletion of objects Option D is invalid because this is used for Cross region replication of objects For more information on Cross Origin Resource sharing, please visit the following URL • ittps://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html

The correct answer is: Enable CORS for the bucket

Submit your Feedback/Queries to our Experts

asked 16/09/2024
rafael Flores
52 questions

Question 238

Report
Export
Collapse

You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

Please select:

An AWS Managed Policy
An AWS Managed Policy
An Inline Policy
An Inline Policy
A Bucket Policy
A Bucket Policy
A bucket ACL
A bucket ACL
Suggested answer: B

Explanation:

The AWS Documentation gives an example on such a case

Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that if s applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for.

When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entit the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.

Option A is invalid because AWS Managed Polices are ok for a group of users, but for individual users, inline policies are better. Option C and D are invalid because they are specifically meant for access to S3 buckets For more information on policies, please visit the following URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access managed-vs-inlineThe correct answer is: An Inline Policy Submit your Feedback/Queries to our Experts

asked 16/09/2024
Chakravarthy Sankaranarayanan
34 questions

Question 239

Report
Export
Collapse

Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution Please select:

Create a Cloudwatch Events Rule s
Create a Cloudwatch Events Rule s
Create a Cloudwatch Logs Rule
Create a Cloudwatch Logs Rule
Use a Lambda function
Use a Lambda function
Use Cloudtrail API call
Use Cloudtrail API call
Suggested answer: A, C

Explanation:

Below is a snippet from the AWS blogs on a solution

Amazon SCS-C01 image Question 239 explanation 7357 09162024005923000000

Option B is invalid because you need to create a Cloudwatch Events Rule and there is such thing as a Cloudwatch Logs Rule Option D is invalid because Cloud Trail API calls can be recorded but cannot be used to send across notifications For more information on this blog article, please visit the following URL:

https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activityyThe correct answers are: Create a Cloudwatch Events Rule, Use a Lambda functionSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Sandor Alayon
27 questions

Question 240

Report
Export
Collapse

A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?

Please select:

Use KMS and the normal KMS encryption keys
Use KMS and the normal KMS encryption keys
Use KMS and use an external key material
Use KMS and use an external key material
Use S3 Server Side encryption
Use S3 Server Side encryption
Use Cloud HSM
Use Cloud HSM
Suggested answer: D

Explanation:

The AWS Documentation mentions the following

The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary.

CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are desigr and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you. Option A.B and Care invalid because in all of these cases, the management of the key will be with AWS. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with Cloud HSM

For more information on CloudHSM, please visit the following URL:

https://aws.amazon.com/cloudhsm/faq:

The correct answer is: Use Cloud HSM Submit your Feedback/Queries to our Experts

asked 16/09/2024
Arun Lailamony
38 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?