Amazon SCS-C01 Practice Test - Questions Answers, Page 24

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
D. Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Suggested answer: B

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions.

The environment has the following configuration:

• The instance is allowed the kms:Decrypt action in its IAM role for all resources
• The AWS KMS CMK status is set to enabled
• The instance can communicate with the KMS API using a configured VPC endpoint

What is causing the issue?

A. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
B. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
C. The kms:Encrypt permission is missing from the EC2 IAM role
D. The KMS CMK key policy that enables IAM user permissions is missing
Suggested answer: D

Explanation:

In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to. An IAM role's kms:Decrypt permission only takes effect on a CMK whose key policy contains the statement that enables IAM policies for the account; without that statement the request is denied even though the role's IAM policy allows the action.
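The key policy shape the suggested answer refers to, added here as an illustration (not text from the exam page or from AWS's own documentation; the account ID 111122223333 is a constructed placeholder). The "Enable IAM User Permissions" statement is what lets IAM policies in the account, such as the instance role's kms:Decrypt grant, apply to this CMK:

```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

If this statement is absent, only principals named directly in the key policy can use the key, which is the failure mode the question describes.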

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy.

In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.

The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.

How can the Security Engineer address the issue?

A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
C. Use GuardDuty filters with auto archiving enabled to close the findings
D. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
Suggested answer: B

Explanation:

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region.

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

A. Use the AWS account root user access keys instead of the AWS Management Console
B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
C. Enable multi-factor authentication for the AWS account root user
D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
E. Do not create access keys for the AWS account root user; instead, create AWS IAM users
Suggested answer: C, E

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department suspects that a DDoS attack is coming from a particular suspected IP. How can you protect the subnets from this attack?

A. Change the Inbound Security Groups to deny access from the suspected IP
B. Change the Outbound Security Groups to deny access from the suspected IP
C. Change the Inbound NACL to deny access from the suspected IP
D. Change the Outbound NACL to deny access from the suspected IP
Suggested answer: C

Explanation:

Options A and B are invalid: security groups only support allow rules, so they cannot be used to deny a specific source IP (by default they already block any traffic that is not explicitly allowed). You can use NACLs as an additional security layer for the subnet to deny traffic. Option D is invalid since changing the inbound rules is sufficient.

The AWS documentation mentions the following: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

The correct answer is: Change the Inbound NACL to deny access from the suspected IP

You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

A.
B.
C.
D. Option D
Suggested answer: A

Explanation:

The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated. Options B and C are wrong since the aws:MultiFactorAuthPresent key should be compared to true.

Here you are saying that only if the user has been MFA authenticated, that is, the key evaluates to true, then allow access. Option D is invalid because the "Bool" operator is missing from the evaluation in the Condition clause.

Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false". Here the Bool operator in the Condition element evaluates to true for option A, which ensures that access is allowed on the S3 resources.
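The options themselves are images that are not reproduced on this page, so the following is an added illustration of the policy shape the explanation describes (not one of the exam's own options). Using s3:ListAllMyBuckets as the "list buckets" action is an assumption:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucketsOnlyWithMFA",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

When the request is signed with long-term access keys the aws:MultiFactorAuthPresent key is absent from the request context, so the Bool test does not match and this Allow does not apply.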

For more information on an example on such a policy, please visit the following URL:

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-1.amazonaws.com. You have some web pages that use JavaScript to access resources in another bucket which also has website hosting enabled. But when users access the web pages, they are getting a blocked JavaScript error. How can you rectify this?

A. Enable CORS for the bucket
B. Enable versioning for the bucket
C. Enable MFA for the bucket
D. Enable CRR for the bucket
Suggested answer: A

Explanation:

Such a scenario is also given in the AWS Documentation Cross-Origin Resource Sharing: Use-case Scenarios The following are example scenarios for using CORS:

• Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.

• Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.

Option B is invalid because versioning only creates multiple versions of an object and can help with accidental deletion of objects. Option C is invalid because MFA is used as an extra measure of caution for deletion of objects. Option D is invalid because CRR is used for cross-region replication of objects. For more information on Cross Origin Resource Sharing, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
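A CORS configuration for the second bucket (the one serving the resources), added here as an illustration rather than text from the exam page or AWS's documentation. It allows only the page-hosting origin from the question, in the shape accepted by the put-bucket-cors API; restricting AllowedMethods to GET and the header wildcard are assumptions about what the pages need:

```json
{
  "CORSRules": [
    {
      "AllowedOrigins": ["http://demo.s3-website-us-east-1.amazonaws.com"],
      "AllowedMethods": ["GET"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
```

Listing the specific website origin rather than "*" keeps the fix scoped to the pages that need it.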

The correct answer is: Enable CORS for the bucket

You have a vendor that needs access to an AWS resource. You create an AWS IAM user for them. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

A. An AWS Managed Policy
B. An Inline Policy
C. A Bucket Policy
D. A bucket ACL
Suggested answer: B

Explanation:

The AWS Documentation gives an example on such a case:

Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for.

When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.

Option A is invalid because AWS Managed Policies are fine for a group of users, but for individual users, inline policies are better. Options C and D are invalid because they are specifically meant for access to S3 buckets. For more information on policies, please visit the following URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

The correct answer is: An Inline Policy

Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.

A. Create a CloudWatch Events Rule
B. Create a CloudWatch Logs Rule
C. Use a Lambda function
D. Use CloudTrail API call
Suggested answer: A, C

Explanation:

Below is a snippet from the AWS blogs on a solution

Option B is invalid because you need to create a CloudWatch Events Rule; there is no such thing as a CloudWatch Logs Rule. Option D is invalid because CloudTrail API calls can be recorded but cannot be used to send notifications. For more information on this blog article, please visit the following URL:

https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

The correct answers are: Create a CloudWatch Events Rule, Use a Lambda function
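The blog snippet the page refers to is not reproduced here, so the following is an added example (not the blog's own code) of the event pattern such a CloudWatch Events (now EventBridge) rule would use. It matches both API calls and console sign-ins where the caller identity type is Root; the rule's target would be the Lambda function that sends the notification:

```json
{
  "detail-type": [
    "AWS API Call via CloudTrail",
    "AWS Console Sign In via CloudTrail"
  ],
  "detail": {
    "userIdentity": {
      "type": ["Root"]
    }
  }
}
```

The "AWS API Call via CloudTrail" events are only delivered while a CloudTrail trail is logging in the account, so the rule is silent if the trail is disabled.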

A company wants to have a secure way of generating, storing and managing cryptographic keys, with exclusive access to the keys. Which of the following can be used for this purpose?

A. Use KMS and the normal KMS encryption keys
B. Use KMS and use an external key material
C. Use S3 Server Side encryption
D. Use Cloud HSM
Suggested answer: D

Explanation:

The AWS Documentation mentions the following

The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary.

CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you. Options A, B and C are invalid because in all of these cases, the management of the key will be with AWS. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with CloudHSM.

For more information on CloudHSM, please visit the following URL:

https://aws.amazon.com/cloudhsm/faqs/

The correct answer is: Use Cloud HSM
