Amazon SCS-C01 Practice Test - Questions Answers, Page 26

You are devising a policy to allow users to have the ability to access objects in a bucket called appbucket. You define the below custom bucket policy

But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error? Please select:

A. Change the IAM permissions by applying PutBucketPolicy permissions.
B. Verify that the policy has the same name as the bucket name. If not, make it the same.
C. Change the Resource section to "arn:aws:s3:::appbucket/*".
D. Create the bucket "appbucket" and then apply the policy.

Suggested answer: C

Explanation:

When you define access to objects in a bucket, you need to specify which objects in the bucket access is being granted to. In this case, the * can be used to assign the permission to all objects in the bucket.

Option A is invalid because the right permissions are already provided as per the question requirement.

Option B is invalid because it is not necessary that the policy has the same name as the bucket.

Option D is invalid because this should be the default flow for applying the policy.

For more information on bucket policies, please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

The correct answer is: Change the Resource section to "arn:aws:s3:::appbucket/*".
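The policy from the question is not reproduced on this page, so the following is an added example (not the page's or AWS's own code) that shows the mismatch behind the error: an object-level action such as s3:GetObject paired with a bare bucket ARN. The sample policy, the subset of object actions in OBJECT_ACTIONS and the helper names are assumptions constructed for the illustration. The fix function keeps the bucket ARN and adds the "/*" object ARN beside it, which is what option C does for appbucket.

```python
import copy

# Assumption: a representative subset of S3 actions that operate on objects rather than on the bucket.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:GetObjectAcl"}


def as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def covers_objects(resource: str) -> bool:
    """True for an object ARN ("arn:aws:s3:::appbucket/*" or a specific key) or the "*" wildcard;
    False for a bare bucket ARN such as "arn:aws:s3:::appbucket"."""
    if resource == "*":
        return True
    prefix = "arn:aws:s3:::"
    return resource.startswith(prefix) and "/" in resource[len(prefix):]


def find_mismatched_statements(policy: dict) -> list:
    """Return (Sid, action, resource) tuples for object actions whose statement names only
    bucket ARNs: the condition behind "Action does not apply to any resource(s) in statement"."""
    problems = []
    for stmt in policy.get("Statement", []):
        resources = as_list(stmt.get("Resource", []))
        if any(covers_objects(r) for r in resources):
            continue  # at least one object ARN is present, so the object action can apply
        for action in as_list(stmt.get("Action", [])):
            if action in OBJECT_ACTIONS:
                problems.extend((stmt.get("Sid", ""), action, r) for r in resources)
    return problems


def fix_resources(policy: dict) -> dict:
    """Return a copy of the policy in which each offending statement also lists "<bucket arn>/*".
    The bucket ARN itself is kept because bucket-level actions (e.g. s3:ListBucket) still need it."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        actions = set(as_list(stmt.get("Action", [])))
        resources = as_list(stmt.get("Resource", []))
        if not (actions & OBJECT_ACTIONS) or any(covers_objects(r) for r in resources):
            continue
        stmt["Resource"] = resources + [r + "/*" for r in resources]
    return fixed


# Constructed sample: the shape of policy that produces the error in the question.
# The second statement is a bucket-level action and is fine as written.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::appbucket",
        },
        {
            "Sid": "AllowList",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::appbucket",
        },
    ],
}

if __name__ == "__main__":
    for sid, action, resource in find_mismatched_statements(BROKEN_POLICY):
        print(f"statement {sid}: {action} cannot apply to {resource}; add {resource}/*")
    print(fix_resources(BROKEN_POLICY)["Statement"][0]["Resource"])
```

Run the block directly to see the one flagged statement and the corrected Resource list; the AllowList statement is left alone because s3:ListBucket is a bucket-level action.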

A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement? Please select:

A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
B. Use a custom solution available in the AWS Marketplace
C. Use VPC Flow logs to detect the issues and flag them accordingly.
D. Use AWS Cloudwatch to monitor all traffic

Suggested answer: B

Explanation:

Sometimes companies want to have custom solutions in place for monitoring intrusions to their systems. In such a case, you can use the AWS Marketplace for looking at custom solutions.

Options A, C and D are all invalid because they cannot be used to conduct intrusion detection or prevention.

For more information on using custom security solutions, please visit the below URL:

https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution%20Overview.pdf

The correct answer is: Use a custom solution available in the AWS Marketplace.

Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances need to be encrypted. Which of the following can help achieve this? Please select:

A. AWS KMS API
B. AWS Certificate Manager
C. API Gateway with STS
D. IAM Access Key

Suggested answer: A

Explanation:

The AWS Documentation mentions the following on AWS KMS:

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage.

Option B is incorrect: AWS Certificate Manager can be used to generate SSL certificates that can be used to encrypt traffic in transit, but not data at rest.

Option C is incorrect: STS is again used for issuing tokens when using API Gateway, for traffic in transit.

Option D is incorrect: IAM access keys are used for secure access to EC2 Instances.

For more information on AWS KMS, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/overview.html

The correct answer is: AWS KMS API.

You have an S3 bucket hosted in AWS. This is used to host promotional videos uploaded by yourself.

You need to provide access to users for a limited duration of time. How can this be achieved?

Please select:

A. Use versioning and enable a timestamp for each version
B. Use Pre-signed URLs
C. Use IAM Roles with a timestamp to limit the access
D. Use IAM policies with a timestamp to limit the access

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL using their own security credentials, to grant time-limited permission to download the objects.

Option A is invalid because versioning is used to prevent accidental deletion of objects.

Option C is invalid because timestamps are not possible for Roles.

Option D is invalid because policies are not the right way to limit access based on time.

For more information on pre-signed URLs, please visit the URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

The correct answer is: Use Pre-signed URLs.

Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved? Please select:

A. Enable logging on the KMS service
B. Enable a trail in CloudTrail
C. Enable CloudWatch Logs
D. Use CloudWatch metrics

Suggested answer: B

Explanation:

The AWS Documentation states the following:

AWS KMS is integrated with CloudTrail, a service that captures API calls made by or on behalf of AWS KMS in your AWS account and delivers the log files to an Amazon S3 bucket that you specify. CloudTrail captures API calls from the AWS KMS console or from the AWS KMS API. Using the information collected by CloudTrail, you can determine what request was made, the source IP address from which the request was made, who made the request, when it was made, and so on.

Option A is invalid because logging is not possible in the KMS service.

Options C and D are invalid because CloudWatch cannot be used to monitor API calls.

For more information on logging using CloudTrail, please visit the below URL:

https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

The correct answer is: Enable a trail in CloudTrail.

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center for Internet Security. How can you go about doing this? Please select:

A. Enable AWS GuardDuty for the Instance
B. Use AWS Trusted Advisor
C. Use AWS Inspector
D. Use AWS Macie

Suggested answer: C

Explanation:

The AWS Inspector service can inspect EC2 Instances based on specific rules. One of the rules packages is based on the guidelines set by the Center for Internet Security (CIS) Benchmarks. The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company, and the list of Amazon Inspector certifications can be viewed here.

Option A is invalid because GuardDuty can be used to protect an instance but does not give the list of vulnerabilities.

Options B and D are invalid because these services cannot give a list of vulnerabilities.

For more information on the guidelines, please visit the below URL:

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html

The correct answer is: Use AWS Inspector.

You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?

Please select:

A. Shut down the instance
B. Remove the rule for incoming traffic on port 22 for the Security Group
C. Change the AMI for the instance
D. Change the Instance type for the instance

Suggested answer: B

Explanation:

In the test environment the security groups might have been opened to all IP addresses for testing purposes. Always ensure that this rule is removed once all testing is completed. Options A, C and D are all invalid because they would affect the application running on the server. The easiest way is just to remove the rule for access on port 22.

For more information on authorizing access to an instance, please visit the below URL:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

The correct answer is: Remove the rule for incoming traffic on port 22 for the Security Group.

Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement? Please select:

A. Use AWS Inspector to inspect all the Security Groups
B. Use the AWS Trusted Advisor to see which security groups have compromised access.
C. Use AWS Config to see which security groups have compromised access.
D. Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted access

Suggested answer: B

Explanation:

The AWS Trusted Advisor can check security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). If you go to AWS Trusted Advisor, you can see the details.

Option A is invalid because AWS Inspector is used to detect security vulnerabilities in instances and not for security groups.

Option C is invalid because AWS Config can be used to detect changes in security groups but does not show you security groups that have compromised access.

Option D is partially valid but would just be a maintenance overhead.

For more information on the AWS Trusted Advisor, please visit the below URL:

https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/

The correct answer is: Use the AWS Trusted Advisor to see which security groups have compromised access.
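The two preceding questions (the port 22 rule left open after testing, and finding security groups with unrestricted access) both come down to the same check that Trusted Advisor performs and that option D above describes doing by hand: walk the rules and flag any ingress source of 0.0.0.0/0 or ::/0. The following is an added example, not code from the page or from AWS, that runs that check over a constructed sample in the shape of `aws ec2 describe-security-groups` output and builds the matching `aws ec2 revoke-security-group-ingress` call. The sample group ids, the severity labels and the ADMIN_PORTS set are assumptions chosen for the illustration.

```python
import json

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
# Assumption: ports a reviewer wants surfaced first when they are reachable from anywhere.
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}


def port_range(perm):
    """(from, to) ports a permission covers; IpProtocol "-1" is all traffic and carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_unrestricted_ingress(describe_output):
    """Return one finding per ingress rule whose source includes the whole Internet."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
            v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
            if not v4 and not v6:
                continue  # every source is a specific CIDR; nothing to report for this rule
            lo, hi = port_range(perm)
            all_traffic = perm.get("IpProtocol") == "-1"
            severity = "high" if all_traffic or any(lo <= p <= hi for p in ADMIN_PORTS) else "medium"
            findings.append({
                "GroupId": sg["GroupId"],
                "GroupName": sg.get("GroupName", ""),
                "IpProtocol": perm.get("IpProtocol"),
                "ports": (lo, hi),
                "sources": v4 + v6,
                "severity": severity,
            })
    return findings


def revoke_command(finding):
    """CLI call that removes only the world-open sources of one rule, leaving specific CIDRs in place."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["ports"]
    v4 = [s for s in finding["sources"] if s == ANY_IPV4]
    v6 = [s for s in finding["sources"] if s == ANY_IPV6]
    if v4:
        perm["IpRanges"] = [{"CidrIp": s} for s in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": s} for s in v6]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm])))


# Constructed sample (group ids are placeholders): one group left open from testing, one restricted
# SSH rule beside an all-traffic rule that should never have been added.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "test-open", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0fedcba9876543210", "GroupName": "admin-restricted", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ]
}

if __name__ == "__main__":
    for f in find_unrestricted_ingress(SAMPLE_DESCRIBE_OUTPUT):
        print(f["severity"], f["GroupName"], f["IpProtocol"], f["ports"], f["sources"])
        print("  ", revoke_command(f))
```

Against real output, feed the JSON from `aws ec2 describe-security-groups` to `find_unrestricted_ingress`; the 443 rule is reported at medium severity rather than suppressed, because whether a public web port is intended is a decision for the reviewer, not the script.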

A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration?

Choose 2 answers from the options given below

Please select:

A. Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.
B. Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes.
C. Enable CloudTrail log file integrity validation
D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.
E. Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.

Suggested answer: A, C

Explanation:

The AWS Documentation mentions the following:

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

Option B is invalid because there is no such thing as Trusted Advisor CloudTrail checks.

Option D is invalid because Systems Manager cannot be used for this purpose.

Option E is invalid because Security Groups cannot be used to block calls from other services.

For more information on CloudTrail log file validation, please visit the below URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

For more information on delivering CloudTrail logs from multiple accounts, please visit the below URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket; Enable CloudTrail log file integrity validation.
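The explanation above says integrity validation lets you tell whether a delivered log file was modified, deleted or unchanged, using SHA-256 hashes recorded in a digest file. The following added example, not the page's or AWS's own code, shows the hashing half of that mechanism on a constructed sample: it builds a digest with one SHA-256 value per log file and then checks a later copy of the bucket against it. The digest shape is simplified to the fields this check needs; a real digest also carries the previous digest's hash and an RSA signature, which this example does not verify. The object keys, account id and log contents are placeholders constructed for the illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a delivered log file, the value a CloudTrail digest records per file."""
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, digest_end_time: str) -> dict:
    """Digest entries in the shape CloudTrail uses (simplified): one hash per delivered log file.
    Assumption: only the fields needed for the hash check are included."""
    return {
        "digestEndTime": digest_end_time,
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(content)}
            for key, content in sorted(log_files.items())
        ],
    }


def validate_log_files(digest: dict, stored: dict) -> dict:
    """Compare what the digest promised with what the bucket holds now.
    Returns {s3Object: "unchanged" | "modified" | "deleted" | "unsupported-hash"}."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported-hash"
        elif key not in stored:
            results[key] = "deleted"          # the file the digest vouched for is gone
        elif sha256_hex(stored[key]) != entry["hashValue"].lower():
            results[key] = "modified"         # bytes differ from what was delivered
        else:
            results[key] = "unchanged"
    return results


# Constructed sample: two small "log files" (real ones are gzipped JSON) under a placeholder account id.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
ORIGINAL_LOGS = {
    PREFIX + "111122223333_CloudTrail_us-east-1_20240101T0000Z_a.json.gz": b'{"Records":[{"eventName":"Decrypt"}]}',
    PREFIX + "111122223333_CloudTrail_us-east-1_20240101T0005Z_b.json.gz": b'{"Records":[{"eventName":"CreateKey"}]}',
}
DIGEST = build_digest(ORIGINAL_LOGS, "2024-01-01T01:00:00Z")


def tampered_bucket() -> dict:
    """Constructed scenario: the first file has been edited and the second deleted."""
    keys = sorted(ORIGINAL_LOGS)
    return {keys[0]: b'{"Records":[]}'}


if __name__ == "__main__":
    print(validate_log_files(DIGEST, ORIGINAL_LOGS))     # both unchanged
    print(validate_log_files(DIGEST, tampered_bucket()))  # one modified, one deleted
```

In practice the full check, including the signature on each digest and the chain back to earlier digests, is what `aws cloudtrail validate-logs` performs; this block only illustrates why a stored hash is enough to distinguish the three outcomes the documentation names.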

You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you look to carry out immediately? Choose 3 answers from the options below. Please select:

A. Change the root account password.
B. Rotate all IAM access keys
C. Keep all resources running to avoid disruption
D. Change the password for all IAM users.

Suggested answer: A, B, D

Explanation:

One of the articles from AWS describes what should be done in such a scenario. If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:

Change your AWS root account password and the passwords of any IAM users.

Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.

Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users.

Respond to any notifications you received from AWS Support through the AWS Support Center.

Option C is invalid because there could be compromised instances or resources running in your environment. They should be shut down or stopped immediately.

For more information on the article, please visit the below URL:

https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

The correct answers are: Change the root account password. Rotate all IAM access keys. Change the password for all IAM users.
