Amazon SCS-C01 Practice Test - Questions Answers, Page 27

Your IT Security team has advised carrying out a penetration test on the resources in the company's AWS account, as part of its capability to analyze the security of the infrastructure. What should be done first in this regard?

Please select:

A. Turn on CloudTrail and carry out the penetration test
B. Turn on VPC Flow Logs and carry out the penetration test
C. Submit a request to AWS Support
D. Use a custom AWS Marketplace solution for conducting the penetration test

Suggested answer: C

Explanation:

This concept is given in the AWS Documentation:

How do I submit a penetration testing request for my AWS resources?

Issue

I want to run a penetration test or other simulated event on my AWS architecture. How do I get permission from AWS to do that?

Resolution

Before performing security testing on AWS resources, you must obtain approval from AWS. After you submit your request, AWS will reply in about two business days. AWS might have additional questions about your test which can extend the approval process, so plan accordingly and be sure that your initial request is as detailed as possible. If your request is approved, you'll receive an authorization number.

Options A, B and D are all invalid because the first step is to get prior authorization from AWS for penetration tests. For more information on penetration testing, please visit the below URLs:

* https://aws.amazon.com/security/penetration-testing/
* https://aws.amazon.com/premiumsupport/knowledge-center/penetration-testing/

The correct answer is: Submit a request to AWS Support

Your company is planning on hosting an internal network in AWS. They want machines in the VPC to authenticate using private certificates. They want to minimize the work and maintenance in working with certificates. What is the ideal way to fulfil this requirement?

Please select:

A. Consider using Windows Server 2016 Certificate Manager
B. Consider using AWS Certificate Manager
C. Consider using AWS Access keys to generate the certificates
D. Consider using AWS Trusted Advisor for managing the certificates

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

ACM is tightly linked with AWS Certificate Manager Private Certificate Authority. You can use ACM PCA to create a private certificate authority (CA) and then use ACM to issue private certificates. These are SSL/TLS X.509 certificates that identify users, computers, applications, services, servers, and other devices internally. Private certificates cannot be publicly trusted.

Option A is partially invalid. Windows Server 2016 Certificate Manager can be used, but since there is a requirement to "minimize the work and maintenance", AWS Certificate Manager should be used. Options C and D are invalid because these cannot be used for managing certificates. For more information on ACM, please visit the below URL:

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

The correct answer is: Consider using AWS Certificate Manager

You have enabled CloudTrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?

Please select:

A. Enable SSL certificates for the CloudTrail logs
B. There is no need to do anything since the logs will already be encrypted
C. Enable server-side encryption for the trail
D. Enable server-side encryption for the destination S3 bucket

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key. You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.

Options A, C and D are not valid since the logs will already be encrypted.

For more information on how CloudTrail works, please visit the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html

The correct answer is: There is no need to do anything since the logs will already be encrypted

You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app, you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue?

Please select:

A. Use AWS Trusted Advisor to see what can be done.
B. Use VPC Flow Logs to diagnose the traffic
C. Use AWS WAF to analyze the traffic
D. Use AWS GuardDuty to analyze the traffic

Suggested answer: B

Explanation:

Option A is invalid because Trusted Advisor can be used to check for security issues in your account, but not to verify why you cannot reach the home page for your application. Option C is invalid because AWS WAF is used to protect your app against application layer attacks, but not to verify why you cannot reach the home page for your application. Option D is invalid because GuardDuty is used to protect your instance against attacks, but not to verify why you cannot reach the home page for your application.

The AWS Documentation mentions the following:

VPC Flow Logs capture network flow information for a VPC, subnet or network interface and store it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security tool to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviors. For more information on AWS Security, please visit the following URL:

https://aws.amazon.com/answers/networking/vpc-security-capabilities

The correct answer is: Use VPC Flow Logs to diagnose the traffic
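As an added example (not part of the original page, and not AWS tooling), the following Python parses VPC Flow Log records in the default version 2 field order and lists the destinations whose traffic is being rejected, which is the diagnosis the explanation above describes. The log records are constructed samples.

```python
"""Find rejected flows in VPC Flow Log records (default, version 2 format).

Added example with constructed sample records; not the page's or AWS's code.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Field order of the default VPC Flow Log record (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# IANA protocol numbers that commonly appear in flow logs, mapped to names.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one record into named fields.

    Returns None for NODATA/SKIPDATA records, whose address and port
    fields are '-' and which carry no flow information.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None


def rejected_flows(lines: List[str]) -> List[Tuple[Tuple[str, int, str], int]]:
    """Count REJECT records by (dstaddr, dstport, protocol), most frequent first.

    A destination the application is supposed to reach showing up here means
    a security group or network ACL is dropping that traffic.
    """
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        proto = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
        counts[(rec["dstaddr"], int(rec["dstport"]), proto)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample records: two clients rejected on the web tier's port 80,
# one rejected on 443, one accepted web-to-database flow, one NODATA record.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 49152 80 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 33000 3306 6 10 2400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 49153 80 6 2 120 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 50000 443 6 1 60 1700000000 1700000060 REJECT OK",
]

if __name__ == "__main__":
    for (dst, port, proto), n in rejected_flows(SAMPLE_LOG):
        print(f"{n:3d} REJECT -> {dst}:{port}/{proto}")
```

Running it against real records exported from CloudWatch Logs works the same way as long as the flow log uses the default field order.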

A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident. What steps should the team document in the plan?

Please select:

A. Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
B. Use Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
C. Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
D. Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Suggested answer: A

Explanation:

You can use the AWS Config configuration history to see the history of a particular configuration item.

The below snapshot shows an example configuration for a user in AWS Config.

Options B, C and D are all invalid because these services cannot be used to see the history of a particular configuration item. This can only be accomplished by AWS Config. For more information on tracking changes in AWS Config, please visit the below URL:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackingChanges.html

The correct answer is: Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?

Please select:

A. Use Amazon QuickSight and CloudTrail to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.
B. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
C. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.
D. Use Trusted Advisor to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.

Suggested answer: B

Explanation:

Use Systems Manager Patch Manager to generate the report and also to install the missing patches. The AWS Documentation mentions the following:

AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.

Option A is invalid because Amazon QuickSight and CloudTrail cannot be used to generate the list of servers that don't meet compliance needs. Option C is wrong because redeploying instances from a new AMI would impact the applications hosted on these servers. Option D is invalid because Trusted Advisor cannot be used to generate the list of servers that don't meet compliance needs.

For more information on AWS Patch Manager, please visit the below URL:

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html

The correct answer is: Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.

Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first measure that should be taken to protect the AWS account?

Please select:

A. Delete the AWS keys for the root account
B. Create IAM Groups
C. Create IAM Roles
D. Restrict access using IAM policies

Suggested answer: A

Explanation:

The first measure that should be taken is to delete the access keys for the root user. When you log into your account and go to the security access dashboard, this is the first step shown.

Options B and C are wrong because creating IAM groups and roles will not change the impact of leaked AWS root access keys. Option D is wrong because the first key aspect is to protect the access keys for the root account. For more information on best practices for access keys, please visit the below URL:

https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

The correct answer is: Delete the AWS keys for the root account

Which of the following is not a best practice for carrying out a security audit?

Please select:

A. Conduct an audit on a yearly basis
B. Conduct an audit if application instances have been added to your account
C. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
D. Whenever there are changes in your organization

Suggested answer: A

Explanation:

A year is generally too long a gap between security audits. The AWS Documentation mentions the following:

You should audit your security configuration in the following situations:

* On a periodic basis.
* If there are changes in your organization, such as people leaving.
* If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
* If you've added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.
* If you ever suspect that an unauthorized person might have accessed your account.

Options B, C and D are all the right ways and recommended best practices when it comes to conducting audits. For more information on the security audit guidelines, please visit the below URL:

https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html

The correct answer is: Conduct an audit on a yearly basis

Which of the following is used as a secure way to log into an EC2 Linux instance?

Please select:

A. IAM user name and password
B. Key pairs
C. AWS Access keys
D. AWS SDK keys

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

Options A, C and D are all wrong because these are not used to log into EC2 Linux instances. For more information on AWS security credentials, please visit the below URL:

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

The correct answer is: Key pairs

A company hosts a critical web application on the AWS Cloud. This is a key revenue-generating application for the company. The IT Security team is worried about potential DDoS attacks against the web site. Senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard?

Please select:

A. Consider using the AWS Shield service
B. Consider using VPC Flow Logs to monitor traffic for DDoS attacks and quickly take action on a trigger of a potential attack.
C. Consider using the AWS Shield Advanced service
D. Consider using CloudWatch Logs to monitor traffic for DDoS attacks and quickly take action on a trigger of a potential attack.

Suggested answer: C

Explanation:

Option A is invalid because the standard AWS Shield service will not help with immediate action against a DDoS attack; this can be done via the AWS Shield Advanced service. Option B is invalid because VPC Flow Logs is a logging service for VPC traffic flow but cannot specifically protect against DDoS attacks. Option D is invalid because CloudWatch Logs is a logging service for AWS services but cannot specifically protect against DDoS attacks.

The AWS Documentation mentions the following:

AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24x7 to manage and mitigate their application layer DDoS attacks. For more information on AWS Shield, please visit the below URL:

https://aws.amazon.com/shield/faqs

The correct answer is: Consider using the AWS Shield Advanced service

Topic 3, Exam Pool C
