ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 28

List of questions

Question 271

Report
Export
Collapse

You have setup a set of applications across 2 VPC's. You have also setup VPC Peering. The applications are still not able to communicate across the Peering connection. Which network troubleshooting steps should be taken to resolve the issue?

Please select:

Ensure the applications are hosted in a public subnet
Ensure the applications are hosted in a public subnet
Check to see if the VPC has an Internet gateway attached.
Check to see if the VPC has an Internet gateway attached.
Check to see if the VPC has a NAT gateway attached.
Check to see if the VPC has a NAT gateway attached.
Check the Route tables for the VPC's
Check the Route tables for the VPC's
Suggested answer: D

Explanation:

After the VPC peering connection is established, you need to ensure that the route tables are modified to ensure traffic can between the VPCs Option A ,B and C are invalid because allowing access the Internet gateway and usage of public subnets can help for Inter, access, but not for VPC Peering.

For more information on VPC peering routing, please visit the below URL:

.com/AmazonVPC/latest/Peeri

The correct answer is: Check the Route tables for the VPCs Submit your Feedback/Queries to our Experts

asked 16/09/2024
Nick Daniel
37 questions

Question 272

Report
Export
Collapse

A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below. Please select:

When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
When storing data in EBS, encrypt the volume by using AWS KMS.
When storing data in EBS, encrypt the volume by using AWS KMS.
When storing data in Amazon S3, use object versioning and MFA Delete.
When storing data in Amazon S3, use object versioning and MFA Delete.
When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
When storing data in S3, enable server-side encryption.
When storing data in S3, enable server-side encryption.
Suggested answer: B, E

Explanation:

The AWS Documentation mentions the following

To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your account, Amazon EBS creates one. Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options of protecting data at rest in Amazon S3.

• Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.

• Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

Option A is invalid because using EBS-optimized Amazon EC2 instances alone will not guarantee protection of instances at rest. Option C is invalid because this will not encrypt data at rest for S3 objects. Option D is invalid because you don't store data in Instance store. For more information on EBS encryption, please visit the below URL:

https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.htmlFor more information on S3 encryption, please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsinEEncryption.htmlThe correct answers are: When storing data in EBS, encrypt the volume by using AWS KMS. Whenstoring data in S3, enable server-side encryption. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Gerald Saraci
36 questions

Question 273

Report
Export
Collapse

You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible? Please select:

Enable cross region replication for the bucket
Enable cross region replication for the bucket
Write a script to copy the objects to another bucket in the destination region
Write a script to copy the objects to another bucket in the destination region
Create an S3 snapshot in the destination region
Create an S3 snapshot in the destination region
Enable versioning which will copy the objects to the destination region
Enable versioning which will copy the objects to the destination region
Suggested answer: A

Explanation:

Option B is partially correct but a big maintenance over head to create and maintain a script when the functionality is already available in S3 Option C is invalid because snapshots are not available in S3 Option D is invalid because versioning will not replicate objects The AWS Documentation mentions the following Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buck in different AWS Regions. For more information on Cross region replication in the Simple Storage Service, please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.htmlThe correct answer is: Enable cross region replication for the bucket Submit your Feedback/Queriesto our Experts

asked 16/09/2024
Justin Kim
37 questions

Question 274

Report
Export
Collapse

You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard? Please select:

AWS Cloudwatch
AWS Cloudwatch
AWS EC2
AWS EC2
AWS Trusted Advisor
AWS Trusted Advisor
AWS SNS
AWS SNS
Suggested answer: C

Explanation:

Below is a snapshot of the service limits that the Trusted Advisor can monitor

Amazon SCS-C01 image Question 274 explanation 7392 09162024005924000000

Option A is invalid because even though you can monitor resources, it cannot be checked against the service limit.

Option B is invalid because this is the Elastic Compute cloud service Option D is invalid because it can be send notification but not check on service limit For more information on the Trusted Advisor monitoring, please visit the below URL:

https://aws.amazon.com/premiumsupport/ta-faqs>The correct answer is: AWS Trusted AdvisorSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Francisco Julian Mota Fraile
41 questions

Question 275

Report
Export
Collapse

A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security related messages. What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement? Please select:

Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.
Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.
Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.
Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.
Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.
Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.
Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.
Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.
Suggested answer: B

Explanation:

One can send the log files to Cloudwatch Logs. Log files can also be sent from On-premise servers.

You can then specify metrii to search the logs for any specific values. And then create alarms based on these metrics. Option A is invalid because this will be just a long over drawn process to achieve this requirement Option C is invalid because AWS Inspector cannot be used to monitor for security related messages. Option D is invalid because files cannot be exported to AWS Cloudtrail For more information on Cloudwatch logs agent please visit the below URL:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2lnstance.htiThe correct answer is: Send the local text log files to Cloudwatch Logs and configure a Cloudwatchmetric filter. Trigger cloudwatch alarms based on the metrics.

Submit your Feedback/Queries to our Experts

asked 16/09/2024
Lara Umemoto
49 questions

Question 276

Report
Export
Collapse

Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?

Please select:

Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
Create a Service Control Policy that denies access to the services. Apply the policy to the root account.
Create a Service Control Policy that denies access to the services. Apply the policy to the root account.
Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.
Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.
Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.
Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.
Suggested answer: A

Explanation:

As an administrator of the master account of an organization, you can restrict which AWS services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When AWS Organizations blocks access to a service or API action for a member account a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions. Option B is invalid because service policies cannot be assigned to the root account at the account level. Option C and D are invalid because IAM policies alone at the account level would not be able to suffice the requirement For more information, please visit the below URL id=docs_orgs_console https://docs.aws.amazon.com/IAM/latest/UserGimanage attach-policy.htmlThe correct answer is: Create a Service Control Policy that denies access to the services. Assemble allproduction accounts in an organizational unit. Apply the policy to that organizational unitSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Tiziano Riezzo
47 questions

Question 277

Report
Export
Collapse

An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.

Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below Please select:

A network ACL with a rule that allows outgoing traffic on port 443.
A network ACL with a rule that allows outgoing traffic on port 443.
A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
A security group with a rule that allows outgoing traffic on port 443
A security group with a rule that allows outgoing traffic on port 443
A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
Suggested answer: B, D

Explanation:

Since here the traffic needs to flow outbound from the Instance to a web service on Port 443, the outbound rules on both the Network and Security Groups need to allow outbound traffic. The Incoming traffic should be allowed on ephermal ports for the Operating System on the Instance to allow a connection to be established on any desired or available port. Option A is invalid because this rule alone is not enough. You also need to ensure incoming traffic on ephemeral ports Option C is invalid because need to ensure incoming traffic on ephemeral ports and not only port 443 Option E and F are invalid since here you are allowing additional ports on Security groups which are not required For more information on VPC Security Groups, please visit the below URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC_SecurityGroups.htmll

The correct answers are: A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports, A security group with a rule that allows outgoing traffic on port443Submit your Feedback/Queries to our Experts

asked 16/09/2024
Mpho Ntshontsi
40 questions

Question 278

Report
Export
Collapse


A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.

Please select:

Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
Enable GuardDuty to block malicious traffic from reaching the application
Enable GuardDuty to block malicious traffic from reaching the application
Suggested answer: B, D

Explanation:

The below diagram from AWS shows the best case scenario for avoiding DDos attacks using services such as AWS Cloudfro WAF, ELB and Autoscaling

Amazon SCS-C01 image Question 278 explanation 7396 09162024005924000000

Option A is invalid because by default security groups don't allow access

Option C is invalid because AWS Inspector cannot be used to examine traffic

Option E is invalid because this can be used for attacks on EC2 Instances but not against DDos attacks on the entire application For more information on DDos mitigation from AWS, please visit the below URL:

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitieationiThe correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale toabsorb application layer traffic., Use CloudFront and AWS WAF to prevent malicious traffic fromreaching the applicationSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Oleksii Ivanov
45 questions

Question 279

Report
Export
Collapse

You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?

Please select:

Save the API credentials to your PHP files.
Save the API credentials to your PHP files.
Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
Save your API credentials in a public Github repository.
Save your API credentials in a public Github repository.
Pass API credentials to the instance using instance userdata.
Pass API credentials to the instance using instance userdata.
Suggested answer: B

Explanation:

Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance. especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.

IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you manage the security credentials that the applications use. Option A.C and D are invalid because using AWS Credentials in an application in production is a direct no recommendation 1 secure access For more information on IAM Roles, please visit the below URL: http://docs.aws.amazon.com/ AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html The correct answer is: Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it Submit your Feedback/Queries to our Experts

asked 16/09/2024
shylashri selvamani
46 questions

Question 280

Report
Export
Collapse

A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also all API calls must be stored for lookup purposes. Any log data greater than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution. Please select:

Enable CloudTrail logging in all accounts into S3 buckets
Enable CloudTrail logging in all accounts into S3 buckets
Enable CloudTrail logging in all accounts into Amazon Glacier
Enable CloudTrail logging in all accounts into Amazon Glacier
Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
Suggested answer: A, D

Explanation:

Cloudtrail publishes the trail of API logs to an S3 bucket

Option B is invalid because you cannot put the logs into Glacier from CloudTrail

Option C is invalid because lifecycle policies cannot be used to move data to EBS volumes For more information on Cloudtrail logging, please visit the below URL:

https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/cloudtrail-find-log-files.htmllYou can then use Lifecycle policies to transfer data to Amazon Glacier after 6 months For moreinformation on S3 lifecycle policies, please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.htmlThe correct answers are: Enable CloudTrail logging in all accounts into S3 buckets. Ensure a lifecyclepolicy is defined on the bucket to move the data to Amazon Glacier after 6 months.

Submit your Feedback/Queries to our Experts

asked 16/09/2024
Alajauan Adams
35 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?