ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 32

List of questions

Question 311

Report
Export
Collapse

Which technique can be used to integrate AWS IAM (Identity and Access Management) with an onpremise LDAP (Lightweight Directory Access Protocol) directory service? Please select:

Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
Suggested answer: B

Explanation:

On the AWS Blog site the following information is present to help on this context The newly released whitepaper. Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources.

Option A.C and D are all invalid because in this sort of configuration, you have to use SAML to enable single sign on. For more information on integrating AWS with LDAP for Single Sign-On, please visit the following URL:

https://aws.amazon.eom/blogs/security/new-whitepaper-sinEle-sign-on-inteErating-aws-openldapand-shibboleth/lThe correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-onbetween AWS and LDAP. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Andrew dela Cruz
35 questions

Question 312

Report
Export
Collapse

You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.

Please select:

Create a new Customer Key using KMS and attach it to the existing volume
Create a new Customer Key using KMS and attach it to the existing volume
You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
Request AWS Support to recover the key
Request AWS Support to recover the key
Use AWS Config to recover the key
Use AWS Config to recover the key
Suggested answer: B

Explanation:

Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK. https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.htmlA is incorrect because Creating a new CMK and attaching it to the exiting volume will not allow thedata to be decrypted, you cannot attach customer master keys after the volume is encryptedOption C and D are invalid because once the key has been deleted, you cannot recover it For moreinformation on EBS Encryption with KMS, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.htmlThe correct answer is: You cannot decrypt the data that was encrypted under the CMK, and the datais not recoverable. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Darshak Ramdevputra
31 questions

Question 313

Report
Export
Collapse

You work as an administrator for a company. The company hosts a number of resources using AWS.

There is an incident of a suspicious API activity which occurred 11 days ago. The Security Admin has asked to get the API activity from that point in time. How can this be achieved? Please select:

Search the Cloud Watch logs to find for the suspicious activity which occurred 11 days ago
Search the Cloud Watch logs to find for the suspicious activity which occurred 11 days ago
Search the Cloudtrail event history on the API events which occurred 11 days ago.
Search the Cloudtrail event history on the API events which occurred 11 days ago.
Search the Cloud Watch metrics to find for the suspicious activity which occurred 11 days ago
Search the Cloud Watch metrics to find for the suspicious activity which occurred 11 days ago
Use AWS Config to get the API calls which were made 11 days ago.
Use AWS Config to get the API calls which were made 11 days ago.
Suggested answer: B

Explanation:

The Cloud Trail event history allows to view events which are recorded for 90 days. So one can use a metric filter to gather the API calls from 11 days ago. Option A and C is invalid because Cloudwatch is used for logging and not for monitoring API activity

Option D is invalid because AWSConfig is a configuration service and not for monitoring API activity For more information on AWS Cloudtrail, please visit the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/how-cloudtrail-works.htmlNote:

In this question we assume that the customer has enabled cloud trail service.

AWS CloudTrail is enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. So for an activity that happened 11 days ago to be stored in the cloud trail we need to configure the trail manually to ensure that it is stored in the events history. • https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-awscustomers/The correct answer is: Search the Cloudtrail event history on the API events which occurred 11 daysago.

asked 16/09/2024
Babatunde Badiru
40 questions

Question 314

Report
Export
Collapse

You need to ensure that the cloudtrail logs which are being delivered in your AWS account is encrypted. How can this be achieved in the easiest way possible? Please select:

Don't do anything since CloudTrail logs are automatically encrypted.
Don't do anything since CloudTrail logs are automatically encrypted.
Enable S3-SSE for the underlying bucket which receives the log files
Enable S3-SSE for the underlying bucket which receives the log files
Enable S3-KMS for the underlying bucket which receives the log files
Enable S3-KMS for the underlying bucket which receives the log files
Enable KMS encryption for the logs which are sent to Cloudwatch
Enable KMS encryption for the logs which are sent to Cloudwatch
Suggested answer: A

Explanation:

The AWS Documentation mentions the following

By default the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3) Option B,C and D are all invalid because by default all logs are encrypted when they sent by Cloudtrail to S3 buckets For more information on AWS Cloudtrail log encryption, please visit the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/encryptine-cloudtrail-loe-files-withaws-kms.htmllThe correct answer is: Don't do anything since CloudTrail logs are automatically encrypted. Submityour Feedback/Queries to our Experts

asked 16/09/2024
ozgur yilmaz
30 questions

Question 315

Report
Export
Collapse

You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved? Please select:

Add the keys to the backend distribution.
Add the keys to the backend distribution.
Add the keys to the S3 bucket
Add the keys to the S3 bucket
Create pre-signed URL's
Create pre-signed URL's
Use AWS Access keys
Use AWS Access keys
Suggested answer: C

Explanation:

Option A and B are invalid because you will not add keys to either the backend distribution or the S3 bucket. Option D is invalid because this is used for programmatic access to AWS resources You can use Cloudfront key pairs to create a trusted pre-signed URL which can be distributed to users Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers) Topics

• Creating CloudFront Key Pairs for Your Trusted Signers

• Reformatting the CloudFront Private Key (.NET and Java Only)

• Adding Trusted Signers to Your Distribution

• Verifying that Trusted Signers Are Active (Optional) 1 Rotating CloudFront Key Pairs To create signed URLs or signed cookies, you need at least one AWS account that has an active CloudFront key pair. This accou is known as a trusted signer. The trusted signer has two purposes:

• As soon as you add the AWS account ID for your trusted signer to your distribution, CloudFront starts to require that users us signed URLs or signed cookies to access your objects. ' When you create signed URLs or signed cookies, you use the private key from the trusted signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted object CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that the URL or cookie hasn't been tampered with. CloudFront also verifies that the URL or cookie is valid, meaning, for example, that the expiration date and time hasn't passed. For more information on Cloudfront private trusted content please visit the following URL:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-contenttrusted-sThe correct answer is: Create pre-signed URL's Submit your Feedback/Queries to our Experts

asked 16/09/2024
Ibiyemi Araoye
39 questions

Question 316

Report
Export
Collapse

Your company currently has a set of EC2 Instances hosted in a VPC. The IT Security department is suspecting a possible DDos attack on the instances. What can you do to zero in on the IP addresses which are receiving a flurry of requests. Please select:

Use VPC Flow logs to get the IP addresses accessing the EC2 Instances
Use VPC Flow logs to get the IP addresses accessing the EC2 Instances
Use AWS Cloud trail to get the IP addresses accessing the EC2 Instances
Use AWS Cloud trail to get the IP addresses accessing the EC2 Instances
Use AWS Config to get the IP addresses accessing the EC2 Instances
Use AWS Config to get the IP addresses accessing the EC2 Instances
Use AWS Trusted Advisor to get the IP addresses accessing the EC2 Instances
Use AWS Trusted Advisor to get the IP addresses accessing the EC2 Instances
Suggested answer: A

Explanation:

With VPC Flow logs you can get the list of IP addresses which are hitting the Instances in your VPC You can then use the information in the logs to see which external IP addresses are sending a flurry of requests which could be the potential threat foi a DDos attack.

Option B is incorrect Cloud Trail records AWS API calls for your account. VPC FLowlogs logs network traffic for VPC, subnets. Network interfaces etc. As per AWS,

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC where as AWS CloudTrail, is a service that captures API calls and delivers the log files to an Amazon S3 bucket that you specify.

Option C is invalid this is a config service and will not be able to get the IP addresses

Option D is invalid because this is a recommendation service and will not be able to get the IP addresses For more information on VPC Flow Logs, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.htmlThe correct answer is: Use VPC Flow logs to get the IP addresses accessing the EC2 Instances Submityour Feedback/Queries to our Experts

asked 16/09/2024
Dinu Jose Varghese
38 questions

Question 317

Report
Export
Collapse

You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly? Please select:

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.
Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.
Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.
Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.
Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
Suggested answer: A

Explanation:

You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it To require that users access your content through CloudFront URLs, you perform the following tasks:

Create a special CloudFront user called an origin access identity.

Give the origin access identity permission to read the objects in your bucket.

Remove permission for anyone else to use Amazon S3 URLs to read the objects.

Option B,C and D are all automatically invalid, because the right way is to ensure to create Origin Access Identity (OAI) for CloudFront and grant access accordingly. For more information on serving private content via Cloudfront, please visit the following URL:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.htmllThe correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to theobjects in your S3 bucket t that OAI. You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it To require that users access your content through CloudFront URLs, you perform the following tasks:

Create a special CloudFront user called an origin access identity.

Give the origin access identity permission to read the objects in your bucket.

Remove permission for anyone else to use Amazon S3 URLs to read the objects.

Option B,C and D are all automatically invalid, because the right way is to ensure to create Origin Access Identity (OAI) for CloudFront and grant access accordingly. For more information on serving private content via Cloudfront, please visit the following URL:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.htmllThe correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to theobjects in your S3 bucket t that OAI. Submit your Feedback/Queries to our Experts

Submit your Feedback/Queries to our Experts

asked 16/09/2024
Alvaro Peralta
24 questions

Question 318

Report
Export
Collapse

A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in-charge of the root account has left the company. What must be now done to secure the account. Choose 3 answers from the options given below.

Please select:

Change the access keys for all IAM users.
Change the access keys for all IAM users.
Delete all custom created IAM policies
Delete all custom created IAM policies
Delete the access keys for the root account
Delete the access keys for the root account
Confirm MFAtoa secure device
Confirm MFAtoa secure device
Change the password for the root account
Change the password for the root account
Change the password for all IAM users
Change the password for all IAM users
Suggested answer: C, D, E

Explanation:

Now if the root account has a chance to be compromised, then you have to carry out the below steps 1. Delete the access keys for the root account 2. Confirm MFA to a secure device 3. Change the password for the root account This will ensure the employee who has left has no change to compromise the resources in AWS.

Option A is invalid because this would hamper the working of the current IAM users

Option B is invalid because this could hamper the current working of services in your AWS account

Option F is invalid because this would hamper the working of the current IAM users For more information on IAM root user, please visit the following URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id root-user.html The correct answers are: Delete the access keys for the root account Confirm MFA to a secure device. Change the password for the root account

Submit Your Feedback/Queries to our Experts

asked 16/09/2024
Jeremiah Hutchins
45 questions

Question 319

Report
Export
Collapse

A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan have been made since its creation. Which of the following is a right statement with regards to the plan?

Please select:

It places too much emphasis on already implemented security controls.
It places too much emphasis on already implemented security controls.
The response plan is not implemented on a regular basis
The response plan is not implemented on a regular basis
The response plan does not cater to new services
The response plan does not cater to new services
The response plan is complete in its entirety
The response plan is complete in its entirety
Suggested answer: C

Explanation:

So definitely the case here is that the incident response plan is not catering to newly created services. AWS keeps on changing and adding new services and hence the response plan must cater to these new services. Option A and B are invalid because we don't know this for a fact.

Option D is invalid because we know that the response plan is not complete, because it does not cater to new features of AWS For more information on incident response plan please visit the following URL:

https://aws.amazon.com/blogs/publicsector/buildins-a-cloud-specific-incident-response-plan;The correct answer is: The response plan does not cater to new services Submit yourFeedback/Queries to our Experts

asked 16/09/2024
Francisco Jesús Cano Hinarejos
53 questions

Question 320

Report
Export
Collapse

Your application currently uses customer keys which are generated via AWS KMS in the US east region. You now want to use the same set of keys from the EU-Central region. How can this be accomplished? Please select:

Export the key from the US east region and import them into the EU-Central region
Export the key from the US east region and import them into the EU-Central region
Use key rotation and rotate the existing keys to the EU-Central region
Use key rotation and rotate the existing keys to the EU-Central region
Use the backing key from the US east region and use it in the EU-Central region
Use the backing key from the US east region and use it in the EU-Central region
This is not possible since keys from KMS are region specific
This is not possible since keys from KMS are region specific
Suggested answer: D

Explanation:

Option A is invalid because keys cannot be exported and imported across regions.

Option B is invalid because key rotation cannot be used to export keys

Option C is invalid because the backing key cannot be used to export keys This is mentioned in the AWS documentation What geographic region are my keys stored in? Keys are only stored and used in the region in which they are created. They cannot be transferred to another region. For example; keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region For more information on KMS please visit the following URL:

https://aws.amazon.com/kms/faqs/The correct answer is: This is not possible since keys from KMS are region specific Submit your Feedback/Queries to our Experts

asked 16/09/2024
law ryan
30 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?