ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 34

List of questions

Question 331

Report
Export
Collapse

A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished.

Please select:

Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
Suggested answer: C

Explanation:

Options A & B are invalid as default NACL rule will allow all inbound and outbound traffic.

The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that we need to enable the Security Group of EC2 instance to allow traffic from the IT administrator's workstation. Hence option C is correct.

Option D is incorrect as we need to enable the Inbound SSH traffic on the EC2 instance Security Group since the traffic originate' , from the IT admin's workstation. The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation Submit your Feedback/Queries to our Experts

asked 16/09/2024
Morris Djavaheri
29 questions

Question 332

Report
Export
Collapse

A company is planning to run a number of Admin related scripts using the AWS Lambda service.

There is a need to understand if there are any errors encountered when the script run. How can this be accomplished in the most effective manner. Please select:

Use Cloudwatch metrics and logs to watch for errors
Use Cloudwatch metrics and logs to watch for errors
Use Cloudtrail to monitor for errors
Use Cloudtrail to monitor for errors
Use the AWS Config service to monitor for errors
Use the AWS Config service to monitor for errors
Use the AWS inspector service to monitor for errors
Use the AWS inspector service to monitor for errors
Suggested answer: A

Explanation:

The AWS Documentation mentions the following

AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function. Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.

Option B,C and D are all invalid because these services cannot be used to monitor for errors.

I

For more information on Monitoring Lambda functions, please visit the following URL:

https://docs.aws.amazon.com/lambda/latest/dg/monitorine-functions-loes.htmllThe correct answer is: Use Cloudwatch metrics and logs to watch for errors Submit yourFeedback/Queries to our Experts

asked 16/09/2024
Terence Coates
33 questions

Question 333

Report
Export
Collapse

A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to encrypt at rest. How can this be achieved? Please select:

Use AWS Access keys to encrypt the data
Use AWS Access keys to encrypt the data
Use SSL certificates to encrypt the data
Use SSL certificates to encrypt the data
Enable server side encryption on the S3 bucket
Enable server side encryption on the S3 bucket
Enable MFA on the S3 bucket
Enable MFA on the S3 bucket
Suggested answer: C

Explanation:

The AWS Documentation mentions the following

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data. Option D is invalid because MFA is just used as an extra level of security for S3 buckets For more information on S3 server side encryption, please refer to the below Link:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.htmlSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Jose Alberto Vecino Pacheco
31 questions

Question 334

Report
Export
Collapse

You have a set of application , database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?

Please select:

Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group
Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group
Check the Outbound security rules for the database security groupI Check the inbound security rules for the application security group
Check the Outbound security rules for the database security groupI Check the inbound security rules for the application security group
Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group
Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group
Check the Outbound security rules for the database security groupCheck the both the Inbound and Outbound security rules for the application security group
Check the Outbound security rules for the database security groupCheck the both the Inbound and Outbound security rules for the application security group
Suggested answer: A

Explanation:

Here since the communication would be established inward to the database server and outward from the application server, you need to ensure that just the Outbound rules for application server security groups are checked. And then just the Inbound rules for database server security groups are checked.

Option B can't be the correct answer. It says that we need to check the outbound security group which is not needed. We need to check the inbound for DB SG and outbound of Application SG. Because, this two group need to communicate with each other to function properly. Option C is invalid because you don't need to check for Outbound security rules for the database security group Option D is invalid because you don't need to check for Inbound security rules for the application security group For more information on Security Groups, please refer to below URL:

The correct answer is: Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group Submit your Feedback/Queries to our Experts

asked 16/09/2024
Erik de Bont
39 questions

Question 335

Report
Export
Collapse

Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB. Please select:

Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
Encrypt the DynamoDB table using KMS during its creation
Encrypt the DynamoDB table using KMS during its creation
Encrypt the table using AWS KMS after it is created
Encrypt the table using AWS KMS after it is created
Use S3 buckets to encrypt the data before sending it to DynamoDB
Use S3 buckets to encrypt the data before sending it to DynamoDB
Suggested answer: B

Explanation:

The most easiest option is to enable encryption when the DynamoDB table is created.

The AWS Documentation mentions the following

Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data. Option A is partially correct, you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table before hand. Option C is invalid because you cannot encrypt the table after it is created

Option D is invalid because encryption for S3 buckets is for the objects in S3 only.

For more information on securing data at rest for DynamoDB please refer to below URL:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmllThe correct answer is: Encrypt the DynamoDB table using KMS during its creation Submit yourFeedback/Queries to our Experts

asked 16/09/2024
Jean-Bosco Muganza
42 questions

Question 336

Report
Export
Collapse

Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?

Please select:

Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.
Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.
Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
Put thp metadata in thp S3 hurkpf itself.
Put thp metadata in thp S3 hurkpf itself.
Suggested answer: C

Explanation:

Option A ,B and D are all invalid because the metadata will not be encrypted in any case and this is a key requirement from the question. One key thing to note is that when the S3 bucket objects are encrypted, the meta data is not encrypted. So the best option is to use an encrypted DynamoDB table Important All GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted. For more information on using KMS encryption for S3, please refer to below URL: 1 https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.htmlThe correct answer is: Put the metadata in a DynamoDB table and ensure the table is encryptedduring creation time. Submit your Feedback/Queries to our Experts

asked 16/09/2024
JUAN LUIS BERMUDEZ MAYORAL
27 questions

Question 337

Report
Export
Collapse

One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance. Select 2 answers from the options given below Please select:

Remove the role applied to the Ec2 Instance
Remove the role applied to the Ec2 Instance
Create a separate forensic instance
Create a separate forensic instance
Ensure that the security groups only allow communication to this forensic instance
Ensure that the security groups only allow communication to this forensic instance
Terminate the instance
Terminate the instance
Suggested answer: B, C

Explanation:

Option A is invalid because removing the role will not help completely in such a situation Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.

For more information on security scenarios for your EC2 Instance, please refer to below URL:

https://d1.awsstatic.com/Marketplace/scenarios/security/SEC 11 TSB Final.pd1The correct answers are: Create a separate forensic instance. Ensure that the security groups onlyallow communication to this forensic instanceSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Miguel Triebel
36 questions

Question 338

Report
Export
Collapse

One of your company's EC2 Instances have been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do in from the options given below. Please select:

Take a snapshot of the EBS volume
Take a snapshot of the EBS volume
Isolate the machine from the network
Isolate the machine from the network
Make sure that logs are stored securely for auditing and troubleshooting purpose
Make sure that logs are stored securely for auditing and troubleshooting purpose
Ensure all passwords for all IAM users are changed
Ensure all passwords for all IAM users are changed
Ensure that all access kevs are rotated.
Ensure that all access kevs are rotated.
Suggested answer: A, B, C

Explanation:

Some of the important aspects in such a situation are

1) First isolate the instance so that no further security harm can occur on other AWS resources 2) Take a snapshot of the EBS volume for further investigation. This is incase if you need to shutdown the initial instance and do a separate investigation on the data 3) Next is Option C. This indicates that we have already got logs and we need to make sure that it is stored securely so that n unauthorised person can access it and manipulate it. Option D and E are invalid because they could have adverse effects for the other IAM users.

For more information on adopting a security framework, please refer to below URL

https://d1 .awsstatic.com/whitepapers/compliance/NIST Cybersecurity FrameworkNote:

In the question we have been asked to take actions to find the culprit and to help the investigation or to further reduce the damage that has happened due to the security breach. So by keeping logs secure is one way of helping the investigation.

The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network.

Make sure that logs are stored securely for auditing and troubleshooting purpose Submit your Feedback/Queries to our Experts

asked 16/09/2024
Natcha Koopipat
42 questions

Question 339

Report
Export
Collapse

Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 Instances need to be secure. How would you accomplish this?

Please select:

Use an Application Load balancer and terminate the SSL connection at the ELB
Use an Application Load balancer and terminate the SSL connection at the ELB
Use a Classic Load balancer and terminate the SSL connection at the ELB
Use a Classic Load balancer and terminate the SSL connection at the ELB
Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances
Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances
Suggested answer: D

Explanation:

Since there are applications which work on legacy protocols, you need to ensure that the ELB can be used at the network layer as well and hence you should choose the Classic ELB. Since the traffic needs to be secure till the EC2 Instances, the SSL termination should occur on the Ec2 Instances.

Option A and C are invalid because you need to use a Classic Load balancer since this is a legacy application. Option B is incorrect since encryption is required until the EC2 Instance For more information on HTTPS listeners for classic load balancers, please refer to below URL https://docs.aws.ama20n.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.htmllThe correct answer is: Use a Classic Load balancer and terminate the SSL connection at the EC2InstancesSubmit your Feedback/Queries to our Experts

asked 16/09/2024
David Kimovec
33 questions

Question 340

Report
Export
Collapse

A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the AWS KMS service.

Please select:

Enable rotation of the keys
Enable rotation of the keys
Use Data key caching
Use Data key caching
Create an alias of the key
Create an alias of the key
Use the right key policy
Use the right key policy
Suggested answer: B

Explanation:

The AWS Documentation mentions the following

Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generatir a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales. Option A.C and D are all incorrect since these options will not impact how the key is used.

For more information on data key caching, please refer to below URL:

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-cachine.htmllThe correct answer is: Use Data key caching Submit your Feedback/Queries to our Experts

asked 16/09/2024
Sacha CONTI
43 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?