Amazon SCS-C01 Practice Test - Questions Answers, Page 34

A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?

Please select:

A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
Suggested answer: C

Explanation:

Options A and B are invalid because the default NACL rules allow all inbound and outbound traffic.

The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that we need to configure the Security Group of the EC2 instance to allow traffic from the IT administrator's workstation. Hence option C is correct.

Option D is incorrect because we need to allow Inbound SSH traffic on the EC2 instance Security Group, since the traffic originates from the IT admin's workstation.

The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

A company is planning to run a number of Admin-related scripts using the AWS Lambda service.

There is a need to understand if there are any errors encountered when the scripts run. How can this be accomplished in the most effective manner?

Please select:

A. Use Cloudwatch metrics and logs to watch for errors
B. Use Cloudtrail to monitor for errors
C. Use the AWS Config service to monitor for errors
D. Use the AWS inspector service to monitor for errors
Suggested answer: A

Explanation:

The AWS Documentation mentions the following

AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.

Options B, C and D are all invalid because these services cannot be used to monitor for errors.

For more information on Monitoring Lambda functions, please visit the following URL:

https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html

The correct answer is: Use Cloudwatch metrics and logs to watch for errors

A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to be encrypted at rest. How can this be achieved? Please select:

A. Use AWS Access keys to encrypt the data
B. Use SSL certificates to encrypt the data
C. Enable server side encryption on the S3 bucket
D. Enable MFA on the S3 bucket
Suggested answer: C

Explanation:

The AWS Documentation mentions the following

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.

Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data at rest. Option D is invalid because MFA is just used as an extra level of security for S3 buckets.

For more information on S3 server side encryption, please refer to the below link:

https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?

Please select:

A. Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.
B. Check the Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
C. Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
D. Check the Outbound security rules for the database security group. Check both the Inbound and Outbound security rules for the application security group.
Suggested answer: A

Explanation:

Here, since the communication is established inbound to the database server and outbound from the application server, you only need to check the Outbound rules of the application server security group and the Inbound rules of the database server security group.

Option B can't be the correct answer. It says that we need to check the Outbound rules of the database security group, which is not needed. We need to check the Inbound rules of the DB SG and the Outbound rules of the Application SG, because these two groups need to communicate with each other to function properly. Option C is invalid because you don't need to check the Outbound security rules for the database security group. Option D is invalid because you don't need to check the Inbound security rules for the application security group.

For more information on Security Groups, please refer to the below URL:

The correct answer is: Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.

Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB? Please select:

A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
B. Encrypt the DynamoDB table using KMS during its creation
C. Encrypt the table using AWS KMS after it is created
D. Use S3 buckets to encrypt the data before sending it to DynamoDB
Suggested answer: B

Explanation:

The easiest option is to enable encryption when the DynamoDB table is created.

The AWS Documentation mentions the following

Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.

Option A is partially correct: you can use the AWS SDK to encrypt the data, but the easier option is to encrypt the table beforehand. Option C is invalid because you cannot encrypt the table after it is created.

Option D is invalid because encryption for S3 buckets applies to the objects in S3 only.

For more information on securing data at rest for DynamoDB, please refer to the below URL:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

The correct answer is: Encrypt the DynamoDB table using KMS during its creation

Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?

Please select:

A. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.
C. Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
D. Put the metadata in the S3 bucket itself.
Suggested answer: C

Explanation:

Options A, B and D are all invalid because the metadata will not be encrypted in any case, and this is a key requirement from the question. One key thing to note is that when the S3 bucket objects are encrypted, the metadata is not encrypted. So the best option is to use an encrypted DynamoDB table.

Important: All GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted.

For more information on using KMS encryption for S3, please refer to the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

The correct answer is: Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.

One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance? Select 2 answers from the options given below. Please select:

A. Remove the role applied to the Ec2 Instance
B. Create a separate forensic instance
C. Ensure that the security groups only allow communication to this forensic instance
D. Terminate the instance
Suggested answer: B, C

Explanation:

Option A is invalid because removing the role will not help completely in such a situation. Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance. One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.

For more information on security scenarios for your EC2 Instance, please refer to the below URL:

https://d1.awsstatic.com/Marketplace/scenarios/security/SEC 11 TSB Final.pdf

The correct answers are: Create a separate forensic instance. Ensure that the security groups only allow communication to this forensic instance.

One of your company's EC2 Instances have been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do in from the options given below. Please select:

A. Take a snapshot of the EBS volume
B. Isolate the machine from the network
C. Make sure that logs are stored securely for auditing and troubleshooting purpose
D. Ensure all passwords for all IAM users are changed
E. Ensure that all access keys are rotated.
Suggested answer: A, B, C

Explanation:

Some of the important aspects in such a situation are:

1) First isolate the instance so that no further security harm can occur to other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we already have logs, and we need to make sure that they are stored securely so that no unauthorised person can access or manipulate them.

Options D and E are invalid because they could have adverse effects for the other IAM users.

For more information on adopting a security framework, please refer to the below URL:

https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework

Note:

In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.

The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purpose.

Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 Instances needs to be secure. How would you accomplish this?

Please select:

A. Use an Application Load balancer and terminate the SSL connection at the ELB
B. Use a Classic Load balancer and terminate the SSL connection at the ELB
C. Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
D. Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances
Suggested answer: D

Explanation:

Since there are applications which work on legacy protocols, you need to ensure that the ELB can be used at the network layer as well, and hence you should choose the Classic ELB. Since the traffic needs to be secure all the way to the EC2 Instances, the SSL termination should occur on the EC2 Instances.

Options A and C are invalid because you need to use a Classic Load balancer since this is a legacy application. Option B is incorrect since encryption is required until the EC2 Instance.

For more information on HTTPS listeners for classic load balancers, please refer to the below URL:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html

The correct answer is: Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances

A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the AWS KMS service?

Please select:

A. Enable rotation of the keys
B. Use Data key caching
C. Create an alias of the key
D. Use the right key policy
Suggested answer: B

Explanation:

The AWS Documentation mentions the following

Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.

Options A, C and D are all incorrect since these options will not impact how the key is used.

For more information on data key caching, please refer to the below URL:

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html

The correct answer is: Use Data key caching

Total 590 questions