Amazon SCS-C01 Practice Test - Questions Answers, Page 36
List of questions
Question 351
Your company has just started using AWS and has created an AWS account. They are aware of the potential issues when root access is used. How can they best safeguard the account when it comes to root access? Choose 2 answers from the options given below.
Explanation:
The AWS Documentation mentions the following:
All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you can't restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS.
Option A is incorrect since you cannot delete the root account itself. Option C is partially correct but is not the ideal solution for safeguarding the account. AWS also recommends enabling multi-factor authentication (MFA) on the root user and using it only for the few tasks that require it. For more information on root access vs admin IAM users, please refer to the below URL:
https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys.
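The root-user checks above, as an added example that is not part of the exam page: the script parses the CSV that the IAM credential report returns (the Content field of aws iam get-credential-report, base64-decoded) and flags any active root access key and a root user without MFA. The sample report, account ID and user names are constructed for the example; the column names follow the credential-report layout.

```python
"""Flag risky root-account credential state from an IAM credential report.

Added example, not from the exam page. The report text is what
`aws iam get-credential-report` returns once its Content field is
base64-decoded; the root user appears as the row named <root_account>.
"""
import csv
import io

# Constructed sample in the IAM credential-report column layout:
# root has MFA off and an active access key, the admin user is clean.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-05T10:00:00+00:00,not_supported,2024-02-01T09:12:00+00:00,not_supported,not_supported,false,true,2023-01-05T10:05:00+00:00,2024-02-01T09:10:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2023-01-06T08:00:00+00:00,true,2024-02-02T11:00:00+00:00,2023-01-06T08:00:00+00:00,2023-04-06T08:00:00+00:00,true,true,2023-01-06T08:01:00+00:00,2024-02-02T10:59:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"


def parse_report(text):
    """Parse credential-report CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def root_findings(rows):
    """Return finding strings for the root row.

    Flags every active root access key (with when and where it was
    last used, to help judge what will break when it is deleted) and a
    root user without MFA. Empty list means root is in the recommended
    state: no keys, MFA on.
    """
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["credential report has no root row"]
    findings = []
    for slot in ("access_key_1", "access_key_2"):
        if root.get(f"{slot}_active") == "true":
            findings.append(
                f"root {slot} is active (last used "
                f"{root.get(f'{slot}_last_used_date', 'N/A')} via "
                f"{root.get(f'{slot}_last_used_service', 'N/A')}); delete it"
            )
    if root.get("mfa_active") != "true":
        findings.append("root user has no MFA device; enable one")
    return findings


def check_report(text):
    """Parse a report and return the root findings in one call."""
    return root_findings(parse_report(text))


if __name__ == "__main__":
    for finding in check_report(SAMPLE_REPORT):
        print(finding)
```

Run it against the real report after the root keys are deleted and MFA is enabled; an empty result is the state the exam answer describes. The same parser can be extended to the IAM users in the report (stale keys, keys never rotated) without changing the root checks.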
Question 352
You need to create a Linux EC2 instance in AWS. Which of the following steps are used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.
Explanation:
The AWS Documentation mentions the following:
You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.
Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.
Options A and D are incorrect since you should use key pairs for secure access to EC2 instances. On Windows, PuTTYgen can generate the key pair (or convert the .pem file that EC2 generates into the .ppk format PuTTY uses); only the public key is ever uploaded to EC2. For more information on EC2 key pairs, please refer to the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
The correct answers are: Create a key pair using PuTTY. Use the private key to log into the instance.
Question 353
You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.
Explanation:
The AWS Documentation mentions the following:
"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."
Options A, B and C are all incorrect because you need to use IAM roles for secure access to services; any long-term access key shipped inside the app can be extracted from the device. For more information on web identity federation please refer to the below link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
Question 354
Your team is designing a web application. The users of this web application need to sign in via an external identity provider such as Facebook or Google. Which of the following AWS services would you use for authentication?
Explanation:
The AWS Documentation mentions the following:
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
Option B is incorrect since that service is used for identity federation rather than end-user sign-in.
Option C is incorrect since IAM is purely identity and access management for AWS principals, not for application end users.
Option D is incorrect since that is a configuration service, not an authentication service. For more information on Amazon Cognito please refer to the below link:
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
The correct answer is: AWS Cognito
Question 355
Your application currently uses Amazon Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?
Explanation:
The AWS Documentation mentions the following:
You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.
Option A is incorrect since you need to create Cognito groups, not endpoints. Options C and D are incorrect since they would be overhead when you can use Amazon Cognito groups. Group membership is carried in the cognito:groups claim of the tokens the user pool issues, so the application (or an API Gateway authorizer) can make its read/write decision from a verified token. For more information on Amazon Cognito user groups please refer to the below link:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
The correct answer is: Create different Cognito groups, one for the readers and the other for the contributors.
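The group-based decision described above, as an added example that is not part of the exam page: the application verifies the token first (signature, issuer, audience, token_use, expiry) and only then maps the cognito:groups claim to permissions. Real Cognito tokens are RS256-signed and are verified against the user pool's JWKS; here an HS256 shared key stands in so the example runs offline, and the issuer, client ID, key, group names and users are all constructed.

```python
"""Authorize by Cognito user-pool group from a verified token.

Added example, not from the exam page. Cognito places a user's groups
in the `cognito:groups` claim; the app maps groups to permissions
instead of hard-coding per-user rules. HS256 with a shared key stands
in for Cognito's RS256/JWKS verification so this runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed permission map: group name -> allowed actions.
GROUP_PERMISSIONS = {
    "readers": {"read"},
    "contributors": {"read", "write"},
}

# Constructed values; in a deployment they come from the user pool.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
SIGNING_KEY = b"offline-demo-key-not-a-cognito-key"
EXPECTED_ALG = "HS256"  # a real verifier pins RS256 here


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, groups, ttl=3600, now=None):
    """Mint a token with the claim names Cognito uses (demo issuer)."""
    now = int(time.time()) if now is None else now
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    claims = {
        "sub": username, "iss": ISSUER, "aud": CLIENT_ID,
        "token_use": "id", "iat": now, "exp": now + ttl,
        "cognito:groups": groups,
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Check alg, signature, issuer, audience, token_use and expiry.

    Raises ValueError on any failure; returns the claims otherwise.
    The algorithm is pinned rather than read from the token, which
    closes the alg=none / algorithm-confusion class of bugs.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def permissions_for(claims):
    """Union of the permissions of every known group in cognito:groups."""
    allowed = set()
    for group in claims.get("cognito:groups", []):
        allowed |= GROUP_PERMISSIONS.get(group, set())
    return allowed


def authorize(token, action, now=None):
    """True only if the token verifies and one of its groups grants action."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return action in permissions_for(claims)


if __name__ == "__main__":
    reader = issue_token("alice", ["readers"])
    print("alice read:", authorize(reader, "read"))
    print("alice write:", authorize(reader, "write"))
```

Unknown groups contribute no permissions, so adding a user to a group the application has not mapped grants nothing; that keeps the authorization surface equal to the explicit map rather than to whatever groups exist in the pool.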
Question 356
DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you will probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or a bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below.
Explanation:
The diagram below shows how a WAF sandwich is created: the EC2 instances that host the WAF software are placed between two Elastic Load Balancers, with the outer load balancer taking client traffic and the inner one fronting the application servers.
Options A, B and C are incorrect since the EC2 instances running the WAF software need to be placed in an Auto Scaling group, so that WAF capacity grows with traffic and a failed WAF node is replaced rather than becoming the single point of failure the question describes. For more information on a WAF sandwich please refer to the below link:
https://www.cloudaxis.com/2016/11/21/waf-sandwich/
The correct answer is: The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic Load Balancers.
Question 357
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.
Explanation:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Options A and C are incorrect since CloudTrail needs to be used as part of the solution.
Option B is incorrect since the auditor needs to have access to CloudTrail. For more information on CloudTrail, please visit the below URL:
https://aws.amazon.com/cloudtrail/
The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.
Question 358
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below.
Explanation:
Given the current requirements, assume the method of "least privilege" security design and only allow the auditor access to the minimum amount of AWS resources possible. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Option A is incorrect since the auditor should only be granted access in one location. Option B is incorrect since consolidated billing is not a key requirement as part of the question. Option C is incorrect since there is no consolidated logging. The bucket policy on the central bucket must allow the CloudTrail service principal to deliver logs for every member account ID, so that bucket policy is a cross-account grant in its own right. For more information on CloudTrail please refer to the below URL:
https://aws.amazon.com/cloudtrail/
The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account, and grant the auditor access to that single bucket in the primary account.
Question 359
Your company has a hybrid environment, with on-premises servers and servers hosted in the AWS cloud. They are planning to use Systems Manager for patching servers. Which of the following is a prerequisite for this to work?
Explanation:
You need to ensure that an IAM service role is created for allowing the on-premises servers to communicate with AWS Systems Manager. The on-premises servers are registered through a hybrid activation that references this role, and they need SSM Agent installed with outbound HTTPS access to the Systems Manager endpoints. Option A is incorrect since it is not necessary that servers should only be running Hyper-V. Options C and D are incorrect since it is not necessary that IAM users and groups are created. For more information on the Systems Manager role please refer to the below URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-
The correct answer is: Ensure that an IAM service role is created
Question 360
You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below.
Explanation:
The AWS Security whitepaper gives the types of access control and the level at which each control can be applied.
Options A and C are incorrect since, for external access to buckets, you need to use either bucket policies or bucket ACLs. IAM identity policies attach to users, groups and roles in your own account and cannot grant permissions to principals in another account; bucket policies (the preferred mechanism) and bucket ACLs are resource-based and can name external accounts. For more information on security for storage services please refer to the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Storage_Services_Whitepaper.pdf
The correct answers are: Bucket ACLs, Bucket policies
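The central log bucket of Question 358 and the cross-account bucket grant of Question 360, as one added example that is not part of the exam page: the functions below build the bucket policy that lets the CloudTrail service principal deliver logs for each member account, append a read-only statement for the auditor's principal in another account, and run two review checks (which account IDs the policy lets write, and whether any Allow statement names the wildcard principal). Bucket name, account IDs and the auditor role ARN are constructed; the checks are structural, not an IAM policy simulator.

```python
"""Build and review a central CloudTrail log-bucket policy.

Added example, not from the exam page. Assumes S3 Object Ownership is
set to "bucket owner enforced" on the bucket, so ACLs are disabled and
the bucket policy alone governs access to the delivered log objects.
"""
import json

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def trail_bucket_policy(bucket, account_ids):
    """Bucket policy allowing CloudTrail to deliver logs for each account.

    CloudTrail first checks the bucket ACL (s3:GetBucketAcl) and then
    writes objects under AWSLogs/<account-id>/ with the
    bucket-owner-full-control canned ACL, which the condition requires.
    """
    if not account_ids:
        raise ValueError("at least one account ID is required")
    write_resources = [
        f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*"
        for acct in sorted(set(account_ids))
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": write_resources,
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def with_auditor_read(policy, bucket, auditor_principal_arn):
    """Return a copy of the policy with a read-only grant for an external principal.

    Cross-account access needs both sides: this resource policy in the
    bucket owner's account and an identity policy in the auditor's own
    account that allows the same S3 actions.
    """
    new = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    new["Statement"].append({
        "Sid": "AuditorReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": auditor_principal_arn},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    })
    return new


def writable_accounts(policy):
    """Account IDs that the CloudTrail write statement lets deliver logs."""
    accounts = set()
    for stmt in policy["Statement"]:
        if stmt.get("Sid") != "AWSCloudTrailWrite":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            parts = arn.split("/")  # arn:aws:s3:::bucket/AWSLogs/<id>/*
            if len(parts) >= 3 and parts[1] == "AWSLogs" and parts[2].isdigit():
                accounts.add(parts[2])
    return accounts


def open_to_everyone(policy):
    """True if any Allow statement names the wildcard principal.

    Conservative on purpose: a Condition could narrow such a statement,
    but a log bucket should never need a wildcard principal at all.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS")
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


if __name__ == "__main__":
    policy = trail_bucket_policy("org-trail-logs", ["111111111111", "222222222222"])
    policy = with_auditor_read(policy, "org-trail-logs",
                               "arn:aws:iam::333333333333:role/Auditor")
    print(json.dumps(policy, indent=2))
    print("writers:", sorted(writable_accounts(policy)))
    print("public:", open_to_everyone(policy))
```

The auditor grant names a role in the auditor's account rather than an IAM user in the primary account, which is what keeps the auditor out of the member accounts entirely; the member accounts only ever appear in the policy as log-prefix account IDs.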