Amazon SCS-C01 Practice Test - Questions Answers, Page 36
Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers from the options given below.

A. Delete the root access account
B. Create an Admin IAM user with the necessary permissions
C. Change the password for the root account.
D. Delete the root access keys

Suggested answer: B, D

Explanation:

The AWS Documentation mentions the following:

All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you can't restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS.

Option A is incorrect since you cannot delete the root account.

Option C is partially correct but cannot be used as the ideal solution for safeguarding the account.

For more information on root access vs admin IAM users, please refer to the below URL: https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html

The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys.

You need to create a Linux EC2 instance in AWS. Which of the following steps is used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.

A. Ensure to create a strong password for logging into the EC2 Instance
B. Create a key pair using PuTTY
C. Use the private key to log into the instance
D. Ensure the password is passed securely using SSL

Suggested answer: B, C

Explanation:

The AWS Documentation mentions the following:

You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.

Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.

Options A and D are incorrect since you should use key pairs for secure access to EC2 instances.

For more information on EC2 key pairs, please refer to the below URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

The correct answers are: Create a key pair using PuTTY. Use the private key to log into the instance.


You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.

A. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.
B. Create an HSM client certificate in Redshift and authenticate using this certificate.
C. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
D. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Suggested answer: D

Explanation:

The AWS Documentation mentions the following:

"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."

Options A, B and C are all incorrect because you need to use IAM roles for secure access to services.

For more information on web identity federation, please refer to the below link: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Your team is designing a web application. The users for this web application would need to sign in via an external ID provider such as Facebook or Google. Which of the following AWS services would you use for authentication?

A. AWS Cognito
B. AWS SAML
C. AWS IAM
D. AWS Config

Suggested answer: A

Explanation:

The AWS Documentation mentions the following:

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

Option B is incorrect since this is used for identity federation.

Option C is incorrect since this is pure Identity and Access Management.

Option D is incorrect since AWS Config is a configuration service.

For more information on AWS Cognito, please refer to the below link: https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html

The correct answer is: AWS Cognito.

Your application currently uses AWS Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?

A. Create different Cognito endpoints, one for the readers and the other for the contributors.
B. Create different Cognito groups, one for the readers and the other for the contributors.
C. You need to manage this within the application itself
D. This needs to be managed via web security tokens

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.

Option A is incorrect since you need to create Cognito groups and not endpoints.

Options C and D are incorrect since these would be overheads when you can use AWS Cognito.

For more information on AWS Cognito user groups, please refer to the below link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

The correct answer is: Create different Cognito groups, one for the readers and the other for the contributors.

DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you should include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below.

A. The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.
B. The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
C. The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
D. The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic Load Balancers.

Suggested answer: D

Explanation:

The diagram referenced here (not reproduced on this page) shows how a WAF sandwich is created. It's the concept of placing the EC2 instance which hosts the WAF software in between two Elastic Load Balancers.

Options A, B and C are incorrect since the EC2 instance with the WAF software needs to be placed in an Auto Scaling group.

For more information on a WAF sandwich, please refer to the below link: https://www.cloudaxis.com/2016/11/21/waf-sandwich/

The correct answer is: The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic Load Balancers.

A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.

A. Create a role that has the required permissions for the auditor.
B. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the logs to S3, but do not allow the auditor access to the AWS environment.
C. The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to the third-party auditor.
D. Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.

Suggested answer: D

Explanation:

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.

Options A and C are incorrect since CloudTrail needs to be used as part of the solution.

Option B is incorrect since the auditor needs to have access to CloudTrail.

For more information on CloudTrail, please visit the below URL: https://aws.amazon.com/cloudtrail/

The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.

An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below.

A. Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
B. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
C. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.

Suggested answer: D

Explanation:

Given the current requirements, assume the method of "least privilege" security design and only allow the auditor access to the minimum amount of AWS resources as possible.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.

Option A is incorrect since the auditor should only be granted access in one location.

Option B is incorrect since consolidated billing is not a key requirement as part of the question.

Option C is incorrect since there is no consolidated logging inside CloudTrail.

For more information on CloudTrail, please refer to the below URL: https://aws.amazon.com/cloudtrail/

The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.

Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use Systems Manager for patching servers. Which of the following is a prerequisite for this to work?

A. Ensure that the on-premise servers are running on Hyper-V.
B. Ensure that an IAM service role is created
C. Ensure that an IAM User is created
D. Ensure that an IAM Group is created for the on-premise servers

Suggested answer: B

Explanation:

You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with AWS Systems Manager.

Option A is incorrect since it is not necessary that servers should only be running Hyper-V.

Options C and D are incorrect since it is not necessary that IAM users and groups are created.

For more information on the Systems Manager role, please refer to the below URL (truncated in the source): .../systems-manager/latest/userguide/sysman-...

The correct answer is: Ensure that an IAM service role is created.

You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below.

A. IAM policies
B. Bucket ACLs
C. IAM users
D. Bucket policies

Suggested answer: B, D

Explanation:

The AWS Security whitepaper gives the type of access control and to what level the control can be given.

Options A and C are incorrect since for external access to buckets, you need to use either bucket policies or bucket ACLs.

For more information on security for storage services, please refer to the below URL: https://d1.awsstatic.com/whitepapers/Security/Security Storage Services Whitepaper.pdf

The correct answers are: Bucket ACLs, Bucket policies.
