ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 36

List of questions

Question 351

Report
Export
Collapse

Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers fro the options given below Please select:

Delete the root access account
Delete the root access account
Create an Admin IAM user with the necessary permissions
Create an Admin IAM user with the necessary permissions
Change the password for the root account.
Change the password for the root account.
Delete the root access keys
Delete the root access keys
Suggested answer: B, D

Explanation:

The AWS Documentation mentions the following

All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you cant restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS. Option A is incorrect since you cannot delete the root access account

Option C is partially correct but cannot be used as the ideal solution for safeguarding the account For more information on root access vs admin IAM users, please refer to below URL:

https://docs.aws.amazon.com/eeneral/latest/er/root-vs-iam.htmlThe correct answers are: Create an Admin IAM user with the necessary permissions. Delete the rootaccess keys Submit your Feedback/Queries to our Experts

asked 16/09/2024
Keona Campbell
34 questions

Question 352

Report
Export
Collapse

You need to create a Linux EC2 instance in AWS. Which of the following steps is used to ensure secure authentication the EC2 instance from a windows machine. Choose 2 answers from the options given below. Please select:

Ensure to create a strong password for logging into the EC2 Instance
Ensure to create a strong password for logging into the EC2 Instance
Create a key pair using putty
Create a key pair using putty
Use the private key to log into the instance
Use the private key to log into the instance
Ensure the password is passed securely using SSL
Ensure the password is passed securely using SSL
Suggested answer: B, C

Explanation:

The AWS Documentation mentions the following

You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.

Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place. Options A and D are incorrect since you should use key pairs for secure access to Ec2 Instances For more information on EC2 key pairs, please refer to below URL:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.htmlThe correct answers are: Create a key pair using putty. Use the private key to log into the instanceSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Mark Chow
43 questions

Question 353

Report
Export
Collapse


You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the belov methods would be the best both practically and security-wise, to access the tables? Choose the correct answer from the options below Please select:

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift readonly access. Embed th keys in the application.
Create an IAM user and generate encryption keys for that user. Create a policy for Redshift readonly access. Embed th keys in the application.
Create an HSM client certificate in Redshift and authenticate using this certificate.
Create an HSM client certificate in Redshift and authenticate using this certificate.
Create a Redshift read-only access policy in IAM and embed those credentials in the application.
Create a Redshift read-only access policy in IAM and embed those credentials in the application.
Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
Suggested answer: D

Explanation:

The AWS Documentation mentions the following

"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads t device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamica when needed using web identify federation. The supplied temporary credentials map to an AWS role that has only the permissioi needed to perform the tasks required by the mobile app".

Option A.B and C are all automatically incorrect because you need to use IAM Roles for Secure access to services For more information on web identity federation please refer to the below Link: http://docs.aws.amazon.com/IAM/latest/ UserGuide/id_roles_providers_oidc.html The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the RedShift table by providing temporary credentials. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Rey Geric Villafranca
43 questions

Question 354

Report
Export
Collapse

Your team is designing a web application. The users for this web application would need to sign in via an external ID provider such asfacebook or Google. Which of the following AWS service would you use for authentication? Please select:

AWS Cognito
AWS Cognito
AWS SAML
AWS SAML
AWS IAM
AWS IAM
AWS Config
AWS Config
Suggested answer: A

Explanation:

The AWS Documentation mentions the following

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users ca sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google. Option B is incorrect since this is used for identity federation

Option C is incorrect since this is pure Identity and Access management

Option D is incorrect since AWS is a configuration service For more information on AWS Cognito please refer to the below Link:

https://docs.aws.amazon.com/coenito/latest/developerguide/what-is-amazon-cognito.htmlThe correct answer is: AWS CognitoSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Edwin Lebron
38 questions

Question 355

Report
Export
Collapse

Your application currently use AWS Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How wou you manage the access effectively?

Please select:

Create different cognito endpoints, one for the readers and the other for the contributors.
Create different cognito endpoints, one for the readers and the other for the contributors.
Create different cognito groups, one for the readers and the other for the contributors.
Create different cognito groups, one for the readers and the other for the contributors.
You need to manage this within the application itself
You need to manage this within the application itself
This needs to be managed via Web security tokens
This needs to be managed via Web security tokens
Suggested answer: B

Explanation:

The AWS Documentation mentions the following

You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.

Option A is incorrect since you need to create cognito groups and not endpoints Options C and D are incorrect since these would be overheads when you can use AWS Cognito For more information on AWS Cognito user groups please refer to the below Link:

https://docs.aws.amazon.com/coenito/latest/developersuide/cognito-user-pools-user-groups.htmllThe correct answer is: Create different cognito groups, one for the readers and the other for thecontributors. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Nicola Grossi
38 questions

Question 356

Report
Export
Collapse

DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you should probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below

Please select:

The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.
The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.
The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.
The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.
Suggested answer: D

Explanation:

The below diagram shows how a WAF sandwich is created. Its the concept of placing the Ec2 instance which hosts the WAF software in between 2 elastic load balancers.

Option A.B and C are incorrect since the EC2 Instance with the WAF software needs to be placed in an Autoscaling Group For more information on a WAF sandwich please refer to the below Link:

https://www.cloudaxis.eom/2016/11/2l/waf-sandwich/lThe correct answer is: The EC2 instance running your WAF software is included in an Auto Scalinggroup and placed in between two Elastic load balancers. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Jurriaan van Ingen
33 questions

Question 357

Report
Export
Collapse

A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:

Create a role that has the required permissions for the auditor.
Create a role that has the required permissions for the auditor.
Create an SNS notification that sends the CloudTrail log files to the auditor's email when CIoudTrail delivers the logs to S3, but do not allow the auditor access to the AWS environment.
Create an SNS notification that sends the CloudTrail log files to the auditor's email when CIoudTrail delivers the logs to S3, but do not allow the auditor access to the AWS environment.
The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to th^ third-party auditor.
The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to th^ third-party auditor.
Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.
Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.
Suggested answer: D

Explanation:

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.

Option A and C are incorrect since Cloudtrail needs to be used as part of the solution

Option B is incorrect since the auditor needs to have access to Cloudtrail For more information on cloudtrail, please visit the below URL:

https://aws.amazon.com/cloudtraiLThe correct answer is: Enable CloudTrail logging and create an IAM user who has read-onlypermissions to the required AWS resources, including the bucket containing the CloudTrail logs. Submit your Feedback/Queries to our Experts

asked 16/09/2024
MIGUEL PARADA VAZQUEZ
34 questions

Question 358

Report
Export
Collapse

An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below Please select:

Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and erant the auditor access to that single bucket in the orimarv account.
Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and erant the auditor access to that single bucket in the orimarv account.
Suggested answer: D

Explanation:

Given the current requirements, assume the method of "least privilege" security design and only allow the auditor access to the minimum amount of AWS resources as possibli AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting only be granted access in one location Option

Option A is incorrect since the auditor should B is incorrect since consolidated billing is not a key requirement as part of the question Option C is incorrect since there is not consolidated logging For more information on Cloudtrail please refer to the below URL:

https://aws.amazon.com/cloudtraiL

( The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bud in the primary account and grant the auditor access to that single bucket in the primary account. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Wanicha Inburan
37 questions

Question 359

Report
Export
Collapse

Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work; Please select:

Ensure that the on-premise servers are running on Hyper-V.
Ensure that the on-premise servers are running on Hyper-V.
Ensure that an IAM service role is created
Ensure that an IAM service role is created
Ensure that an IAM User is created
Ensure that an IAM User is created
Ensure that an IAM Group is created for the on-premise servers
Ensure that an IAM Group is created for the on-premise servers
Suggested answer: B

Explanation:

You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with the AWS Systems Manager. Option A is incorrect since it is not necessary that servers should only be running Hyper-V Options C and D are incorrect since it is not necessary that IAM users and groups are created For more information on the Systems Manager role please refer to the below URL:

.com/systems-rnanaeer/latest/usereuide/sysman-!

The correct answer is: Ensure that an IAM service role is created

Submit your Feedback/Queries to our Experts

asked 16/09/2024
Harri rrapaj
32 questions

Question 360

Report
Export
Collapse

You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below Please select:

IAM policies
IAM policies
Buckets ACL's
Buckets ACL's
IAM users
IAM users
Bucket policies
Bucket policies
Suggested answer: B, D

Explanation:

The AWS Security whitepaper gives the type of access control and to what level the control can be given

Amazon SCS-C01 image Question 360 explanation 7478 09162024005924000000

Options A and C are incorrect since for external access to buckets, you need to use either Bucket policies or Bucket ACL's or more information on Security for storage services role please refer to the below URL:

https://d1.awsstatic.com/whitepapers/Security/Security Storage Services Whitepaper.pdfThe correct answers are: Buckets ACL's, Bucket policiesSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Abel Galleguillos
39 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?