Amazon SCS-C01 Practice Test - Questions Answers, Page 39

Your company has an external web site. This web site needs to access the objects in an S3 bucket.

Which of the following would allow the web site to access the objects in the most secure manner?

Please select:

A. Grant public access for the bucket via the bucket policy
B. Use the aws:Referer key in the condition clause for the bucket policy
C. Use the aws:sites key in the condition clause for the bucket policy
D. Grant a role that can be assumed by the web site
Suggested answer: B

Explanation:

An example of this is given in the AWS documentation:

Restricting Access to a Specific HTTP Referrer

Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:Referer key, that the GET request must originate from specific webpages. The policy specifies the StringLike condition with the aws:Referer condition key.

Note that the Referer header is supplied by the client and can be set to any value, so this restriction deters casual hotlinking rather than authenticating the caller; the AWS documentation itself warns against relying on a publicly known referer value.

Option A is invalid because giving public access is not a secure way to provide access.

Option C is invalid because aws:sites is not a valid condition key.

Option D is invalid because IAM roles are assumed by AWS principals and services; they are not assigned to an external web site.

For more information on example bucket policies please visit the below link:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy
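The bucket policy the documentation describes, written out as an added example (it is not a policy from the original page). The bucket name examplebucket and the two domains come from the question text; the https scheme is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObjectFromExampleSitePages",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://www.example.com/*",
            "https://example.com/*"
          ]
        }
      }
    }
  ]
}
```

Because aws:Referer is not among the condition keys that S3 Block Public Access recognises as restricting a policy, a bucket with BlockPublicPolicy enabled will reject this policy outright; that is a useful reminder of how weak the control is. Before treating it as more than a hotlink deterrent, check it with a forged header (for example curl -H 'Referer: https://www.example.com/' against an object URL) and confirm that the object is served.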

Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's AWS Account. Which would be the easiest way to ensure these vulnerabilities are remediated? Please select:

A. Create AWS Lambda functions to download the updates and patch the servers.
B. Use AWS CLI commands to download the updates and patch the servers.
C. Use AWS inspector to patch the servers
D. Use AWS Systems Manager to patch the servers
Suggested answer: D

Explanation:

The AWS documentation mentions the following:

You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can target either instance IDs or Amazon EC2 tags and execute the AWS-RefreshAssociation document or the AWS-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem.

Options A and B are invalid because, even though patching that way is possible, hand-rolled Lambda functions or CLI scripts would have to be written and maintained for every operating system and package manager, which Patch Manager already handles. Option C is invalid because Amazon Inspector assesses instances for vulnerabilities but does not patch them.

For more information on using Systems Manager for compliance remediation please visit the below link:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-fixing.html

The correct answer is: Use AWS Systems Manager to patch the servers
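The Run Command invocation the documentation describes, as an added example that is not from the original page, expressed as the JSON input for aws ssm send-command --cli-input-json file://patch.json. The tag key PatchGroup and its value critical are assumptions.

```json
{
  "DocumentName": "AWS-RunPatchBaseline",
  "Targets": [
    { "Key": "tag:PatchGroup", "Values": ["critical"] }
  ],
  "Parameters": {
    "Operation": ["Install"],
    "RebootOption": ["RebootIfNeeded"]
  },
  "MaxConcurrency": "25%",
  "MaxErrors": "10%",
  "Comment": "Remediate missing patches on critical instances"
}
```

Run it first with Operation set to Scan to see what each instance is missing, then with Install; MaxConcurrency and MaxErrors keep a bad patch from taking down every critical instance at once. The instances must run the SSM Agent and have an instance profile carrying the AmazonSSMManagedInstanceCore managed policy, otherwise they never appear as managed nodes and the command silently targets nothing.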

An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?

Please select:

A. Launch the test and production instances in separate regions and allow region wise access to the group
B. Define the IAM policy which allows access based on the instance ID
C. Create an IAM policy with a condition which allows access to only small instances
D. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
Suggested answer: D

Explanation:

Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it, and an IAM policy can use the ec2:ResourceTag/<key> condition key to allow actions only on instances that carry a given tag.

Option A is invalid because this is not a recommended practice.

Option B is invalid because hard-coding instance IDs in policies is an overhead to maintain.

Option C is invalid because the instance type will not resolve the requirement.

For information on resource tagging, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
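An IAM policy for the test-only group, as an added example rather than a policy from the original page. The tag key Environment with value test is an assumption, as is the set of instance actions granted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsNotResourceScoped",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyTestInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "test"
        }
      }
    },
    {
      "Sid": "NoRetagging",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "*"
    }
  ]
}
```

The Describe call sits in its own statement because ec2:Describe* actions do not support resource-level permissions and would fail under the tag condition. The final Deny is the part people forget: without it a group member could retag a production instance as Environment=test and the second statement would then permit stopping or rebooting it.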

Your company is planning on hosting its resources on AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure of following this policy?

Please select:

A. Using the AWS KMS service for creation of the keys and the company managing the key lifecycle thereafter.
B. Generating the key pairs for the EC2 Instances using puttygen
C. Use the EC2 Key pairs that come with AWS
D. Use S3 server-side encryption
Suggested answer: B

Explanation:

By generating the key pairs for the EC2 instances yourself, you keep complete control of the private keys. Options A, C and D are invalid because in each of those processes AWS generates or holds the key material, and the question specifically mandates that the company manage the keys itself.

For information on security for compute resources, please visit the below URL:

https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

The correct answer is: Generating the key pairs for the EC2 Instances using puttygen

A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement, and in order to boost the agility of the business and to ensure data durability, which of the following options are not required?

Please select:

A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption
Suggested answer: C, D

Explanation:

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.

EBS Lifecycle Policies

A lifecycle policy consists of these core settings:

• Resource type—The AWS resource managed by the policy, in this case, EBS volumes.

• Target tag—The tag that must be associated with an EBS volume for it to be managed by the policy.

• Schedule—Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.

Option C is correct because each Amazon EBS volume is already replicated automatically within its Availability Zone to protect you from component failure, offering high availability and durability; there is no separate "EBS volume replication" feature for you to enable. Option D is correct because encryption protects confidentiality but does not add data durability.

For information on security for compute resources, please visit the below URL:

https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

The correct answers are: Use EBS volume replication. Use EBS volume encryption
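The lifecycle policy described above, as an added example that is not from the original page, in the form passed to aws dlm create-lifecycle-policy --policy-details file://policy.json. The tag key Backup, its value daily, the 03:00 start time and the retention of seven snapshots are assumptions.

```json
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": ["VOLUME"],
  "TargetTags": [
    { "Key": "Backup", "Value": "daily" }
  ],
  "Schedules": [
    {
      "Name": "DailySnapshot",
      "CreateRule": {
        "Interval": 24,
        "IntervalUnit": "HOURS",
        "Times": ["03:00"]
      },
      "RetainRule": { "Count": 7 },
      "CopyTags": true
    }
  ]
}
```

The CLI call also needs --state ENABLED, a --description and an --execution-role-arn for a role DLM can assume (AWSDataLifecycleManagerDefaultRole, created with aws dlm create-default-role). Snapshots of an encrypted volume are encrypted with the same key, so encryption and the snapshot schedule combine cleanly; only the schedule, however, addresses the durability requirement the question asks about.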

The CFO of a company wants to allow one of his employees to view only the AWS usage report page.

Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page? Please select:

A. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
B. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"
C. "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource": "*"
D. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
Suggested answer: C

Explanation:

Per the AWS documentation, viewing the Usage Reports page requires both the aws-portal:ViewUsage and the aws-portal:ViewBilling actions, so Option C is the right answer.

Your company has the following setup in AWS:

a. A set of EC2 Instances hosting a web application
b. An application load balancer placed in front of the EC2 Instances

There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?

Please select:

A. Use Security Groups to block the IP addresses
B. Use VPC Flow Logs to block the IP addresses
C. Use AWS inspector to block the IP addresses
D. Use AWS WAF to block the IP addresses
Suggested answer: D

Explanation:

The AWS documentation mentions the following on AWS WAF, which can be used to protect Application Load Balancers and CloudFront distributions. A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block requests that:

• Originate from an IP address or a range of IP addresses
• Originate from a specific country or countries
• Contain a specified string or match a regular expression (regex) pattern in a particular part of the request
• Exceed a specified length
• Appear to contain malicious SQL code (known as SQL injection)
• Appear to contain malicious scripts (known as cross-site scripting)

Option A is invalid because security groups only have allow rules; they cannot express a deny for specific source addresses. Options B and C are invalid because VPC Flow Logs only record traffic and Amazon Inspector only assesses instances; neither can block IP addresses.

For information on AWS WAF, please visit the below URL:

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html

The correct answer is: Use AWS WAF to block the IP addresses
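A block rule for the load balancer's web ACL, as an added example that is not from the original page, in the form passed to aws wafv2 create-web-acl --rules file://rules.json. The rule name, the account id and the IP set ARN are placeholders; the IP set holding the offending addresses is created beforehand with aws wafv2 create-ip-set --scope REGIONAL (an Application Load Balancer is a regional resource).

```json
[
  {
    "Name": "BlockKnownBadSources",
    "Priority": 0,
    "Action": { "Block": {} },
    "Statement": {
      "IPSetReferenceStatement": {
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/bad-sources/11111111-2222-3333-4444-555555555555"
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockKnownBadSources"
    }
  }
]
```

The web ACL is then attached with aws wafv2 associate-web-acl against the load balancer ARN. If the ALB sits behind CloudFront or another proxy, the connecting address is the proxy's and the rule needs an IPSetForwardedIPConfig so that it matches on X-Forwarded-For instead; keep the metric enabled either way, since the sampled requests are how you confirm the block is hitting the right traffic.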

An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this? Please select:

A. Create an IAM policy with the security group and use that security group for AWS console login
B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
C. Configure the EC2 instance security group which allows traffic only from the organization's IP range
D. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
Suggested answer: B

Explanation:

You can use a Deny statement with a condition on the source address so that a user cannot sign in or make API calls from outside the organization: a NotIpAddress condition on the aws:SourceIp key denies any request whose source address is not within the organization's ranges.

Option A is invalid because security groups are not referenced in IAM policies.

Option C is invalid because security groups control network traffic to EC2 instances, not access to the AWS console or API.

Option D is invalid because the IAM policy does not have such an option.

For more information on IAM policy conditions, please visit the URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-two-condition

The correct answer is: Create an IAM policy with a condition which denies access when the IP address range is not from the organization
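The Deny statement the explanation describes, as an added example rather than a policy from the original page. The two address ranges are RFC 5737 documentation placeholders standing in for the organization's egress addresses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideCorporateRange",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

The aws:ViaAWSService condition is there because when an AWS service makes a call on the user's behalf (CloudFormation, for example) the request carries no aws:SourceIp, and a bare NotIpAddress would then deny it. Requests arriving through a VPC endpoint carry a private source address, so for those use aws:SourceVpc or aws:SourceVpce rather than an address range. Attach the policy to the group, not to individual users, and test it from outside the range before rolling it out: a Deny on "*" that misstates a prefix locks everyone out, administrators included.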

You are creating a Lambda function which will be triggered by a Cloudwatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table? Please select:

A. Put the AWS Access keys in the Lambda function since the Lambda function by default is secure
B. Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
C. Use the AWS Access keys which has access to DynamoDB and then place it in an S3 bucket.
D. Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.
Suggested answer: B

Explanation:

AWS Lambda functions use an execution role to interact with other AWS services, so use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function. Options A and C are invalid because long-lived access keys should never be embedded in function code or parked in an S3 bucket; the role provides temporary credentials to the function automatically.

Option D is invalid because a VPC endpoint provides a private network path to DynamoDB; it does not grant the function any permissions.

For more information on the Lambda function permission model, please visit the URL:

https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html

The correct answer is: Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
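The execution role, as an added example (not code from the original page) written as a CloudFormation template in JSON so that the trust policy and the permissions policy appear together. The parameter EventsTableArn, the role and policy names, and the choice of dynamodb:PutItem as the only table action are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "EventsTableArn": { "Type": "String" }
  },
  "Resources": {
    "EventWriterRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "lambda.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ],
        "Policies": [
          {
            "PolicyName": "WriteEventsTable",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "dynamodb:PutItem",
                  "Resource": { "Ref": "EventsTableArn" }
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```

The function's Role property references this role's ARN (Fn::GetAtt on EventWriterRole.Arn); Lambda then assumes the role and injects temporary credentials into the runtime, so no key material is stored anywhere. AWSLambdaBasicExecutionRole only grants CloudWatch Logs access, which keeps the table permission scoped to one ARN and one action; if the function only ever writes, there is no reason to grant it dynamodb:Scan or dynamodb:DeleteItem.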

There is a set of EC2 Instances in a private subnet. The application hosted on these EC2 Instances needs to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?

Please select:

A. Use a VPC endpoint to the DynamoDB table
B. Use a VPN connection from the VPC
C. Use a VPC gateway from the VPC
D. Use a VPC Peering connection to the DynamoDB table
Suggested answer: A

Explanation:

The AWS documentation shows how you can access the DynamoDB service from within a VPC without going to the Internet. This can be done with the help of a VPC endpoint.

Option B is invalid because a VPN connection is used between an on-premises network and AWS.

Option C is invalid because there is no such option.

Option D is invalid because VPC peering is used to connect two VPCs.

For more information on VPC endpoints for DynamoDB, please visit the URL:

The correct answer is: Use a VPC endpoint to the DynamoDB table
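An endpoint policy for the DynamoDB endpoint, as an added example that is not from the original page, passed with aws ec2 create-vpc-endpoint --service-name com.amazonaws.us-east-1.dynamodb --policy-document file://endpoint-policy.json. The region, the account id and the table name Events are placeholders, and the set of actions is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTheEventsTableThroughThisEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Events"
    }
  ]
}
```

DynamoDB uses a gateway endpoint, so the route tables named in --route-table-ids receive a route for the service prefix list and the private subnets need neither a NAT gateway nor an internet gateway; the instances' IAM role still has to allow the same actions, because the endpoint policy only narrows what can pass through the endpoint. To also refuse access to the table from anywhere other than this VPC, add an aws:SourceVpce condition to the role's policy with the endpoint id returned by the create call.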
