Amazon SCS-C01 Practice Test - Questions Answers, Page 4
A city is implementing an election results reporting website that will use Amazon CloudFront. The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront. Which solution meets these requirements?

A. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
B. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
C. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
D. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
Suggested answer: D

Explanation:

CloudFront does not assume IAM roles to read an origin bucket; the principal it uses is an origin access identity (or its successor, origin access control), so the bucket policy must name the OAI, which rules out A and B. There is no interface VPC endpoint for CloudFront, so C cannot be built: the ALB origin has to be reachable by CloudFront, and the way to restrict it is a security group inbound rule that references the CloudFront origin-facing managed prefix list (com.amazonaws.global.cloudfront.origin-facing) instead of 0.0.0.0/0. Because that prefix list admits any CloudFront distribution, not just this one, a common additional control is to have the distribution add a secret custom origin header and attach an AWS WAF rule to the ALB that blocks requests lacking it.

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE.)

A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.
B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
C. Ensure the CMK was created before the S3 bucket.
D. Ensure the S3 block public access feature is enabled for the S3 bucket.
E. Ensure that automatic key rotation is disabled for the CMK.
F. Ensure the SCPs within Organizations allow access to the S3 bucket.
Suggested answer: A, B, F

Explanation:

Reading an SSE-KMS object succeeds only if every layer allows it: the SCPs that apply to the account (F), the S3 permissions for s3:GetObject on the bucket (B, together with the role's identity policy), and kms:Decrypt on the CMK (A), where the key policy is authoritative and IAM policies only count if the key policy delegates to the account. Options C, D and E have no bearing on authorization: creation order is irrelevant, Block Public Access does not affect a role in the account, and rotation is transparent to callers because KMS keeps earlier key material for decryption.

A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection. How should a security engineer resolve these issues?

A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
Suggested answer: D

Explanation:

From https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html: "For an ongoing record of events in your AWS account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."

https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/

An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future. A Security Engineer must design a solution that meets the following requirements:

• Make the log files available through an AWS managed service.

• Allow for automatic monitoring of the logs.

• Provide an interface for analyzing logs.

• Minimize effort.

Which approach meets these requirements?

A. Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket.
B. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
C. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
D. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.
Suggested answer: B

Explanation:

The unified CloudWatch agent is the AWS-managed way to ship files from the instance file system into CloudWatch Logs without touching the application; metric filters and alarms on the log group give the automatic monitoring, and CloudWatch Logs Insights gives the analysis interface. Option A requires an application change and S3 offers no monitoring by itself; option C sends logs to a service unrelated to log analysis; option D can work but involves more components to run (Kinesis Agent, Firehose and an Elasticsearch domain) than the requirement to minimize effort allows. The agent needs an instance role with permission to create log streams and put log events, which is the usual reason a freshly installed agent sends nothing.

A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs.

The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker's IP address for future occurrences?

A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.
Suggested answer: D

Explanation:

You send logs from your web ACL to an Amazon Kinesis Data Firehose with a configured storage destination. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose. Each WAF log record carries the client IP, URI and headers of the request the web ACL inspected and lives outside the instances, so it survives the reboots that wipe the local access logs. Flow logs (A) record addresses and ports but no URLs, the CloudWatch agent cannot be installed on an ALB (B), and ALB access logs are delivered only to S3, not directly to Elasticsearch (C).

https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
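
The detection step of answer D, as an added example that is not part of the original page or of any AWS tooling: it parses WAF log records as Firehose delivers them (one JSON object per line) and tallies, per client IP, how often new-user-creation.php was requested and what the web ACL did about it. The record layout follows the documented WAF log fields (timestamp, action, httpRequest.clientIp, httpRequest.uri, httpRequest.args, httpRequest.headers); the log lines themselves, the web ACL ARN and the Athena table name in the comment are constructed.

```python
"""Pull the client IPs behind requests for new-user-creation.php out of AWS WAF logs.

Added example, not from the original page or from AWS. The record shape follows the
documented AWS WAF log fields; WAF writes one such JSON object per request to the
Kinesis Data Firehose destination. The log lines below are constructed sample data.
"""
import json
import posixpath
from collections import Counter, defaultdict

SUSPECT_SCRIPT = "new-user-creation.php"


def _record(ts, action, ip, method, uri, ua, args=""):
    """Build one constructed WAF log line."""
    return json.dumps({
        "timestamp": ts,
        "action": action,
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/abc",  # constructed
        "httpRequest": {
            "clientIp": ip, "country": "XX", "httpMethod": method, "uri": uri, "args": args,
            "headers": [{"name": "User-Agent", "value": ua}],
        },
    })


# Constructed sample log: four request lines plus one truncated line, as a cut-off
# Firehose delivery can leave behind.
SAMPLE_WAF_LOG = "\n".join([
    _record(1700000000000, "ALLOW", "203.0.113.10", "GET", "/index.php", "Mozilla/5.0"),
    _record(1700000001000, "ALLOW", "198.51.100.7", "POST", "/new-user-creation.php", "python-requests/2.31"),
    _record(1700000002000, "ALLOW", "198.51.100.7", "POST", "/new-user-creation.php", "python-requests/2.31", "user=%27"),
    _record(1700000003000, "BLOCK", "192.0.2.44", "GET", "/admin/new-user-creation.php", "curl/8.4"),
    '{"timestamp": 1700000004000, "action": "ALLOW", "httpRequest": {"clientIp": "203.0.113',
])


def parse_waf_log(text: str) -> list:
    """One JSON object per line; skip blank lines and lines that are not complete JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def suspects(records: list, script: str = SUSPECT_SCRIPT) -> dict:
    """Map each client IP that requested `script` to a Counter of the WAF actions taken.

    Matches on the last path component of httpRequest.uri, so the same script under another
    directory is still caught; the query string is in httpRequest.args and is ignored here.
    """
    hits = defaultdict(Counter)
    for rec in records:
        req = rec.get("httpRequest", {})
        if posixpath.basename(req.get("uri", "")) == script:
            hits[req.get("clientIp", "?")][rec.get("action", "?")] += 1
    return dict(hits)


def report(text: str = SAMPLE_WAF_LOG) -> list:
    """Return (ip, total hits) pairs, busiest first: the list handed to the responders."""
    found = suspects(parse_waf_log(text))
    return sorted(((ip, sum(c.values())) for ip, c in found.items()), key=lambda p: -p[1])


# The same question asked of the S3-delivered logs with Athena (table name constructed):
#   SELECT httprequest.clientip, count(*) AS hits
#   FROM waf_logs
#   WHERE regexp_like(httprequest.uri, 'new-user-creation\.php$')
#   GROUP BY httprequest.clientip ORDER BY hits DESC;

if __name__ == "__main__":
    for ip, n in report():
        print(f"{ip}\t{n}")
```

The tally keeps the WAF action alongside the count so that a source the web ACL already blocks can be told apart from one whose requests are reaching the PHP handler; only the latter explains the errors and reboots the team observed.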

A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material. How can the Engineer perform the key rotation process MOST efficiently?

A. Create a new CMK, and redirect the existing Key Alias to the new CMK.
B. Select the option to auto-rotate the key.
C. Upload new key material into the existing CMK.
D. Create a new CMK, and change the application to point to the new CMK.
Suggested answer: A

Explanation:

Automatic rotation is not available for CMKs with imported key material, and KMS accepts only the original key material when material is re-imported into an existing CMK, so B and C are not possible. A and D both rotate manually; A does it without an application change because callers reference the alias, and the alias update is atomic for them. The old CMK must stay enabled for as long as any data encrypted under it exists: KMS ciphertext identifies the key that produced it, so decryption keeps working after the alias moves, but scheduling the old key for deletion strands that data unless it is re-encrypted first.
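
The alias-based rotation of answer A, as an added example that is not from the original page or from AWS. It models, in plain Python with no AWS calls, the two KMS behaviours the procedure relies on: Encrypt may be called through an alias (alias/...) and uses whatever key the alias currently targets, while the ciphertext blob carries the ID of the key that produced it, so Decrypt needs no alias and keeps working after the alias moves. The cipher is a toy HMAC-SHA256 keystream standing in for KMS's real AES-GCM, and the key IDs are generated locally; the KmsSim class and its method names are this example's own.

```python
"""Rotate a KMS key that has imported key material by moving its alias (answer A).

Added example, not from the original page or from AWS. Toy cipher, local key IDs,
no AWS calls; only the two KMS properties described in the lead-in are modelled.
"""
import hashlib
import hmac
import os
import uuid


class KmsSim:
    def __init__(self):
        self.keys = {}     # key_id -> {"material": bytes, "enabled": bool}
        self.aliases = {}  # "alias/name" -> key_id

    def import_key_material(self, material: bytes) -> str:
        """Create a key of origin EXTERNAL whose material the caller supplies."""
        key_id = str(uuid.uuid4())
        self.keys[key_id] = {"material": material, "enabled": True}
        return key_id

    def reimport_key_material(self, key_id: str, material: bytes) -> None:
        """KMS accepts only the original material for an existing key (IncorrectKeyMaterialException)."""
        if material != self.keys[key_id]["material"]:
            raise ValueError("IncorrectKeyMaterialException: key material differs from the original")

    def create_alias(self, alias: str, key_id: str) -> None:
        if not alias.startswith("alias/"):
            raise ValueError("aliases start with alias/")
        self.aliases[alias] = key_id

    def update_alias(self, alias: str, key_id: str) -> None:
        """Re-point an existing alias; every caller that encrypts via the alias moves with it."""
        if alias not in self.aliases:
            raise KeyError(alias)
        self.aliases[alias] = key_id

    def schedule_key_deletion(self, key_id: str) -> None:
        self.keys[key_id]["enabled"] = False

    def _resolve(self, key_ref: str) -> str:
        return self.aliases[key_ref] if key_ref.startswith("alias/") else key_ref

    @staticmethod
    def _keystream(material: bytes, nonce: bytes, n: int) -> bytes:
        """Toy keystream: HMAC-SHA256(material, nonce || counter) blocks. Not for real use."""
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def encrypt(self, key_ref: str, plaintext: bytes) -> bytes:
        key_id = self._resolve(key_ref)
        key = self.keys[key_id]
        if not key["enabled"]:
            raise PermissionError(f"{key_id} is pending deletion")
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key["material"], nonce, len(plaintext))))
        return key_id.encode() + nonce + ct  # the blob names its key, as a real KMS blob does

    def decrypt(self, blob: bytes) -> bytes:
        """No key or alias argument: the blob says which key to use."""
        key_id, nonce, ct = blob[:36].decode(), blob[36:48], blob[48:]
        key = self.keys.get(key_id)
        if key is None or not key["enabled"]:
            raise PermissionError(f"{key_id} is unavailable")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key["material"], nonce, len(ct))))


def rotate_via_alias() -> dict:
    """Annual rotation: new key with fresh material, alias moved, old key kept for old data."""
    kms, alias = KmsSim(), "alias/app-data"
    old_key = kms.import_key_material(os.urandom(32))
    kms.create_alias(alias, old_key)
    old_blob = kms.encrypt(alias, b"written before rotation")

    new_key = kms.import_key_material(os.urandom(32))  # cannot go into old_key: see reimport_key_material
    kms.update_alias(alias, new_key)                    # no application change: callers still use the alias
    new_blob = kms.encrypt(alias, b"written after rotation")

    results = {
        "old_blob_still_decrypts": kms.decrypt(old_blob) == b"written before rotation",
        "new_blob_uses_new_key": new_blob.startswith(new_key.encode()),
        "old_blob_uses_old_key": old_blob.startswith(old_key.encode()),
    }
    # Deleting the old key strands everything it protected unless that data is re-encrypted first.
    kms.schedule_key_deletion(old_key)
    try:
        kms.decrypt(old_blob)
        results["old_blob_after_deletion"] = "decrypted"
    except PermissionError:
        results["old_blob_after_deletion"] = "unavailable"
    return results
```

The last step is the operational caveat: re-pointing the alias rotates what new data is encrypted under, but the compliance evidence for old data is the continued existence of the old key, so key deletion should wait until that data has been re-encrypted (or aged out) rather than follow the alias change.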

A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?

A. Move the account to a new OU and deny IAM:* permissions.
B. Add a Deny policy for all non-S3 services at the account level.
C. Change the policy to:
{"Version": "2012-10-17", "Statement": [{"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*/*"}]}
D. Detach the default FullAWSAccess SCP.
Suggested answer: D

Explanation:

SCPs grant nothing; they bound what identities in the account can be granted, and all SCPs attached at a level are evaluated together, so an action is permitted at that level only if some attached SCP allows it and none denies it. An Allow statement in the new SCP therefore cannot take away what the default FullAWSAccess SCP (Allow every action on every resource) still permits, which is why IAM calls keep succeeding and why rewriting the allow-list as in option C changes nothing. Detaching FullAWSAccess from the OU leaves the S3 allow-list as the only permission set in force there. Before detaching it, confirm the remaining SCP allows any non-S3 actions the accounts still need (sts:AssumeRole, for example), since everything not listed becomes an implicit deny.
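
An added example that is not from the original page or from AWS, serving this question and the earlier AppUser access-denied question: a deliberately small model of IAM evaluation covering only Effect, Action, Resource and Principal (no Condition, no NotAction, a single OU level), written for this page. Run against constructed policies it shows why a role whose S3 side is correct still gets AccessDenied when the KMS key policy does not authorise it (the A, B, F checks), and why an Allow-only SCP restricts nothing while the default FullAWSAccess SCP remains attached. The account ID, ARNs, bucket and key names and all policy documents are constructed.

```python
"""Walk the policy layers behind two scenarios on this page.

Added example, not from the original page or from AWS. Small model: Effect, Action,
Resource and Principal only; no Condition, no NotAction, one OU level. All ARNs and
policy documents below are constructed fixtures.
"""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_applies(stmt: dict, action: str, resource: str, principal=None) -> bool:
    """Match a request against one statement: actions case-insensitively, ARNs exactly."""
    if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    if principal is not None and "Principal" in stmt:  # resource-based policies name principals
        field = stmt["Principal"]
        allowed = ["*"] if field == "*" else _as_list(field.get("AWS", []))
        if not any(p in ("*", principal) for p in allowed):
            return False
    return True


def decide(policies: list, action: str, resource: str, principal=None) -> str:
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    outcome = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, principal):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                outcome = "Allow"
    return outcome


def kms_key_allows(key_policy, identity_policies, role_arn, root_arn, key_arn, action="kms:Decrypt") -> bool:
    """The key policy is authoritative: IAM policies count only if it delegates to the account root."""
    direct = decide([key_policy], action, key_arn, principal=role_arn)
    if direct != "ImplicitDeny":
        return direct == "Allow"
    delegated = decide([key_policy], action, key_arn, principal=root_arn) == "Allow"
    return delegated and decide(identity_policies, action, key_arn) == "Allow"


def troubleshoot_s3_get(scps, identity_policies, bucket_policy, key_policy, *,
                        role_arn, root_arn, object_arn, key_arn) -> list:
    """Name the layers that block GetObject on an SSE-KMS object; an empty list means access works."""
    failures = []
    if decide(scps, "s3:GetObject", object_arn) != "Allow" or decide(scps, "kms:Decrypt", key_arn) != "Allow":
        failures.append("SCP")
    # Same-account S3: identity policy or bucket policy may grant; an explicit Deny in either wins.
    s3 = (decide(identity_policies, "s3:GetObject", object_arn),
          decide([bucket_policy], "s3:GetObject", object_arn, principal=role_arn))
    if "Deny" in s3 or "Allow" not in s3:
        failures.append("S3 bucket/identity policy")
    if not kms_key_allows(key_policy, identity_policies, role_arn, root_arn, key_arn):
        failures.append("KMS key policy")
    return failures


# Constructed fixtures.
ACCOUNT = "111122223333"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppUser"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OBJECT = "arn:aws:s3:::reports-bucket/q1.pdf"

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ALLOW_S3_ONLY = {"Statement": [{"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
APPUSER_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"}]}
# Broken key policy: names only a key administrator and delegates nothing to IAM.
KEY_POLICY_BROKEN = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
                                    "Action": "kms:*", "Resource": "*"}]}
# Fixed: the usual root-delegation statement, so AppUser's identity policy can grant kms:Decrypt.
KEY_POLICY_FIXED = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}


def scenario_access_denied() -> tuple:
    """AppUser question: (layers failing with the broken key policy, layers failing after the fix)."""
    common = dict(role_arn=ROLE, root_arn=ROOT, object_arn=OBJECT, key_arn=KEY)
    return (troubleshoot_s3_get([FULL_AWS_ACCESS], [APPUSER_IDENTITY], BUCKET_POLICY, KEY_POLICY_BROKEN, **common),
            troubleshoot_s3_get([FULL_AWS_ACCESS], [APPUSER_IDENTITY], BUCKET_POLICY, KEY_POLICY_FIXED, **common))


def scenario_scp() -> tuple:
    """SCP question: iam:CreateUser with FullAWSAccess attached, after detaching it, and S3 after detaching."""
    return (decide([FULL_AWS_ACCESS, ALLOW_S3_ONLY], "iam:CreateUser", "*"),
            decide([ALLOW_S3_ONLY], "iam:CreateUser", "*"),
            decide([ALLOW_S3_ONLY], "s3:GetObject", OBJECT))
```

scenario_scp() is the whole of the SCP question in three calls: with both SCPs attached the IAM call is allowed, with FullAWSAccess detached it falls to implicit deny, and S3 keeps working. The model stops at one OU level; in a real organization the same intersection is taken at the root, every parent OU and the account before identity-based policies are even consulted.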

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

• Set up the proxy software on the EC2 instances.

• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

A. Put all the proxy EC2 instances in a cluster placement group.
B. Disable source and destination checks on the proxy EC2 instances.
C. Open all inbound ports on the proxy EC2 instance security group.
D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.
Suggested answer: B

Explanation:

By default every EC2 network interface verifies that it is the source or destination of the traffic it carries and drops anything else. An instance that forwards other hosts' packets, such as a NAT instance or a transparent proxy that is the subnet's default route, must have source/destination checking disabled on its interface. A placement group, wider security group rules or a DHCP options set do not affect that drop.

The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK). Which CMK-related issues could be responsible? (Choose two.)

A. The CMK specified in the application does not exist.
B. The CMK specified in the application is currently in use.
C. The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.
D. The CMK specified in the application is not enabled.
E. The CMK specified in the application is using an alias.
Suggested answer: A, D

Explanation:

Parameter Store calls KMS on the caller's behalf to protect and read SecureString parameters, so a key that does not exist, or that is disabled or pending deletion, makes the Encrypt or Decrypt call fail. A key ID, key ARN, alias name or alias ARN are all valid ways to identify the key (options C and E), and a KMS key is never locked because it is "in use" (option B).

https://docs.amazonaws.cn/en_us/kms/latest/developerguide/services-parameter-store.html

An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

A. Change the value of aws:MultiFactorAuthPresent to true.
B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use the resulting values to make API/CLI calls.
C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass the --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.
Suggested answer: B

Explanation:

The aws:MultiFactorAuthPresent condition key exists only in requests made with temporary credentials that were obtained after an MFA challenge; a request signed with a user's long-term access keys does not carry the key at all, so a policy that requires it to be true denies every CLI call made directly with those keys. Running aws sts get-session-token with --serial-number and --token-code returns temporary credentials that satisfy the condition (option B). Option A removes the control, and options C and D are larger changes than the problem calls for.