Amazon SCS-C01 Practice Test - Questions Answers, Page 41
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?

Please select:

A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
B. Ensure the bucket policy has a condition which involves aws:AccountNumber
C. Ensure the bucket policy has a condition which involves aws:PrincipalID
D. Ensure the bucket policy has a condition which involves aws:OrgID

Suggested answer: A

Explanation:

The AWS Documentation mentions the following:

AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization.

Options B, C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrgID. For more information on controlling access via Organizations, please refer to the below link:

https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
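The policy shape the correct answer refers to, as an added example that is not part of the original page or AWS documentation. It builds a bucket policy whose single Allow statement is narrowed by the aws:PrincipalOrgID condition, and includes a small evaluator for that condition so you can see why a caller from another organization (or from no organization at all) is refused; the organization id and bucket name are constructed placeholders.

```python
import fnmatch

# Added example (not from the page or AWS): a bucket policy that grants every
# principal in one AWS Organization access through the aws:PrincipalOrgID
# condition key, plus a minimal evaluator for that kind of condition.
# The organization id and bucket name are constructed placeholders.

ORG_ID = "o-exampleorg12"          # constructed, not a real organization id
BUCKET = "critical-data-bucket"    # constructed


def build_org_bucket_policy(bucket: str, org_id: str) -> dict:
    """Allow read access to the bucket for any principal whose account
    belongs to the organization identified by org_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowWholeOrganization",
            "Effect": "Allow",
            "Principal": "*",  # broad on purpose; the condition narrows it
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def is_allowed(policy: dict, action: str, resource: str, request_ctx: dict) -> bool:
    """Evaluate Allow statements with StringEquals conditions only (enough for
    this policy; real IAM evaluation covers much more). request_ctx maps
    condition keys such as aws:PrincipalOrgID to the caller's values."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # Every condition key must be present and match exactly; a caller from
        # outside any organization carries no aws:PrincipalOrgID at all.
        if all(request_ctx.get(key) == value for key, value in conds.items()):
            return True
    return False


POLICY = build_org_bucket_policy(BUCKET, ORG_ID)
```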

Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket. How can this be achieved?

Please select:

A. Enable VPC flow logs to know the source IP addresses
B. Monitor the S3 API calls by using CloudTrail logging
C. Monitor the S3 API calls by using CloudWatch logging
D. Enable AWS Inspector for the S3 bucket

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.

Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on.

Options A, C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets. For more information on CloudTrail logging, please refer to the below link:

https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

The correct answer is: Monitor the S3 API calls by using CloudTrail logging

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?

Please select:

A. Create individual IAM users
B. Configure MFA on the root account and for privileged IAM users
C. Assign IAM users and groups configured with policies granting least privilege access
D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Suggested answer: A, B, C

Explanation:

When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.

Option D is invalid because, as per the dashboard, this is not part of the security recommendation. For more information on best security practices please visit the URL:

https://aws.amazon.com/whitepapers/aws-security-best-practices/

The correct answers are: Create individual IAM users; Configure MFA on the root account and for privileged IAM users; Assign IAM users and groups configured with policies granting least privilege access

Your team is experimenting with the API Gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API Gateway. How can this be achieved?

Please select:

A. Use the request parameters for authorization
B. Use a Lambda authorizer
C. Use the gateway authorizer
D. Use CORS on the API Gateway

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters.

Options A, C and D are invalid because these cannot be used if you need custom authentication/authorization for calls made to the API Gateway. For more information on using the API Gateway Lambda authorizer please visit the URL:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

The correct answer is: Use a Lambda authorizer

A company has set up EC2 instances on the AWS Cloud. There is a need to see all the IP addresses which are accessing the EC2 Instances. Which service can help achieve this?

Please select:

A. Use the AWS Inspector service
B. Use AWS VPC Flow Logs
C. Use Network ACLs
D. Use Security Groups

Suggested answer: B

Explanation:

The AWS Documentation mentions the following:

A flow log record represents a network flow in your flow log. Each record captures the network flow for a specific 5-tuple, for a specific capture window. A 5-tuple is a set of five different values that specify the source, destination, and protocol for an internet protocol (IP) flow.

Options A, C and D are all invalid because these services/tools cannot be used to get the IP addresses which are accessing the EC2 Instances. For more information on VPC Flow Logs please visit the URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The correct answer is: Use AWS VPC Flow Logs

You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?

Please select:

A. Generate pre-signed URLs for each user as they request access to protected S3 content
B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
D. Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user

Suggested answer: A

Explanation:

All objects and buckets by default are private. The pre-signed URLs are useful if you want your user/customer to be able to upload a specific object to your bucket but you don't require them to have AWS security credentials or permissions. When you create a pre-signed URL, you must provide your security credentials, specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time. The pre-signed URLs are valid only for the specified duration.

Option B is invalid because this would be too difficult to implement at a user level.

Option C is invalid because this is not possible.

Option D is invalid because this is used to serve private content via CloudFront. For more information on pre-signed URLs, please refer to the link:

http://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content

A company is hosting sensitive data in an AWS S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below.

Please select:

A. Use AWS Config to monitor changes to the AWS Bucket
B. Use AWS Lambda function to change the bucket policy
C. Use AWS Trusted Advisor API to monitor the changes to the AWS Bucket
D. Use AWS Lambda function to change the bucket ACL

Suggested answer: A, D

Explanation:

One of the AWS Blogs mentions the usage of AWS Config and Lambda to achieve this. Below is the diagram representation of this.

Option C is invalid because the Trusted Advisor API cannot be used to monitor changes to the AWS Bucket. Option B doesn't seem to be the most appropriate.

1. If the object is in a bucket in which all the objects need to be private and the object is not private anymore, the Lambda function makes a PutObjectAcl call to S3 to make the object private.

https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/

The following link also specifies that: Create a new Lambda function to examine an Amazon S3 bucket's ACL and bucket policy. If the bucket ACL is found to allow public access, the Lambda function overwrites it to be private. If a bucket policy is found, the Lambda function creates an SNS message, puts the policy in the message body, and publishes it to the Amazon SNS topic we created. Bucket policies can be complex, and overwriting your policy may cause unexpected loss of access, so this Lambda function doesn't attempt to alter your policy in any way.

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-toamazon-s3-buckets-allowinj

Based on these facts Option D seems to be more appropriate than Option B.

For more information on implementation of this use case, please refer to the link:

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-toamazon-s3-buckets-allowinj

The correct answers are: Use AWS Config to monitor changes to the AWS Bucket; Use AWS Lambda function to change the bucket ACL
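The remediation logic the quoted blog describes, as an added example that is not the page's or the AWS blog's own code: a public bucket ACL is overwritten with the private canned ACL, while a bucket policy is only surfaced for review because overwriting it could remove legitimate access. StubS3 is a constructed stand-in for a boto3 S3 client (same method names and exception attribute path) so the example runs offline.

```python
# Added example (not the page's or the AWS blog's code): the decision logic a
# remediation Lambda applies to GetBucketAcl / GetBucketPolicy results. A public
# bucket ACL is reset to private; a bucket policy is only reported. StubS3 is a
# constructed stand-in for a boto3 S3 client so the example runs offline.

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_is_public(acl: dict) -> bool:
    """True if any grant targets the AllUsers or AuthenticatedUsers group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        for g in acl.get("Grants", [])
    )

def remediate_bucket(s3, bucket: str) -> dict:
    """Reset a public ACL to private; return the policy (if any) for review."""
    result = {"bucket": bucket, "acl_reset": False, "policy": None}
    if acl_is_public(s3.get_bucket_acl(Bucket=bucket)):
        s3.put_bucket_acl(Bucket=bucket, ACL="private")  # canned private ACL
        result["acl_reset"] = True
    try:
        result["policy"] = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except s3.exceptions.NoSuchBucketPolicy:  # same attribute path as boto3
        pass  # no policy: nothing to report
    return result

class StubS3:
    """Constructed stand-in implementing only the calls used above."""
    class exceptions:
        class NoSuchBucketPolicy(Exception):
            pass
    def __init__(self, acl: dict, policy=None):
        self.acl, self.policy, self.calls = acl, policy, []
    def get_bucket_acl(self, Bucket):
        return self.acl
    def put_bucket_acl(self, Bucket, ACL):
        self.calls.append(("put_bucket_acl", Bucket, ACL))
        self.acl = {"Grants": []}  # owner-only, as the private canned ACL gives
    def get_bucket_policy(self, Bucket):
        if self.policy is None:
            raise self.exceptions.NoSuchBucketPolicy()
        return {"Policy": self.policy}
```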

You have a set of 100 EC2 Instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.

Please select:

A. Ensure a NAT gateway is present to download the updates
B. Use the Systems Manager to patch the instances
C. Ensure an internet gateway is present to download the updates
D. Use the AWS Inspector to patch the updates

Suggested answer: A, B

Explanation:

Option C is invalid because the instances need to remain in the private subnet.

Option D is invalid because AWS Inspector can only detect the patches. One of the AWS Blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup.

For more information on patching Linux workloads in AWS, please refer to the link:

https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/

The correct answers are: Ensure a NAT gateway is present to download the updates; Use the Systems Manager to patch the instances

You have an EC2 instance with the following security configured:

a. ICMP inbound allowed on Security Group
b. ICMP outbound not configured on Security Group
c. ICMP inbound allowed on Network ACL
d. ICMP outbound denied on Network ACL

If Flow Logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.

Please select:

A. An ACCEPT record for the request based on the Security Group
B. An ACCEPT record for the request based on the NACL
C. A REJECT record for the response based on the Security Group
D. A REJECT record for the response based on the NACL

Suggested answer: A, B, D

Explanation:

This example is given in the AWS documentation as well:

For example, you use the ping command from your home computer (IP address is 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:

An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance. A REJECT record for the response ping that the network ACL denied.

Option C is invalid because the REJECT record would not be present. For more information on Flow Logs, please refer to the below URL:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The correct answers are: An ACCEPT record for the request based on the Security Group; An ACCEPT record for the request based on the NACL; A REJECT record for the response based on the NACL
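The stateful-versus-stateless behaviour behind this answer, as an added example that is not part of the page or the AWS documentation. It models a security group that remembers accepted flows and a network ACL that does not, runs the ping request and response through both, and reports which layer produced each flow log action; the addresses are those of the page's example, while the rule tables and record layout are constructed simplifications.

```python
# Added example (not from the page or AWS): a small model of how a stateful
# security group and a stateless network ACL judge the two halves of a ping,
# and which flow log action each half produces. The addresses are the ones in
# the page's example; the rule tables and record layout are constructed.

HOME_IP, INSTANCE_IP, ICMP = "203.0.113.12", "172.31.16.139", 1

# (direction, protocol) -> allowed. A security group has no deny rules, so a
# missing entry means "not allowed"; the NACL below has an explicit deny.
SECURITY_GROUP = {("inbound", ICMP): True}            # no outbound ICMP rule
NETWORK_ACL = {("inbound", ICMP): True, ("outbound", ICMP): False}

class StatefulSecurityGroup:
    """Remembers flows it accepted so the return traffic is allowed even
    though no rule exists in the other direction."""
    def __init__(self, rules):
        self.rules, self.tracked = rules, set()

    def decide(self, src, dst, proto, direction):
        if (dst, src, proto) in self.tracked:          # reply to a tracked flow
            return "ACCEPT"
        if self.rules.get((direction, proto), False):
            self.tracked.add((src, dst, proto))
            return "ACCEPT"
        return "REJECT"

def nacl_decide(rules, proto, direction):
    """Stateless: each direction is judged on its own rule only."""
    return "ACCEPT" if rules.get((direction, proto), False) else "REJECT"

def flow_record(sg, src, dst, proto, direction):
    """Both filters must accept for the flow log to show ACCEPT; otherwise the
    record is REJECT and denied_by names the layer that dropped it."""
    sg_action = sg.decide(src, dst, proto, direction)
    nacl_action = nacl_decide(NETWORK_ACL, proto, direction)
    denied_by = ("security-group" if sg_action == "REJECT"
                 else "network-acl" if nacl_action == "REJECT" else None)
    return {"src": src, "dst": dst, "protocol": proto, "direction": direction,
            "action": "REJECT" if denied_by else "ACCEPT", "denied_by": denied_by}

def ping_flow_records():
    """The two records the page's example describes: request then response."""
    sg = StatefulSecurityGroup(SECURITY_GROUP)
    request = flow_record(sg, HOME_IP, INSTANCE_IP, ICMP, "inbound")
    response = flow_record(sg, INSTANCE_IP, HOME_IP, ICMP, "outbound")
    return [request, response]
```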

Your company looks at the gaming domain and hosts several EC2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDoS attacks on the EC2 Instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?

Please select:

A. Use VPC Flow Logs to monitor the VPC and then implement NACLs to mitigate attacks
B. Use AWS Shield Advanced to protect the EC2 Instances
C. Use AWS Inspector to protect the EC2 Instances
D. Use AWS Trusted Advisor to protect the EC2 Instances

Suggested answer: B

Explanation:

Below is an excerpt from the AWS Documentation on some of the use cases for AWS Shield:

Total 590 questions