Amazon SCS-C01 Practice Test - Questions Answers, Page 42
List of questions
Question 411
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
You currently operate a web application In the AWS US-East region. The application runs on an autoscaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log dat a. Which of these solutions would you recommend? Please select:
Explanation:
AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account. CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct. Option B is invalid because you need to ensure that global services is select Option C is invalid because you should use bucket policies Option D is invalid because you should ideally just create one S3 bucket For more information on Cloudtrail, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-inteeration.html The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services o selected. Use IAM roles S3 bucket policies and Mulrj Factor Authentication (MFA) Delete on the S3 bucket that stores your l(
Question 412
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
Please select:
Explanation:
The below diagram from an AWS blog shows how access is given to other accounts for the services in your own account
Options A and B are invalid because you should not user IAM users or IAM Access keys
Options D is invalid because you need to create a role for cross account access For more information on Allowing access to external accounts, please visit the below URL:
|https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saassubscription-across-multiple-aws-accounts;The correct answer is: Create an IAM role for cross-account access allows the SaaS provider's accountto assume the role and assign it a policy that allows only the actions required by the SaaS application. Submit your Feedback/Queries to our Experts
Question 413
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this. Please select:
Explanation:
One can use the AWS Encryption CLI to encrypt the data before sending it across to the S3 bucket.
Options A and C are invalid because this would still mean that data is transferred in plain text Option D is invalid because you cannot just enable client side encryption for the S3 bucket For more information on Encrypting and Decrypting data, please visit the below URL:
https://aws.amazonxom/blogs/securirv/how4o-encrvpt-and-decrypt-your-data-with-the-awsencryption-clThe correct answer is: Use the AWS Encryption CLI to encrypt the data first Submit yourFeedback/Queries to our Experts
Question 414
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your company has a set of EC2 Instances defined in AWS. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?
Please select:
Explanation:
The below diagram from an AWS blog shows how security groups can be monitored
Option A is invalid because you need to use Cloudwatch Events to check for chan, Option B is invalid because you need to use Cloudwatch Events to check for chang Option C is invalid because AWS inspector is not used to monitor the activity on Security Groups For more information on monitoring security groups, please visit the below URL:
Ihttpsy/aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notificationsabout-changes-to-your-amazonj 'pc-security-groups/The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups.
Configure the Lambda function for email notification as well.
Submit your Feedback/Queries to our Experts
Question 415
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.
Please select:
Explanation:
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. Options B and C are invalid because you need to use VPC Peering
Option D is invalid because VPC Peering is available
For more information on VPC Peering please see the below Link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html The correct answer is: Set up VPC peering between the central server VPC and each of the teams VPCs. Submit your Feedback/Queries to our Experts
Question 416
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
There is a requirement for a company to transfer large amounts of data between AWS and an onpremise location. There is an additional requirement for low latency and high consistency traffic to AWS. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below Please select:
Explanation:
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect you can establish private connectivity between AWS and your datacenter, office, or colocation environment which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internetbased connections. Options B and C are invalid because these options will not reduce network latency Options D is invalid because this is only used to connect 2 VPC's For more information on AWS direct connect, just browse to the below URL:
https://aws.amazon.com/directconnectThe correct answer is: Provision a Direct Connect connection to an AWS region using a Direct Connectpartner. omit your Feedback/Queries to our Experts
Question 417
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted. Please select:
Explanation:
The condition of "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.
Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-sideencryption":" aws:kms" is present For more information on AWS KMS best practices, just browse to the below URL:
https://dl.awsstatic.com/whitepapers/aws-kms-best-praaices.pdf
Submit your Feedback/Queries to our Expert
Question 418
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
Please select:
Explanation:
Option A is incorrect since you don't add a user to the IAM Role
Option C is incorrect since you don't assign multiple users to a policy Option D is incorrect since this is not an ideal approach An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group For more information on IAM Groups, just browse to the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_eroups.htmlThe correct answer is: Use the IAM groups and add users, based upon their role, to different groupsand apply the policy to groupSubmit your Feedback/Queries to our Experts
Question 419
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way? Please select:
Explanation:
Options A and B are incorrect since you need to add an inline policy just for the user Option C is invalid because you don't assign an IAM role to a user The AWS Documentation mentions the following An inline policy is a policy that's embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later. For more information on IAM Access and Inline policies, just browse to the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/accessThe correct answer is: Add an inline policy for the user Submit your Feedback/Queries to our Experts
Question 420
![Export Export](https://examgecko.com/assets/images/icon-download-24.png)
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective? Please select:
Explanation:
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.
In AWS, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. Options A and B are invalid because the bastion host needs to sit on the public network. Option D is invalid because bastion hosts are not used for monitoring For more information on bastion hosts, just browse to the below URL:
https://docsaws.amazon.com/quickstart/latest/linux-bastion/architecture.htlThe correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session toSSH into internal network to access private subnet resources. Submit your Feedback/Queries to our Experts
Question