ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 42

List of questions

Question 411

Report
Export
Collapse

You currently operate a web application In the AWS US-East region. The application runs on an autoscaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log dat a. Which of these solutions would you recommend? Please select:

Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Mufti Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Mufti Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLsand Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLsand Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
Suggested answer: B

Explanation:

AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account. CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct. Option B is invalid because you need to ensure that global services is select Option C is invalid because you should use bucket policies Option D is invalid because you should ideally just create one S3 bucket For more information on Cloudtrail, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-inteeration.html The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services o selected. Use IAM roles S3 bucket policies and Mulrj Factor Authentication (MFA) Delete on the S3 bucket that stores your l(

asked 16/09/2024
Ronald Buffing
40 questions

Question 412

Report
Export
Collapse

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?

Please select:

From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.
Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.
Suggested answer: C

Explanation:

The below diagram from an AWS blog shows how access is given to other accounts for the services in your own account

Amazon SCS-C01 image Question 412 explanation 7530 09162024005924000000

Options A and B are invalid because you should not user IAM users or IAM Access keys

Options D is invalid because you need to create a role for cross account access For more information on Allowing access to external accounts, please visit the below URL:

|https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saassubscription-across-multiple-aws-accounts;The correct answer is: Create an IAM role for cross-account access allows the SaaS provider's accountto assume the role and assign it a policy that allows only the actions required by the SaaS application. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Johannes Bickel
55 questions

Question 413

Report
Export
Collapse

You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this. Please select:

Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
Use the AWS Encryption CLI to encrypt the data first
Use the AWS Encryption CLI to encrypt the data first
Use a Lambda function to encrypt the data before sending it to the S3 bucket.
Use a Lambda function to encrypt the data before sending it to the S3 bucket.
Enable client encryption for the bucket
Enable client encryption for the bucket
Suggested answer: B

Explanation:

One can use the AWS Encryption CLI to encrypt the data before sending it across to the S3 bucket.

Options A and C are invalid because this would still mean that data is transferred in plain text Option D is invalid because you cannot just enable client side encryption for the S3 bucket For more information on Encrypting and Decrypting data, please visit the below URL:

https://aws.amazonxom/blogs/securirv/how4o-encrvpt-and-decrypt-your-data-with-the-awsencryption-clThe correct answer is: Use the AWS Encryption CLI to encrypt the data first Submit yourFeedback/Queries to our Experts

asked 16/09/2024
Jim Apple
42 questions

Question 414

Report
Export
Collapse

Your company has a set of EC2 Instances defined in AWS. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?

Please select:

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
Use AWS inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.
Use AWS inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.
Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
Suggested answer: D

Explanation:

The below diagram from an AWS blog shows how security groups can be monitored

Amazon SCS-C01 image Question 414 explanation 7532 09162024005924000000

Option A is invalid because you need to use Cloudwatch Events to check for chan, Option B is invalid because you need to use Cloudwatch Events to check for chang Option C is invalid because AWS inspector is not used to monitor the activity on Security Groups For more information on monitoring security groups, please visit the below URL:

Ihttpsy/aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notificationsabout-changes-to-your-amazonj 'pc-security-groups/The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups.

Configure the Lambda function for email notification as well.

Submit your Feedback/Queries to our Experts

asked 16/09/2024
Sankalp Wadiwa
34 questions

Question 415

Report
Export
Collapse

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.

Please select:

Set up VPC peering between the central server VPC and each of the teams VPCs.
Set up VPC peering between the central server VPC and each of the teams VPCs.
Set up AWS DirectConnect between the central server VPC and each of the teams VPCs.
Set up AWS DirectConnect between the central server VPC and each of the teams VPCs.
Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.
Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.
None of the above options will work.
None of the above options will work.
Suggested answer: A

Explanation:

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. Options B and C are invalid because you need to use VPC Peering

Option D is invalid because VPC Peering is available

For more information on VPC Peering please see the below Link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html The correct answer is: Set up VPC peering between the central server VPC and each of the teams VPCs. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Peter Shillingford
34 questions

Question 416

Report
Export
Collapse

There is a requirement for a company to transfer large amounts of data between AWS and an onpremise location. There is an additional requirement for low latency and high consistency traffic to AWS. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below Please select:

Provision a Direct Connect connection to an AWS region using a Direct Connect partner.
Provision a Direct Connect connection to an AWS region using a Direct Connect partner.
Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.
Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.
Create a VPC peering connection between AWS and the Customer gateway.
Create a VPC peering connection between AWS and the Customer gateway.
Suggested answer: A

Explanation:

AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect you can establish private connectivity between AWS and your datacenter, office, or colocation environment which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internetbased connections. Options B and C are invalid because these options will not reduce network latency Options D is invalid because this is only used to connect 2 VPC's For more information on AWS direct connect, just browse to the below URL:

https://aws.amazon.com/directconnectThe correct answer is: Provision a Direct Connect connection to an AWS region using a Direct Connectpartner. omit your Feedback/Queries to our Experts

asked 16/09/2024
Jorrit Meijer
40 questions

Question 417

Report
Export
Collapse

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted. Please select:

Suggested answer: A

Explanation:

The condition of "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.

Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-sideencryption":" aws:kms" is present For more information on AWS KMS best practices, just browse to the below URL:

https://dl.awsstatic.com/whitepapers/aws-kms-best-praaices.pdf

Amazon SCS-C01 image Question 417 explanation 7535 09162024005924000000

Submit your Feedback/Queries to our Expert

asked 16/09/2024
Mirza Daniyal Baig
40 questions

Question 418

Report
Export
Collapse

A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?

Please select:

Create a new role and add each user to the IAM role
Create a new role and add each user to the IAM role
Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
Create a policy and apply it to multiple users using a JSON script
Create a policy and apply it to multiple users using a JSON script
Create an S3 bucket policy with unlimited access which includes each user's AWS account ID
Create an S3 bucket policy with unlimited access which includes each user's AWS account ID
Suggested answer: B

Explanation:

Option A is incorrect since you don't add a user to the IAM Role

Option C is incorrect since you don't assign multiple users to a policy Option D is incorrect since this is not an ideal approach An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group For more information on IAM Groups, just browse to the below URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_eroups.htmlThe correct answer is: Use the IAM groups and add users, based upon their role, to different groupsand apply the policy to groupSubmit your Feedback/Queries to our Experts

asked 16/09/2024
Simone Somacal
31 questions

Question 419

Report
Export
Collapse

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way? Please select:

Add an AWS managed policy for the user
Add an AWS managed policy for the user
Add a service policy for the user
Add a service policy for the user
Add an IAM role for the user
Add an IAM role for the user
Add an inline policy for the user
Add an inline policy for the user
Suggested answer: D

Explanation:

Options A and B are incorrect since you need to add an inline policy just for the user Option C is invalid because you don't assign an IAM role to a user The AWS Documentation mentions the following An inline policy is a policy that's embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later. For more information on IAM Access and Inline policies, just browse to the below URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/accessThe correct answer is: Add an inline policy for the user Submit your Feedback/Queries to our Experts

asked 16/09/2024
Liusel Herrera Garcia
27 questions

Question 420

Report
Export
Collapse

Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective? Please select:

A Bastion host should be on a private subnet and never a public subnet due to security concerns
A Bastion host should be on a private subnet and never a public subnet due to security concerns
A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.
Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.
A Bastion host should maintain extremely tight security and monitoring as it is available to the public
A Bastion host should maintain extremely tight security and monitoring as it is available to the public
Suggested answer: C

Explanation:

A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

In AWS, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. Options A and B are invalid because the bastion host needs to sit on the public network. Option D is invalid because bastion hosts are not used for monitoring For more information on bastion hosts, just browse to the below URL:

https://docsaws.amazon.com/quickstart/latest/linux-bastion/architecture.htlThe correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session toSSH into internal network to access private subnet resources. Submit your Feedback/Queries to our Experts

asked 16/09/2024
Takenobu Tanida
36 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?