Amazon SCS-C01 Practice Test - Questions Answers, Page 42

You currently operate a web application in the AWS US-East region. The application runs on an autoscaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend? Please select:

A.
Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
B.
Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
C.
Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
D.
Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management Console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
Suggested answer: B

Explanation:

AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account. CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct.

Option B is invalid because you need to ensure that global services is selected. Option C is invalid because you should use bucket policies. Option D is invalid because you should ideally just create one S3 bucket.

For more information on CloudTrail, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment to conform to the principles of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?

Please select:

A.
From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
B.
Create an IAM user within the enterprise account, assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
C.
Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
D.
Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
Suggested answer: C

Explanation:

The below diagram from an AWS blog shows how access is given to other accounts for the services in your own account.

Options A and B are invalid because you should not use IAM users or IAM access keys.

Option D is invalid because you need to create a role for cross-account access. For more information on allowing access to external accounts, please visit the below URL:

https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multiple-aws-accounts/

The correct answer is: Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
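One way to realise the chosen option, added here as an illustration (it is not code from the page or from the referenced AWS blog): a CloudFormation template that creates the cross-account role. The vendor account ID 111122223333 and the external ID value are placeholders, the sts:ExternalId condition in the trust policy is the standard control that stops the role being assumed on behalf of some other third party (the confused-deputy problem), and the four ec2:Describe* actions are an assumed minimum for "discovering" EC2 resources.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: least-privilege cross-account role for a SaaS vendor to discover EC2 resources",
  "Resources": {
    "SaaSDiscoveryRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "SaaSVendorEc2Discovery",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "OnlyVendorAccountWithExternalId",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": { "sts:ExternalId": "EXTERNAL-ID-AGREED-WITH-VENDOR" }
              }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "Ec2DiscoveryReadOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DescribeOnly",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeTags"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```

No long-lived access key leaves the enterprise account: the vendor calls AssumeRole and receives temporary credentials, and an AssumeRole request that lacks the agreed external ID is refused.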

You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this? Please select:

A.
Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
B.
Use the AWS Encryption CLI to encrypt the data first.
C.
Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D.
Enable client encryption for the bucket.
Suggested answer: B

Explanation:

One can use the AWS Encryption CLI to encrypt the data before sending it across to the S3 bucket.

Options A and C are invalid because this would still mean that data is transferred in plain text. Option D is invalid because you cannot just enable client-side encryption for the S3 bucket. For more information on encrypting and decrypting data, please visit the below URL:

https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/

The correct answer is: Use the AWS Encryption CLI to encrypt the data first.

Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security groups attached to them. You need to ensure that changes to the security groups are noted and acted on accordingly. How can you achieve this?

Please select:

A.
Use CloudWatch Logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
B.
Use CloudWatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
C.
Use AWS Inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
D.
Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
Suggested answer: D

Explanation:

The below diagram from an AWS blog shows how security groups can be monitored.

Option A is invalid because you need to use CloudWatch Events to check for changes. Option B is invalid because you need to use CloudWatch Events to check for changes. Option C is invalid because AWS Inspector is not used to monitor the activity on Security Groups. For more information on monitoring security groups, please visit the below URL:

https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-your-amazon-vpc-security-groups/

The correct answer is: Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
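An event pattern of the kind that CloudWatch Events rule would match on, added here as an illustration rather than taken from the page or the referenced AWS blog. It assumes CloudTrail is enabled in the region (EC2 API calls reach CloudWatch Events through CloudTrail) and that the Lambda function or SNS topic is attached to the rule as its target separately.

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress",
      "CreateSecurityGroup",
      "DeleteSecurityGroup"
    ]
  }
}
```

The target receives the full CloudTrail record under detail, including userIdentity and requestParameters, which is what the notification should quote and what a function that reverts the change needs.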

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPCs in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement?

Please select:

A.
Set up VPC peering between the central server VPC and each of the teams' VPCs.
B.
Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs.
C.
Set up an IPSec tunnel between the central server VPC and each of the teams' VPCs.
D.
None of the above options will work.
Suggested answer: A

Explanation:

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. Options B and C are invalid because you need to use VPC peering.

Option D is invalid because VPC peering is available.

For more information on VPC peering please see the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

The correct answer is: Set up VPC peering between the central server VPC and each of the teams' VPCs.

There is a requirement for a company to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low latency and high consistency traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below. Please select:

A.
Provision a Direct Connect connection to an AWS region using a Direct Connect partner.
B.
Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
C.
Create an IPSec tunnel for private connectivity, which increases network consistency and reduces latency.
D.
Create a VPC peering connection between AWS and the customer gateway.
Suggested answer: A

Explanation:

AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections. Options B and C are invalid because these options will not reduce network latency. Option D is invalid because this is only used to connect two VPCs. For more information on AWS Direct Connect, just browse to the below URL:

https://aws.amazon.com/directconnect

The correct answer is: Provision a Direct Connect connection to an AWS region using a Direct Connect partner.

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted? Please select:

A.
(policy text not reproduced on this page)
B.
(policy text not reproduced on this page)
C.
(policy text not reproduced on this page)
D.
(policy text not reproduced on this page)
Suggested answer: A

Explanation:

The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.

Options B, C and D are invalid because you have to ensure the condition "s3:x-amz-server-side-encryption":"aws:kms" is present. For more information on AWS KMS best practices, just browse to the below URL:

https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
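A bucket policy that enforces the condition the explanation names, added here as an illustration and not one of the page's answer options. The bucket name demo is taken from the question; the first statement rejects uploads that request any encryption other than SSE-KMS, and the second explicitly covers PutObject requests that omit the header altogether.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWrongEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::demo/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::demo/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Because the condition is evaluated on the request, a client that relies on the bucket's default encryption and sends no x-amz-server-side-encryption header is also denied by the second statement, so clients must set the header explicitly.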

A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?

Please select:

A.
Create a new role and add each user to the IAM role.
B.
Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
C.
Create a policy and apply it to multiple users using a JSON script.
D.
Create an S3 bucket policy with unlimited access which includes each user's AWS account ID.
Suggested answer: B

Explanation:

Option A is incorrect since you don't add a user to an IAM role.

Option C is incorrect since you don't assign multiple users to a policy. Option D is incorrect since this is not an ideal approach. An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions: if you change the permissions on the group, it will affect all the users in that group. For more information on IAM groups, just browse to the below URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

The correct answer is: Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.

You need to create a policy and apply it to just an individual user. How could you accomplish this in the right way? Please select:

A.
Add an AWS managed policy for the user.
B.
Add a service policy for the user.
C.
Add an IAM role for the user.
D.
Add an inline policy for the user.
Suggested answer: D

Explanation:

Options A and B are incorrect since you need to add an inline policy just for the user. Option C is invalid because you don't assign an IAM role to a user. The AWS documentation mentions the following: an inline policy is a policy that's embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later. For more information on IAM access and inline policies, just browse to the below URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access

The correct answer is: Add an inline policy for the user.

Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective? Please select:

A.
A bastion host should be on a private subnet and never a public subnet due to security concerns.
B.
A bastion host sits on the outside of an internal network and is used as a gateway into the private network, and is considered the critical strong point of the network.
C.
Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D.
A bastion host should maintain extremely tight security and monitoring as it is available to the public.
Suggested answer: C

Explanation:

A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

In AWS, a bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. Options A and B are invalid because the bastion host needs to sit on the public network. Option D is invalid because bastion hosts are not used for monitoring. For more information on bastion hosts, just browse to the below URL:

https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html

The correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
