Home / Amazon / SCS-C01

Amazon SCS-C01 Practice Test - Questions Answers, Page 47

Question list

List of questions

Question 461

(0)

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and euwest-

Question 462

(0)

A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application ho

Question 463

(0)

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB).

Question 464

(0)

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and b

Question 465

(0)

A company needs to use HTTPS when connecting to its web applications to meet compliancerequirements. These web applications run in Amazon VPC on Amazon EC2 instances behind anApplication Load Balanc

Question 466

(0)

A company created an AWS account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the a

Question 467

(0)

An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future p

Question 468

(0)

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n AWS Organizations. The administrator sw

Question 469

(0)

Attach the following SCP to the OU that contains this account: In the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.

Question 470

(0)

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in wh

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)

A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

A security engineer needs to configure monitoring and auditing for AWS Lambda. Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance. Connect feature. However, the security engineer receives an error (or failed host key validation. Before the rotation of the host keys EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database. What should the company do to set up the snapshot in us-west-1 with proper encryption?

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker's IP address for future occurrences?

A company’s information security team wants to analyze Amazon EC2 performance and utilization data in the near-real time for anomalies. A Sec Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in centralized location to perform the analysis. How should the Security Engineer do this? Log in to each account four te a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

Your current setup in AWS consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup Please select:

Question 461

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and euwest- 3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account Which configuration caused this issue?

An SCP is attached to the account with the following permission statement:

A permission boundary policy is attached to the System Administrator role with the following permission statement:

A permission boundary is attached to the System Administrator role with the following permission statement:

An SCP is attached to the account with the following statement:

Show Answer Comment (0)

Question 462

A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account. How should access be granted?

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Create a temporary IAM user for the application to use in the production account.

Create a temporary IAM user in the production account and provide read access to Amazon S3.Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Show Answer Comment (0)

Question 463

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.

Which combination of steps should the company take to meet this requirement? (Select THREE.)

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting toorigins on Amazon S3

Update the web application configuration on the web servers to use HTTPS instead of HTTP whenconnecting to DynamoDB

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLScertificate Update the ALB to connect to the target group using HTTPS

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update theCloudFront distribution to connect to the HTTPS listener.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with thatcertificate. Update the ALB to connect to the target group using HTTPS.

Show Answer Comment (0)

Question 464

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly. How should the security engineer build the MOST secure solution?

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the originprotocol pokey to HTTPS only Update the application to validate the CloudFront custom header

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocolpolicy to match viewer Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set theorigin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set theorigin protocol policy to HTTPS only Update the application to validate the CloudFront customheader

Show Answer Comment (0)

Question 465

A company needs to use HTTPS when connecting to its web applications to meet compliancerequirements. These web applications run in Amazon VPC on Amazon EC2 instances behind anApplication Load Balancer (ALB). A security engineer wants to ensure that the load balancer win onlyaccept connections over port 443. even if the ALB is mistakenly configured with an HTTP listenerWhich configuration steps should the security engineer take to accomplish this task?

Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00.Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.

Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only.Associate the network ACL with the VPC's internet gateway.

Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

Show Answer Comment (0)

Question 466

A company created an AWS account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual 1AM roles for each team. Which additional configuration steps should the security engineer take to complete the task?

For each team, create an AM policy similar to the one that fellows Populate the ec2:ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding 1AM roles.

For each team create an 1AM policy similar to the one that follows Populate the aws TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding 1AM roles.

Tag each 1AM role with a Team lag key. and use the team name in the tag value. Create an 1AM policy similar to the one that follows, and attach 4 to all the 1AM roles used by developers.

Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Option A

Option B

Option C

Option D

Show Answer Comment (0)

Question 467

An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future. Which steps would help achieve this9 (Select TWO )

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.

Use VPC Flow Logs to monitor network: traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.

Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.

Use AWS WAF to create rules to respond to such attacks

Show Answer Comment (0)

Question 468

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter AWS CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Show Answer Comment (0)

Question 469

Attach the following SCP to the OU that contains this account:

In the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.

For each finding In the audit report, run the ec2 copy-snapshot command and use the encrypted flag specifying an AWS Key Management Service (AWS KMS) CMK

Create a private AMI for the company Configure encryption for the private AMI by selecting the custom AMI in the Amazon EC2 console, the destination AWS Region and the source account s AWS Key Management Service (AWS KMS) master key.

Show Answer Comment (0)

Question 470

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead Which solution meets these requirements?

Use the AWS Systems Manager Parameter Store to generate database credentials. Use an 1AM profile for ECS tasks to restrict access to database credentials to specific containers only.

Use AWS Secrets Manager to store database credentials. Use an 1AM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

Use the AWS Systems Manager Parameter Store to store database credentials. Use 1AM roles for ECS tasks to restrict access to database credentials lo specific containers only

Use AWS Secrets Manager to store database credentials. Use 1AM roles for ECS tasks to restrict access to database credentials to specific containers only.

Show Answer Comment (0)

Total 590 questions

45 46 47 48 49

Go to page: of 59