Amazon SCS-C01 Practice Test - Questions Answers, Page 49
A developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon S3 access without affecting the other accounts?

A. Move the SCP to the root OU of the organization to remove the restriction on access to Amazon S3.
B. Add an IAM policy for the developer that grants S3 access.
C. Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.
D. Add an allow list for the developer account for the S3 service.
Suggested answer: C

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS SSO enabled. Which additional steps should the security engineer take to complete the task?

A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
B. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS SSO user portal.
C. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the AWS SSO user portal.
D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify AWS SSO as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
Suggested answer: B

A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organizations structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. Which solution will meet these requirements?

A. Put all users into an IAM group with an access policy granting access to the bucket.
B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.
Suggested answer: D

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company's security specialist recommend?

A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
Suggested answer: D

A website currently runs on Amazon EC2, with mostly static content on the site. Recently the site was subjected to a DDoS attack, and a security engineer was asked to redesign the edge security to help mitigate this risk in the future. What are some ways the engineer could achieve this? (Select THREE)

A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
B. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
C. Change the security group configuration to block the source of the attack traffic.
D. Use AWS WAF security rules to inspect the inbound traffic.
E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
F. Use Amazon Route 53 to distribute traffic.
Suggested answer: B, D, F

A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway.

The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network. How should the company meet these requirements?

A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
Suggested answer: A

A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).

The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
Suggested answer: C

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2, and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2, and User3. Which solution meets these requirements?

A.
B.
C.
D.
Suggested answer: A

A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated. What should the security engineer recommend?

A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.
Suggested answer: C

A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
C. Use AWS DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.
Suggested answer: C