Amazon SCS-C01 Practice Test - Questions Answers, Page 50

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. Which change to the policy should the security engineer make to resolve these issues?

A. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
B. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
C. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.
Suggested answer: C

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Suggested answer: A, C

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.

The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead. Which solution meets these requirements?

A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
C. Analyze VPC flow logs for activity by searching for the access key.
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
Suggested answer: A

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.

How should the security engineer prevent unauthorized access to the EC2 instances?

A. Delete the key pair from the EC2 console. Create a new key pair.
B. Use the ModifyInstanceAttribute API operation to change the key on any EC2 instance that is using the key.
C. Restrict SSH access in the security group to only known corporate IP addresses.
D. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.
Suggested answer: C

A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?

A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.
Suggested answer: B

An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.

Which solution meets these requirements with the MOST operational efficiency?

A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
Suggested answer: A

A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?

A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
Suggested answer: C

A company's cloud operations team is responsible for building effective security for AWS cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:

Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

A. Ask the developers to change their password and use a different web browser.
B. Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.
C. Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.
D. Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.
E. Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.
Suggested answer: A, D

A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.

Which solution meets these requirements?

A. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.
B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
D. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.
Suggested answer: C

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. How can the security engineer meet these requirements?

A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.
Suggested answer: D