ExamGecko

Amazon SCS-C01 Practice Test - Questions Answers, Page 52

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.

To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances. What should the security engineer do next?

A. Place the network interface in promiscuous mode to capture the traffic.
B. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
D. Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.
Suggested answer: D

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts. Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A.
B.
C.
Suggested answer: C

A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

Which solution meets these requirements?

A. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
B. Use AWS Secrets Manager to store the database credentials. Configure automatic rotation of the credentials.
C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication.
D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate the credentials on a scheduled basis.
Suggested answer: A

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.

How can a security engineer meet this requirement?

A. Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS).
C. Create an HTTPS listener that uses the Server Order Preference security feature.
D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).
Suggested answer: A

A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways.

Which combination of steps should the application team take to meet these requirements? (Select THREE.)

A. Create an S3 endpoint that has a full-access policy for the application's VPC.
B. Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.
C. Launch the Lambda function. Enable the block public access configuration.
D. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.
E. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.
F. Launch the Lambda function in a VPC.
Suggested answer: A, D, F

A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages. The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.

The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal. The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)

A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
Suggested answer: A, C, E

A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database. During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.

Which combination of options can the company use to meet these requirements? (Select TWO.)

A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.
C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.
Suggested answer: C, E

A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet. A security engineer needs to deny access from the offending IP addresses.

Which solution will meet these requirements?

A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
B. Add a rule to all security groups to deny the incoming requests from the IP address range.
C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.
Suggested answer: A

Explanation:

Note that the offending IP address range is known and the question asks us to deny access from that specific range, so an IP set match rule statement in the AWS WAF web ACL is the appropriate way to block that access.

A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead. Which solution will meet these requirements?

A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
Suggested answer: B

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)

A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.
Suggested answer: A, C, D
Total 590 questions