
Amazon SCS-C01 Practice Test - Questions Answers, Page 8

Question 71

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:

Network error: Connection timed out.

What could be responsible for the connection failure? (Select THREE)

A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
B. The internet gateway of the VPC has been reconfigured
C. The security group denies outbound traffic on ephemeral ports
D. The route table is missing a route to the internet gateway
E. The NACL denies outbound traffic on ephemeral ports
F. The host-based firewall is denying SSH traffic
Suggested answer: B, D, F
asked 16/09/2024
Tyler Smith
42 questions

Question 72

A company's Security Engineer has been asked to monitor and report all AWS account root user activities. Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)

A. Configuring AWS Organizations to monitor root user API calls on the paying account
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
C. Configuring Amazon Inspector to scan the AWS account for any root user activity
D. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
E. Using Amazon SNS to notify the target group
Suggested answer: B, E
asked 16/09/2024
PRABHAT VAIBHAV
29 questions

Question 73

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
B. Review the application security groups to ensure that only the necessary ports are open.
C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
D. Use Amazon Inspector to periodically scan the backend instances.
E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
Suggested answer: B, D
asked 16/09/2024
Sanaa CHOKIRI
45 questions

Question 74

After a recent security audit involving Amazon S3, a company has asked for assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.

[Image: bucket policy, not reproduced on this page]

Is this bucket policy sufficient to ensure that the data is not publicly accessible?

A. Yes, the bucket policy makes the whole bucket publicly accessible despite how the S3 bucket ACL or object ACLs are configured.
B. Yes, none of the data in the bucket is publicly accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.
Suggested answer: A
asked 16/09/2024
Juy Juy
39 questions

Question 75

A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure all GuardDuty findings are available in the security account.

What should the security engineer do to resolve this issue?

A. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings.
B. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub.
C. Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings.
D. Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.
Suggested answer: D
asked 16/09/2024
OLUWAGBENRO AFUWAPE
39 questions

Question 76

A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

[Image: SCP, not reproduced on this page]

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
B. Add an IAM policy for the Developer, which grants S3 access.
C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
D. Add an allow list for the Developer account for the S3 service.
Suggested answer: C
asked 16/09/2024
Martin Lundgren
39 questions

Question 77

A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses. Which action should the Security Engineer take to allow communication over the public IP addresses?

A. Associate the instances to the same security groups.
B. Add 0.0.0.0/0 to the egress rules of the instance security groups.
C. Add the instance IDs to the ingress rules of the instance security groups.
D. Add the public IP addresses to the ingress rules of the instance security groups.
Suggested answer: D

Explanation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sgrules-other-instances

asked 16/09/2024
Vincent Scotti
29 questions

Question 78

A Developer reported that AWS CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur. What should the Security Engineer do to meet these requirements?

A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
C. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
Suggested answer: B
asked 16/09/2024
Junwei Li
41 questions

Question 79

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

• A trusted forensic environment must be provisioned

• Automated response processes must be orchestrated

Which AWS services should be included in the plan? (Select TWO)

A. AWS CloudFormation
B. Amazon GuardDuty
C. Amazon Inspector
D. Amazon Macie
E. AWS Step Functions
Suggested answer: A, E
asked 16/09/2024
alejandro capel
49 questions

Question 80

A company uses multiple AWS accounts managed with AWS Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.

A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.

Which solution should the security engineer recommend?

A. Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.
B. Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.
C. Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
D. Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.
Suggested answer: B
asked 16/09/2024
jordi vanderpooten
34 questions