ExamGecko
Login
Home / Amazon / SCS-C01 / List of questions
Ask Question

Amazon SCS-C01 Practice Test - Questions Answers, Page 8

List of questions

Question 71

Report
Export
Collapse

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:

Network error: Connection timed out.

What could be responsible for the connection failure? (Select THREE )

The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
The internet gateway of the VPC has been reconfigured
The internet gateway of the VPC has been reconfigured
The security group denies outbound traffic on ephemeral ports
The security group denies outbound traffic on ephemeral ports
The route table is missing a route to the internet gateway
The route table is missing a route to the internet gateway
The NACL denies outbound traffic on ephemeral ports
The NACL denies outbound traffic on ephemeral ports
The host-based firewall is denying SSH traffic
The host-based firewall is denying SSH traffic
Suggested answer: B, D, F
asked 16/09/2024
Tyler Smith
42 questions

Question 72

Report
Export
Collapse

A company's Security Engineer has been asked to monitor and report all AWS account root user activities. Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)

Configuring AWS Organizations to monitor root user API calls on the paying account
Configuring AWS Organizations to monitor root user API calls on the paying account
Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
Configuring Amazon Inspector to scan the AWS account for any root user activity
Configuring Amazon Inspector to scan the AWS account for any root user activity
Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
Using Amazon SNS to notify the target group
Using Amazon SNS to notify the target group
Suggested answer: B, E
asked 16/09/2024
PRABHAT VAIBHAV
29 questions

Question 73

Report
Export
Collapse

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
Review the application security groups to ensure that only the necessary ports are open.
Review the application security groups to ensure that only the necessary ports are open.
Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
Use Amazon Inspector to periodically scan the backend instances.
Use Amazon Inspector to periodically scan the backend instances.
Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
Suggested answer: B, D
asked 16/09/2024
Sanaa CHOKIRI
45 questions

Question 74

Report
Export
Collapse

After a recent security audit involving Amazon S3, a company has asked assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.

Amazon SCS-C01 image Question 74 7192 09162024005923000000

Is this bucket policy sufficient to ensure that the data is not publicity accessible?

Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL or object ACLs are configured.
Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL or object ACLs are configured.
Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.
No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.
Suggested answer: A
asked 16/09/2024
Juy Juy
39 questions

Question 75

Report
Export
Collapse

A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's AW5 Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill A security engineer discovers that a compromised Amazon EC2 instance is being used to mine crypto currency. The Security Operations Center did not receive a GuardDuty finding in the central security account. but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure an GuardDuty finding are available in the security account.

What should the security engineer do to resolve this issue?

Set up an Amazon CloudWatch Event rule to forward ail GuardDuty findings to the security account Use an AWS Lambda function as a target to raise findings
Set up an Amazon CloudWatch Event rule to forward ail GuardDuty findings to the security account Use an AWS Lambda function as a target to raise findings
Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account Use an AWS Lambda function as a target to raise findings in AWS Security Hub
Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account Use an AWS Lambda function as a target to raise findings in AWS Security Hub
Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings
Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings
Use the aws GuardDuty get-members AWS CLI command m the security account to see if the account is listed Send an invitation from GuardDuty m the security account to GuardDuty in the compromised account Accept the invitation to forward all future GuardDuty findings
Use the aws GuardDuty get-members AWS CLI command m the security account to see if the account is listed Send an invitation from GuardDuty m the security account to GuardDuty in the compromised account Accept the invitation to forward all future GuardDuty findings
Suggested answer: D
asked 16/09/2024
OLUWAGBENRO AFUWAPE
39 questions

Question 76

Report
Export
Collapse

A Developer signed in to a new account within an AWS Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

Amazon SCS-C01 image Question 76 7194 09162024005923000000

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
Add an IAM policy for the Developer, which grants S3 access.
Add an IAM policy for the Developer, which grants S3 access.
Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
Add an allow list for the Developer account for the S3 service.
Add an allow list for the Developer account for the S3 service.
Suggested answer: C
asked 16/09/2024
Martin Lundgren
39 questions

Question 77

Report
Export
Collapse

A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses. Which action should the Security Engineer take to allow communication over the public IP addresses?

Associate the instances to the same security groups.
Associate the instances to the same security groups.
Add 0.0.0.0/0 to the egress rules of the instance security groups.
Add 0.0.0.0/0 to the egress rules of the instance security groups.
Add the instance IDs to the ingress rules of the instance security groups.
Add the instance IDs to the ingress rules of the instance security groups.
Add the public IP addresses to the ingress rules of the instance security groups.
Add the public IP addresses to the ingress rules of the instance security groups.
Suggested answer: D

Explanation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sgrules-other-instances

asked 16/09/2024
Vincent Scotti
29 questions

Question 78

Report
Export
Collapse

A Developer reported that AWS CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur. What should the Security Engineer do to meet these requirements?

Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration.Send notifications using Amazon SNS.
Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration.Send notifications using Amazon SNS.
Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
Suggested answer: B
asked 16/09/2024
Junwei Li
41 questions

Question 79

Report
Export
Collapse

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

• A trusted forensic environment must be provisioned

• Automated response processes must be orchestrated

Which AWS services should be included in the plan? {Select TWO)

AWS CloudFormation
AWS CloudFormation
Amazon GuardDuty
Amazon GuardDuty
Amazon Inspector
Amazon Inspector
Amazon Macie
Amazon Macie
AWS Step Functions
AWS Step Functions
Suggested answer: A, E
asked 16/09/2024
alejandro capel
49 questions

Question 80

Report
Export
Collapse

A company uses multiple AWS accounts managed with AWS Organizations Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.

A recent security audit found that the security groups are inconsistency implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.

Which solution should the security engineer recommend?

Use AWS Resource Access Manager to create shared resources for each requited security group and apply an IAM policy that permits read-only access to the security groups only.
Use AWS Resource Access Manager to create shared resources for each requited security group and apply an IAM policy that permits read-only access to the security groups only.
Create an AWS CloudFormation template that creates the required security groups Execute the template as part of configuring new accounts Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur
Create an AWS CloudFormation template that creates the required security groups Execute the template as part of configuring new accounts Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur
Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation
Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation
Use AWS Control Tower to edit the account factory template to enable the snare security groups option Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users
Use AWS Control Tower to edit the account factory template to enable the snare security groups option Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users
Suggested answer: B
asked 16/09/2024
jordi vanderpooten
34 questions
Total 590 questions
Go to page: of 59
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: Encryption in transit Encryption at rest Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.)
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A company's cloud operations team is responsible for building effective security for AWS crossaccount access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture: 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets. 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution. Which solution will meet these requirements MOST securely?
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption. AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?