SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 121:

    A company needs to retain log data archives for several years to be compliant with regulations. The log data is no longer used, but it must be retained.

    What is the MOST secure and cost-effective solution to meet these requirements?

    A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3:DeleteObject API.
    B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy.
    C. Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region. Choose the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and apply a restrictive bucket policy to deny the s3:DeleteObject API.
    D. Migrate the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Create a snapshot of the EBS volume.

  • Question 122:

    Your company has confidential documents stored in the Simple Storage Service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect, what is the change you would make to comply with this requirement?

    Please select:

    A. Apply Multi-AZ for the underlying S3 bucket
    B. Copy the data to an EBS Volume in another Region
    C. Create a snapshot of the S3 bucket and copy it to another region
    D. Enable Cross region replication for the S3 bucket

  • Question 123:

    A company's data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key. The company has AWS Lambda functions that run in the same account as the S3 bucket. The Lambda functions need to access the data in the S3 bucket. A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.

    What should the security engineer do to meet this requirement?

    A. Create Lambda IAM users for each Lambda function. Attach an IAM policy that includes specific access permissions to use the KMS key.
    B. Create a key grant for the Lambda service principal. Add or remove specific access permissions to use the KMS key.
    C. Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.
    D. Configure each Lambda function to assume an IAM role that provides specific access permissions to use the AWS managed KMS key for Amazon S3.

  • Question 124:

    A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

    Which combination of the following actions MOST satisfies this requirement? (Choose two.)

    A. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
    B. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
    C. Create a VPC endpoint for AWS KMS with private DNS enabled.
    D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
    E. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

  • Question 125:

    You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?

    Please select:

    A. Add an AWS managed policy for the user
    B. Add a service policy for the user
    C. Add an IAM role for the user
    D. Add an inline policy for the user

  • Question 126:

    You have an S3 bucket hosted in AWS. This is used to host promotional videos uploaded by yourself. You need to provide access to users for a limited duration of time. How can this be achieved?

    Please select:

    A. Use versioning and enable a timestamp for each version
    B. Use Pre-signed URLs
    C. Use IAM Roles with a timestamp to limit the access
    D. Use IAM policies with a timestamp to limit the access

  • Question 127:

    A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement and, in order to boost the agility of the business and to ensure data durability, which of the following options are not required?

    Please select:

    A. Use lifecycle policies for the EBS volumes
    B. Use EBS Snapshots
    C. Use EBS volume replication
    D. Use EBS volume encryption

  • Question 128:

    A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.

    The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear.

    Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

    A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
    B. Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
    C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
    D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.
    E. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.
    F. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

  • Question 129:

    A company's security engineer is configuring Amazon S3 permissions to ban all current and future public buckets. However, the company hosts several websites directly off S3 buckets with public access enabled.

    The engineer needs to block the public S3 buckets without causing any outages on the existing websites. The engineer has set up an Amazon CloudFront distribution for each website.

    Which set of steps should the security engineer implement next?

    A. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records from websites to point to the CloudFront distribution. Enable block public access settings at the account level.
    B. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for the websites to point to the CloudFront distribution. Then, for each S3 bucket, enable block public access settings.
    C. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Enable block public access settings at the account level.
    D. Configure an S3 bucket as the origin for the CloudFront distribution. Configure the S3 bucket policy to accept connections from the CloudFront points of presence only. Switch the DNS records for the websites to point to the CloudFront distribution. Enable block public access settings at the account level.

  • Question 130:

    A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository.

    A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.

    Which solution meets these requirements?

    A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
    B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
    C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
    D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
