Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 141:
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns.
Which solution would have the MOST scalability and LOWEST latency?
A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers
D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers
B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
Explanation/Reference:
Question 142:
Your company is planning on developing an application in AWS. This is a web-based application. The application users will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this?
Please select:
A. Create an OIDC identity provider in AWS
B. Create a SAML provider in AWS
C. Use AWS Cognito to manage the user profiles
D. Use IAM users to manage the user profiles
B. Create a SAML provider in AWS
Explanation/Reference:
The AWS Documentation mentions the following: OIDC identity providers are entities in IAM that describe an identity provider (IdP) service that supports the OpenID Connect (OIDC) standard. You use an OIDC identity provider when you want to establish trust between an OIDC-compatible IdP, such as Google, Salesforce, and many others, and your AWS account. This is useful if you are creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities. Option A is invalid because in the security groups you would not mention this information. Option C is invalid because SAML is used for federated authentication. Option D is invalid because you need to use the OIDC identity provider in AWS. For more information on OIDC identity providers, please refer to the below link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html The correct answer is: Create an OIDC identity provider in AWS
Question 143:
A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.
During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is
entered for an individual.
Which combination of options can the company use to meet these requirements? (Choose two.)
A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.
C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.
A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
Explanation/Reference:
In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created. For Actions, choose Copy Snapshot. Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields. Select the Enable Encryption checkbox. For Master Key, specify the KMS key identifier to use to encrypt the DB snapshot copy. Choose Copy Snapshot. Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
Question 144:
A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute the task?
A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
Question 145:
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?
A. Option A
B. Option B
C. Option C
D. Option D
A. Option A
Question 146:
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.
To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.
What should the security engineer do next?
A. Place the network interface in promiscuous mode to capture the traffic.
B. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
D. Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.
C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
Explanation/Reference:
Promiscuous mode doesn't work in AWS. You can think of VPC Traffic Mirroring as a "virtual fiber tap" that gives you direct access to the network packets flowing through your VPC. As you will soon see, you can choose to capture all traffic or you can use filters to capture the packets that are of particular interest to you, with an option to limit the number of bytes captured per packet. You can use VPC Traffic Mirroring in a multi-account AWS environment, capturing traffic from VPCs spread across many AWS accounts and then routing it to a central VPC for inspection.
Question 147:
For compliance reasons, an organization limits the use of resources to three specific AWS regions. It wants to be alerted when any resources are launched in unapproved regions. Which of the following approaches will provide alerts on any resources launched in an unapproved region?
A. Develop an alerting mechanism based on processing AWS CloudTrail logs.
B. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
C. Analyze Amazon CloudWatch Logs for activities in unapproved regions.
D. Use AWS Trusted Advisor to alert on all resources being created.
A. Develop an alerting mechanism based on processing AWS CloudTrail logs.
Question 148:
A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.
Which steps should be taken to troubleshoot the issue? (Choose three.)
A. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
C. Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.
D. Confirm in the CloudTrail Console that each trail is active and healthy.
E. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.
B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
D. Confirm in the CloudTrail Console that each trail is active and healthy.
F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.
Question 149:
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.
What solution should the Engineer use to implement the appropriate access restrictions for the application?
A. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances.
B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
C. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
D. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
D. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
Question 150:
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses.
Which solution will meet these requirements?
A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
B. Add a rule to all security groups to deny the incoming requests from the IP address range.
C. Modify the AWS WAF web ACL with a rate-based rule statement to deny incoming requests from the IP address range.
D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.
A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
Explanation/Reference:
The IP set match statement inspects the IP address of a web request against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from. Reference: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
Nowadays, certification exams have become more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.