SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 161:

    A security engineer has been tasked with implementing a solution that allows the company's development team to have interactive command line access to Amazon EC2 Linux instances using the AWS Management Console.

    Which steps should the security engineer take to satisfy this requirement while maintaining least privilege?

    A. Enable AWS Systems Manager in the AWS Management Console and configure for access to EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the Systems Manager Session Manager and attach to the team's IAM users.
    B. Enable console SSH access in the EC2 console. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the development team's IAM users.
    C. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure a security group that allows SSH port 22 from all published IP addresses. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the team's IAM users.
    D. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM policies to allow development team access to the EC2 console and attach to the team's IAM users.

  • Question 162:

    You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA-authenticated. Which of the following would best match this requirement?

    A. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "Bool": {"aws:MultiFactorAuthPresent": true} } } }
    B. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "Bool": {"aws:MultiFactorAuthPresent": false} } } }
    C. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent": false } } }
    D. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent": true } } }

  • Question 163:

    A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is required, using a customer-branded domain name, both from the client to CloudFront and from CloudFront to the load balancer.

    Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

    A. One in the US West (Oregon) region and one in the US East (Virginia) region.
    B. Two in the US West (Oregon) region and none in the US East (Virginia) region.
    C. One in the US West (Oregon) region and none in the US East (Virginia) region.
    D. Two in the US East (Virginia) region and none in the US West (Oregon) region.

  • Question 164:

    A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors.

    A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction. However, the vendors cannot connect to the application.

    Which solution will provide the vendors access to the application?

    A. Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.
    B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
    C. Modify the inbound rules on the internet gateway to allow the required ports.
    D. Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.
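
The check a practitioner would run on the scenario above is whether both directions of a TCP session pass the network ACL, because a network ACL is stateless (unlike a security group, which tracks connections). The following Python is an added example, not part of the exam page: it models first-match rule evaluation in rule-number order with the implicit deny, and tests a client's HTTPS session against two outbound rule sets. Rule numbers, CIDRs and client port are constructed for illustration.

```python
# Added example, not from the exam page: how a stateless network ACL judges a TCP
# session. Rule numbers, CIDRs and ports below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Return traffic to clients arrives on high-numbered ports; AWS documents
# 1024-65535 as the range an outbound NACL rule must cover for it.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int        # lower numbers are evaluated first
    protocol: str      # "tcp", "udp" or "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


def nacl_decision(rules, protocol, ip, port):
    """First matching rule wins; the implicit '*' rule denies anything unmatched."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def tcp_flow_permitted(inbound, outbound, client_ip, client_port, server_port):
    """A client -> server TCP session needs both directions allowed, because a
    NACL keeps no connection state: the SYN is checked against the inbound rules
    (source = client, dst port = server_port) and the SYN-ACK against the
    outbound rules (destination = client, dst port = the client's ephemeral port).
    A security group, being stateful, would allow the reply automatically."""
    request_ok = nacl_decision(inbound, "tcp", client_ip, server_port) == "allow"
    reply_ok = nacl_decision(outbound, "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok


# Constructed rule sets: inbound admits HTTPS from anywhere. Two outbound variants:
# one that simply mirrors the inbound rule, one that opens the ephemeral range.
INBOUND = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_MIRRORED = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", *EPHEMERAL_PORTS, "allow")]
```

With the mirrored outbound set the client's SYN is admitted but the server's SYN-ACK to port 51515 hits the implicit deny, so the handshake never completes; with the ephemeral range opened the session succeeds. Narrow the outbound CIDR to the vendors' address ranges rather than 0.0.0.0/0 when those are known.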

  • Question 165:

    A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access only an assigned folder.

    What should the Security Engineer do to achieve this?

    A. Use envelope encryption with the AWS-managed CMK aws/s3.
    B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
    C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
    D. Change the applicable IAM policy to grant S3 access to "Resource":"arn:aws:s3:::examplebucket/${aws:username}/*"
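
Question 162 (the MFA condition) and Question 165 (a per-user folder via the ${aws:username} policy variable) both turn on how an identity policy's Action, Resource and Condition elements are evaluated. The Python below is an added example, not code from the exam page or from AWS: a deliberately small evaluator for just that subset of the policy grammar, used to exercise two constructed policies. It also shows the caveat that matters in practice for the MFA case: a request signed with long-term access keys has no aws:MultiFactorAuthPresent key in its context at all, and the Bool operator treats a missing key as false (BoolIfExists treats it as true). The bucket name, user names and object keys are constructed.

```python
# Added example, not from the exam page: a minimal evaluator for the subset of IAM
# policy grammar the two questions above rely on (Action/Resource wildcards,
# ${aws:username} substitution, Bool/BoolIfExists and String* conditions).
# Real IAM evaluation is much richer (explicit Deny, SCPs, resource and session
# policies); this models only the Allow statements of one identity policy.
import json
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, context):
    """Resolve ${key} policy variables (e.g. ${aws:username}) from the request context.
    Unresolved variables stay literal and therefore match nothing real."""
    for key, val in context.items():
        pattern = pattern.replace("${" + key + "}", str(val))
    return pattern


def _glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """All operator blocks and all keys inside them must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [str(e) for e in _as_list(expected)]
            present = key in context
            actual = str(context[key]) if present else None
            if operator == "Bool":
                # A missing key makes Bool false. Requests signed with long-term
                # access keys never carry aws:MultiFactorAuthPresent, so they fail here.
                if not present or actual.lower() not in [w.lower() for w in wanted]:
                    return False
            elif operator == "BoolIfExists":
                # Same test, but a missing key counts as a match.
                if present and actual.lower() not in [w.lower() for w in wanted]:
                    return False
            elif operator == "StringEquals":
                if not present or actual not in [_substitute(w, context) for w in wanted]:
                    return False
            elif operator == "StringLike":
                if not present or not any(_glob(_substitute(w, context), actual) for w in wanted):
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
    return True


def is_allowed(policy, action, resource, context):
    """True when some Allow statement covers action+resource and its conditions hold.
    Everything else is the implicit deny."""
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = [_substitute(r, context) for r in _as_list(stmt["Resource"])]
        if not any(_glob(r, resource) for r in resources):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed policy 1: list buckets only when the caller authenticated with MFA.
MFA_LIST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    "Resource": "arn:aws:s3:::*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }
}""")

# Constructed policy 2: each IAM user reads/writes only under a prefix named after
# them, and may list only that prefix (ListBucket is a bucket-level action, so the
# folder restriction has to come from the s3:prefix condition, not the Resource).
PER_USER_FOLDER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::examplebucket",
     "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}}}
  ]
}""")
```

Two points the toy makes visible: the per-user Resource ARN alone does nothing for ListBucket, which is why the second statement carries an s3:prefix condition; and encryption (SSE-S3 or a KMS key) never substitutes for this kind of authorization, since anyone allowed s3:GetObject and kms:Decrypt still reads the object.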

  • Question 166:

    A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

    Which solution will meet these requirements in the MOST operationally efficient manner?

    A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
    B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
    C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
    D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

  • Question 167:

    Which of the following is not a best practice for carrying out a security audit?

    A. Conduct an audit on a yearly basis
    B. Conduct an audit if application instances have been added to your account
    C. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
    D. Whenever there are changes in your organization

  • Question 168:

    The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within AWS?

    A. Use the AWS CloudTrail console to search for user activity.
    B. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
    C. Use AWS Config to see what actions were taken by the user.
    D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
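
Whatever tool is chosen, the investigation above comes down to filtering CloudTrail records on userIdentity.accessKeyId over a look-back window and then summarising what the key did, from where, and how often it was refused. The Python below is an added example, not part of the exam page: it runs that filter over a handful of constructed CloudTrail records (the access key IDs are the placeholder values AWS uses in its documentation) and carries the equivalent Athena SQL as a string. Note that the CloudTrail console's Event history covers only the most recent 90 days of management events; anything older, or any data events, has to come from the log files delivered to S3.

```python
# Added example, not from the exam page: filter CloudTrail records for one access
# key over a 90-day window and summarise what it did. The log records below are
# constructed; field names follow the CloudTrail record format.
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail events, one JSON object per line, as they look after
# flattening the "Records" array of a delivered log file.
SAMPLE_LOG = """
{"eventTime":"2024-03-02T10:15:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/former.employee","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-02T10:16:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/former.employee","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied"}
{"eventTime":"2024-03-05T08:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/devops","accessKeyId":"AKIAI44QH8DHBEXAMPLE"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2023-11-20T09:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/former.employee","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"198.51.100.7"}
"""

# Constructed "today" for the investigation so the example is reproducible offline.
INVESTIGATION_DATE = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def events_for_key(records, access_key_id, now=INVESTIGATION_DATE, days=90):
    """Keep events signed with the given key inside the look-back window, oldest first."""
    start = now - timedelta(days=days)
    hits = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start <= ts <= now:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["eventTime"])


def summarise(hits):
    """The first things a responder wants: which APIs were called, from which
    addresses, and how many calls failed (a run of AccessDenied suggests probing)."""
    return {
        "calls": len(hits),
        "by_api": Counter(f"{h['eventSource']}:{h['eventName']}" for h in hits),
        "source_ips": sorted({h["sourceIPAddress"] for h in hits}),
        "denied": sum(1 for h in hits if "errorCode" in h),
    }


def investigate(access_key_id, log_text=SAMPLE_LOG, now=INVESTIGATION_DATE):
    return summarise(events_for_key(parse_records(log_text), access_key_id, now))


# The same filter as Athena SQL, for a CloudTrail table created as in the AWS docs.
# The table name is assumed; adding year/month/day partition predicates cuts the scan.
ATHENA_QUERY = """
SELECT eventtime, eventsource, eventname, sourceipaddress, errorcode
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAIOSFODNN7EXAMPLE'
  AND from_iso8601_timestamp(eventtime) > current_timestamp - interval '90' day
ORDER BY eventtime;
"""

if __name__ == "__main__":
    print(json.dumps(investigate("AKIAIOSFODNN7EXAMPLE"), indent=2, default=dict))
```

Run against the constructed log, the former employee's key shows two calls inside the window (the November event falls outside 90 days and is dropped), one of them an AccessDenied on s3:GetObject, all from a single source address. In a real case, pair this with the key's IAM user and its attached policies, and disable the key before digging further.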

  • Question 169:

    Your company is planning on developing an application in AWS. This is a web-based application. The application users will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra code to manage this. Which of the below would assist in this?

    A. Create an OIDC identity provider in AWS
    B. Create a SAML provider in AWS
    C. Use Amazon Cognito to manage the user profiles
    D. Use IAM users to manage the user profiles

  • Question 170:

    A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.

    Which solution should the company's security specialist recommend?

    A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
    B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
    C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
    D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.