SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 171:

    Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security groups attached to them. You need to ensure that changes to the security groups are noted and acted on accordingly. How can you achieve this?

    Please select:

    A. Use CloudWatch Logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
    B. Use CloudWatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
    C. Use AWS Inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
    D. Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

  • Question 172:

    A company has a strict policy against using root credentials. The company's security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console. How should the security team achieve this goal?

    A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
    B. Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
    C. Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
    D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).

  • Question 173:

    You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?

    Please select:

    A. Enable server access logging for the bucket
    B. Enable Cloudwatch metrics for the bucket
    C. Enable Cloudwatch logs for the bucket
    D. Enable AWS Config for the S3 bucket

  • Question 174:

    A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

    The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

    Which combination of steps should the security engineer take to remediate this scenario? (Choose two.)

    A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
    B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
    C. Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.
    D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
    E. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.

  • Question 175:

    A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.

    A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance's security group and the subnet's network ACLs allow the communication.

    What else should the security engineer check to determine why the request from the EC2 instance is failing?

    A. Verify that the EC2 instance's security group does not have an implicit inbound deny rule for Amazon S3.
    B. Verify that the VPC endpoint's security group does not have an explicit inbound deny rule for the EC2 instance.
    C. Verify that the internet gateway is allowing traffic to Amazon S3.
    D. Verify that the VPC endpoint policy is allowing access to Amazon S3.

  • Question 176:

    A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

    Which solution meets these requirements?

    A. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
    B. Use AWS Secrets Manager to store the database credentials. Configure automatic rotation of the credentials.
    C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication.
    D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate credentials on a scheduled basis.

  • Question 177:

    Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys. Which DynamoDB feature should the Engineer use to achieve compliance?

    A. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
    B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
    C. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
    D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

  • Question 178:

    A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

    What should the Security Engineer use to accomplish this?

    A. Server-side encryption with Amazon S3-managed keys (SSE-S3)
    B. Server-side encryption with AWS KMS-managed keys (SSE-KMS)
    C. Server-side encryption with customer-provided keys (SSE-C)
    D. Client-side encryption with an AWS KMS-managed CMK

  • Question 179:

    A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.

    Which solution meets these requirements?

    A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
    B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
    C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
    D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

  • Question 180:

    A developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an AWS KMS Customer Master Key (CMK) supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

    Which of the following are required for this configuration to work? (Select TWO.)

    A. The developer must configure Lambda access to the VPC using the --vpc-config parameter.
    B. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.
    C. The KMS key policy must allow permissions for the developer to use the KMS key.
    D. The AWS IAM policy assigned to the developer must have the kms:GenerateDataKey permission added.
    E. The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.