Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 181:
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:
1. Each object must be encrypted using a unique key. Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
2. AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?
A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
Explanation/Reference:
Automatic key rotation is not available for asymmetric CMKs, CMKs in custom key stores, or CMKs with imported key material, which rules out the imported-key-material approach in option D.
Question 182:
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?
Please select:
A. Use CloudTrail Log File Integrity Validation.
B. Use AWS Config SNS Subscriptions and process events in real time.
C. Use CloudTrail backed up to AWS S3 and Glacier.
D. Use AWS Config Timeline forensics.
A. Use CloudTrail Log File Integrity Validation.
Explanation/Reference:
The AWS documentation mentions the following: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.
Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Options B, C and D are invalid because you need to use log file integrity validation for the CloudTrail logs.
For more information on CloudTrail log file validation, please visit the below URL: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
The correct answer is: Use CloudTrail Log File Integrity Validation.
Question 183:
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
Please select:
A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
E. Enable GuardDuty to block malicious traffic from reaching the application.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
Explanation/Reference:
The below diagram from AWS shows the best-case scenario for avoiding DDoS attacks using services such as AWS CloudFront, WAF, ELB and Auto Scaling.
Option A is invalid because by default security groups do not allow access, so they cannot be used to block specific addresses. Option C is invalid because Amazon Inspector cannot be used to examine traffic. Option E is invalid because GuardDuty can detect attacks on EC2 instances but does not block DDoS attacks against the entire application.
For more information on DDoS mitigation from AWS, please visit the below URL: https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic; Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
Question 184:
A company recently adopted new compliance standards that require all user actions in AWS to be logged. The user actions must be logged for all accounts that belong to an organization in AWS Organizations. The company needs to set alarms that respond when specified actions occur. The alarms must forward alerts to an email distribution list. The alerts must occur in as close to real time as possible.
Which solution will meet these requirements?
A. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
B. Implement an AWS CloudTrail trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to send messages to an Amazon Simple Queue Service (Amazon SQS) queue.
C. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail to store logs in an Amazon S3 bucket. Configure an Amazon EC2 instance to mount the S3 bucket as a file system to ingest new log files that are pushed to the S3 bucket. Configure the EC2 instance also to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when one of the specified actions is found in the logs.
D. Implement an AWS CloudTrail trail. Configure the trail to store logs in an Amazon S3 bucket. Each hour, create an AWS Glue Data Catalog that references the S3 bucket. Configure Amazon Athena to initiate queries against the Data Catalog to identify the specified actions in the logs.
A. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
Explanation/Reference:
Question 185:
An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.
A Security Engineer must design a solution that meets the following requirements:
1. Make the log files available through an AWS managed service.
2. Allow for automatic monitoring of the logs.
3. Provide an interface for analyzing logs.
4. Minimize effort.
Which approach meets these requirements?
A. Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket.
B. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
C. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
D. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.
B. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
Question 186:
You have set up a set of applications across two VPCs. You have also set up VPC peering. The applications are still not able to communicate across the peering connection. Which network troubleshooting step should be taken to resolve the issue?
Please select:
A. Ensure the applications are hosted in a public subnet.
B. Check to see if the VPC has an Internet gateway attached.
C. Check to see if the VPC has a NAT gateway attached.
D. Check the route tables for the VPCs.
D. Check the route tables for the VPCs.
Explanation/Reference:
After the VPC peering connection is established, you need to ensure that the route tables in both VPCs are modified so that traffic can flow between the VPCs.
Options A, B and C are invalid because an Internet gateway and public subnets help with Internet access, but not with VPC peering.
For more information on VPC peering routing, please visit the below URL: com/AmazonVPC/latest/Peeri
The correct answer is: Check the route tables for the VPCs.
Question 187:
You want to get a list of vulnerabilities for an EC2 instance as per the guidelines set by the Center for Internet Security. How can you go about doing this?
Please select:
A. Enable Amazon GuardDuty for the instance
B. Use AWS Trusted Advisor
C. Use Amazon Inspector
D. Use Amazon Macie
C. Use Amazon Inspector
Explanation/Reference:
The Amazon Inspector service can assess EC2 instances based on specific rules packages. One of the rules packages is based on the guidelines set by the Center for Internet Security (CIS) Benchmarks. The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks member company, and the list of Amazon Inspector certifications can be viewed here.
Option A is invalid because GuardDuty can be used to detect threats against an instance but does not produce a list of vulnerabilities. Options B and D are invalid because these services cannot give a list of vulnerabilities.
For more information on the guidelines, please visit the below URL:
Question 188:
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?
A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
Question 189:
The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?
A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
B. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
C. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.
B. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
Question 190:
A company is developing a mobile shopping web app. The company needs an environment that is configured to encrypt all resources in transit and at rest.
A security engineer must develop a solution that will encrypt traffic in transit to the company's Application Load Balancer and Amazon API Gateway resources. The solution also must encrypt traffic at rest for Amazon S3 storage.
What should the security engineer do to meet these requirements?
A. Use AWS Certificate Manager (ACM) for encryption in transit. Use AWS Key Management Service for encryption at rest.
B. Use AWS Certificate Manager (ACM) for encryption in transit and encryption at rest.
C. Use AWS Key Management Service for encryption in transit. Use AWS Certificate Manager (ACM) for encryption at rest.
D. Use AWS Key Management Service for encryption in transit and encryption at rest.
A. Use AWS Certificate Manager (ACM) for encryption in transit. Use AWS Key Management Service for encryption at rest.