Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 211:
A security engineer must develop an AWS Identity and Access Management (IAM) strategy for a company's organization in AWS Organizations. The company needs to give developers autonomy to develop and test their applications on AWS, but the company also needs to implement security guardrails to help protect itself. The company creates and distributes applications with different levels of data classification and types. The solution must maximize scalability.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A. Create an SCP to restrict access to highly privileged or unauthorized actions to specific IAM principals. Assign the SCP to the appropriate AWS accounts.
B. Create an IAM permissions boundary to allow access to specific actions and IAM principals. Assign the IAM permissions boundary to all IAM principals within the organization.
C. Create a delegated IAM role that has capabilities to create other IAM roles. Use the delegated IAM role to provision IAM principals by following the principle of least privilege.
D. Create OUs based on data classification and type. Add the AWS accounts to the appropriate OU. Provide developers access to the AWS accounts based on business need.
E. Create IAM groups based on data classification and type. Add only the required developers' IAM role to the IAM groups within each AWS account.
F. Create IAM policies based on data classification and type. Add the minimum required IAM policies to the developers' IAM role within each AWS account.
A. Create an SCP to restrict access to highly privileged or unauthorized actions to specific IAM principals. Assign the SCP to the appropriate AWS accounts.
C. Create a delegated IAM role that has capabilities to create other IAM roles. Use the delegated IAM role to provision IAM principals by following the principle of least privilege.
D. Create OUs based on data classification and type. Add the AWS accounts to the appropriate OU. Provide developers access to the AWS accounts based on business need.
Explanation/Reference:
SCPs attached to accounts or OUs are the organization-wide guardrail that developers cannot remove (A). A delegated role that creates other roles under least privilege gives developers autonomy without handing out IAM administrator rights; in practice the delegated role is only allowed to create roles that carry a fixed permissions boundary (C). Grouping accounts into OUs by data classification lets the same SCPs and access model apply automatically to every new account, which is what maximizes scalability (D). B is wrong because a permissions boundary is attached to an individual IAM user or role, not to "all principals in the organization". E is invalid because IAM roles cannot be members of IAM groups. F requires hand-built policies in every account and does not scale.
Question 212:
A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16,000 B to 5 MB. The requirements are as follows:
1. The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
2. The key material must be available in multiple Regions.
Which option meets these requirements?
A. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions.
B. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.
C. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
D. Use AWS CloudHSM to generate the key material and back up keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
C. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
Explanation/Reference:
A custom key store is a KMS key store backed by a CloudHSM cluster that you own. The key material is generated in, and never leaves, the cluster's FIPS 140-2 Level 3 validated HSMs, and S3 server-side encryption with the resulting KMS key works unchanged. Copying a cluster backup to another Region lets you restore the same key material there, which meets the multi-Region requirement (C). A keeps the key material in KMS's own HSMs rather than in a customer-controlled CloudHSM cluster; B ends with key material stored in S3, which violates the first requirement; D bypasses S3 server-side encryption altogether by encrypting client-side with JCE/PKCS #11.
Question 213:
A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company AWS account. The Security Analyst decides to do this by improving AWS account root user security.
Which actions should the Security Analyst take to meet these requirements? (Select THREE.)
A. Delete the access keys for the account root user in every account.
B. Create an admin IAM user with administrative privileges and delete the account root user in every account.
C. Implement a strong password to help protect account-level access to the AWS Management Console by the account root user.
D. Enable multi-factor authentication (MFA) on every account root user in all accounts.
E. Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.
F. Attach an IAM role to the account root user to make use of the automated credential rotation in AWS STS.
A. Delete the access keys for the account root user in every account.
C. Implement a strong password to help protect account-level access to the AWS Management Console by the account root user.
D. Enable multi-factor authentication (MFA) on every account root user in all accounts.
Explanation/Reference:
- If you do have an access key for your AWS account root user, delete it.
- Use a strong password to help protect account-level access to the AWS Management Console.
- Enable AWS multi-factor authentication (MFA) on your AWS account root user.
The root user cannot be deleted (B), cannot have IAM policies attached to it (E), and cannot assume roles (F).
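Two of the three controls above (no root access keys, MFA enabled) can be verified from the IAM credential report of every account. The following Python is an added example, not part of the exam material or any AWS tool: it parses constructed sample credential reports for two placeholder accounts (111122223333 and 444455556666) and returns the root-user findings, including a recency check on root console sign-ins against an assumed audit date. Password strength is not in the report, so that control has to be enforced by process.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Column layout of the IAM credential report (`aws iam get-credential-report`, base64-decoded
# CSV). The root user always appears as the user named "<root_account>".
_HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
           "password_last_changed,password_next_rotation,mfa_active,"
           "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
           "access_key_1_last_used_region,access_key_1_last_used_service,"
           "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
           "access_key_2_last_used_region,access_key_2_last_used_service,"
           "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n")

# Constructed sample reports for two accounts (account numbers are placeholders).
REPORT_WEAK_ROOT = _HEADER + (
    "<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,"
    "2024-05-01T09:12:00+00:00,not_supported,not_supported,false,true,2019-03-01T10:05:00+00:00,"
    "2024-04-30T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "alice,arn:aws:iam::111122223333:user/alice,2020-01-15T08:00:00+00:00,true,"
    "2024-05-02T07:00:00+00:00,2024-01-10T08:00:00+00:00,2024-04-09T08:00:00+00:00,true,true,"
    "2024-01-10T08:00:00+00:00,2024-05-02T06:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,"
    "false,N/A,false,N/A\n")
REPORT_HARDENED_ROOT = _HEADER + (
    "<root_account>,arn:aws:iam::444455556666:root,2019-03-01T10:00:00+00:00,not_supported,"
    "2023-11-20T14:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,"
    "N/A,N/A,N/A,N/A,false,N/A,false,N/A\n")

# Fixed "today" so the recency check is reproducible (assumed audit date).
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)


def root_user_findings(report_csv, as_of=None, recent_days=90):
    """Return the root-user findings for one account's credential report.

    Checks what the report can prove (active access keys or signing certificates,
    and whether MFA is enabled) and flags recent root console use, which should be
    rare once IAM users and roles exist. Password strength is not in the report.
    """
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["no <root_account> row in credential report"]
    findings = []
    for slot in ("1", "2"):
        if root[f"access_key_{slot}_active"] == "true":
            findings.append(f"access key {slot} is active: delete it")
        if root[f"cert_{slot}_active"] == "true":
            findings.append(f"signing certificate {slot} is active: delete it")
    if root["mfa_active"] != "true":
        findings.append("MFA is not enabled: enable a hardware or virtual MFA device")
    last_used = root["password_last_used"]
    if as_of is not None and last_used not in ("N/A", "no_information", "not_supported"):
        if as_of - datetime.fromisoformat(last_used) < timedelta(days=recent_days):
            findings.append(f"root console sign-in on {last_used}: confirm it was authorised")
    return findings


def audit_accounts(reports, as_of=None):
    """Map account ID -> root findings for a dict of {account_id: credential_report_csv}."""
    return {account: root_user_findings(text, as_of) for account, text in reports.items()}


if __name__ == "__main__":
    sample = {"111122223333": REPORT_WEAK_ROOT, "444455556666": REPORT_HARDENED_ROOT}
    for account, findings in audit_accounts(sample, AS_OF).items():
        print(account, findings or ["root user hardened"])
```

In a real audit the report text comes from `aws iam get-credential-report` in each account (the `Content` field is base64); the report is generated asynchronously, so call `generate-credential-report` first and retry until it is ready.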
Question 214:
A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards. Which of the following actions should the Engineer perform to get further guidance?
A. Read the AWS Customer Agreement.
B. Use AWS Artifact to access AWS compliance reports.
C. Post the question on the AWS Discussion Forums.
D. Run AWS Config and evaluate the configuration outputs.
B. Use AWS Artifact to access AWS compliance reports.
Explanation/Reference:
AWS Artifact is the self-service portal for AWS's third-party audit reports and certifications (SOC, PCI DSS, ISO and others), which is where the evidence that a service's key management meets a given standard is published. The AWS Customer Agreement (A) is a legal contract and says nothing about a service's compliance status, the forums (C) are not an authoritative source, and AWS Config (D) reports on the configuration of your own resources, not on AWS's certifications.
https://aws.amazon.com/artifact/
Question 215:
A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.
How should the company meet these requirements?
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
Explanation/Reference:
An interface VPC endpoint (AWS PrivateLink) for Kinesis Data Firehose gives the service a private IP address inside the VPC, which the on-premises hosts reach through the Direct Connect gateway, so the traffic never leaves the private network. The endpoint accepts only HTTPS, so the data is also encrypted in transit. B still sends traffic to the public Firehose endpoint and merely filters by source IP; C puts an internet-facing load balancer in the path; D is not possible because Firehose is not a resource in a customer VPC that can be peered.
Question 216:
A company is testing a new version of its application. The company is using a public Amazon API Gateway API to expose the application. Currently, the company wants to allow only testers from its network to access the new application. Which solutions can the company use to meet these requirements? (Choose two.)
A. Create and configure a security group that allows access from the company's IP address range. Apply the security group to the API Gateway API.
B. Create and configure a network ACL that allows traffic from the company's IP address range. Apply the network ACL to the API Gateway API subnet.
C. Create an AWS WAF web ACL. Configure an IP match rule that allows traffic from the company's IP address range. Apply the web ACL to the API Gateway API.
D. Use a condition in the API Gateway resource policy to allow access only from the company's IP address range.
E. Create an interface VPC endpoint for the API Gateway execute-api. Instruct testers to use this endpoint.
C. Create an AWS WAF web ACL. Configure an IP match rule that allows traffic from the company's IP address range. Apply the web ACL to the API Gateway API.
D. Use a condition in the API Gateway resource policy to allow access only from the company's IP address range.
Explanation/Reference:
A public API Gateway API is not deployed into a subnet of the company's VPC, so there is no security group or network ACL to attach to it (A and B). The two controls API Gateway offers for filtering by source address are an AWS WAF web ACL with an IP set rule (C) and a resource policy with an aws:SourceIp condition (D). An interface VPC endpoint (E) only serves callers that can reach the VPC, and the question is about a public API used from the company network.
Question 217:
Your company is planning to host its resources on AWS. Company policy mandates that all security keys are generated and managed entirely within the company itself. Which of the following measures complies with this policy?
Please select:
A. Using the AWS KMS service for creation of the keys and the company managing the key lifecycle thereafter.
B. Generating the key pairs for the EC2 instances using puttygen.
C. Use the EC2 key pairs that come with AWS.
D. Use S3 server-side encryption.
B. Generating the key pairs for the EC2 instances using puttygen.
Explanation/Reference:
By generating the SSH key pairs for the EC2 instances yourself (for example with puttygen or ssh-keygen) and importing only the public key, the private key is created on company-controlled hardware and never passes through AWS, so the company keeps complete control of it.
Options A, C and D are invalid because in each case AWS generates and holds the key material: a key created in KMS keeps its key material inside KMS, an EC2 key pair created by AWS is generated on the AWS side and the private key is handed to you, and S3 server-side encryption uses keys that AWS manages. The question specifically requires that the company own the keys. For information on security for compute resources, please visit the URL below:
https://d1.awsstatic.com/whitepapers/Security/Security Compute Services Whitepaper.pdf
Question 218:
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?
A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.
B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
D. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.
B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
Explanation/Reference:
Trusted IP lists consist of IP addresses that you have allow-listed for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists, so scans from the team's Elastic IPs are suppressed while scans from any other address still produce findings. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Threat lists consist of known malicious IP addresses; GuardDuty generates findings based on threat lists, and you can have up to six uploaded threat lists per AWS account per Region. CloudTrail (A) records API calls and does not feed GuardDuty's network findings; the Inspector agent (C) assesses vulnerabilities on the host; GuardDuty API permissions (D) do not change which findings are generated.
Question 219:
A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name is reportbucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be implemented.
Which statement should the security specialist include in the policy?
A. Option A
B. Option B
C. Option C
D. Option D
(The four candidate policy statements are not reproduced in this text.)
A. Option A
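The policies behind three of the answers above are easy to get subtly wrong, so here is an added example, not part of the exam material or of any AWS library, that models them in Python and evaluates sample requests with a small subset of IAM's condition logic: the Question 219 bucket policy that denies any PutObject not using SSE-KMS with the account's own CMK, the Question 216 option D resource policy that denies callers outside the company's range, and the Question 211 option C delegated role that may only create roles carrying a fixed permissions boundary. The account number and bucket name come from Question 219; the KMS key ARN, API ID, boundary policy name, Region and tester CIDR are assumed values. The evaluator mirrors IAM's treatment of a condition key that is absent from the request (positive operators fail, negated ones match), which is what makes a plain StringNotEquals deny catch uploads that send no key ID at all.

```python
import fnmatch
import ipaddress

# Account number and bucket name come from the question; the KMS key ARN, API ID,
# boundary policy name, Region and tester CIDR are assumed values for this example.
ACCOUNT = "111122223333"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
API_ARN = f"arn:aws:execute-api:us-east-1:{ACCOUNT}:a1b2c3d4e5/*"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"
TESTER_CIDRS = ["203.0.113.0/24"]
BUCKET_OBJECTS = "arn:aws:s3:::reportbucket/*"

def _stmt(effect, action, resource, condition=None, principal="*"):
    s = {"Effect": effect, "Action": action, "Resource": resource}
    if principal:  # identity-based policies carry no Principal element
        s["Principal"] = principal
    if condition:
        s["Condition"] = condition
    return s

# Q219: every new object must be written with SSE-KMS under this account's CMK.
REPORTBUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("Deny", "s3:PutObject", BUCKET_OBJECTS,
          {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
    _stmt("Deny", "s3:PutObject", BUCKET_OBJECTS,
          {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
    _stmt("Deny", "s3:PutObject", BUCKET_OBJECTS,
          {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}}),
]}

# Q216 option D: the API stays public, but only the company's range may invoke it.
API_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("Allow", "execute-api:Invoke", API_ARN),
    _stmt("Deny", "execute-api:Invoke", API_ARN, {"NotIpAddress": {"aws:SourceIp": TESTER_CIDRS}}),
]}

# Q211 option C: the delegated role may create app roles only with the boundary attached,
# so nothing it provisions can exceed what DeveloperBoundary allows.
DELEGATED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("Allow", ["iam:CreateRole", "iam:AttachRolePolicy"], f"arn:aws:iam::{ACCOUNT}:role/app-*",
          {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}, principal=None),
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _in_cidrs(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def _condition_holds(op, key, expected, ctx):
    """Subset of IAM condition operators. A key missing from the request context
    fails positive operators and satisfies negated ones, as IAM does."""
    actual = ctx.get(key)
    values = [str(v) for v in _as_list(expected)]
    if op == "Null":
        return (actual is None) == (values[0] == "true")
    if actual is None:
        return "Not" in op
    if op == "StringEquals":
        return actual in values
    if op == "StringNotEquals":
        return actual not in values
    if op == "IpAddress":
        return _in_cidrs(actual, values)
    if op == "NotIpAddress":
        return not _in_cidrs(actual, values)
    raise ValueError(f"unsupported condition operator: {op}")

def evaluate(policy, action, resource, ctx):
    """'Deny', 'Allow' or 'NotApplicable' (no statement matched, so the decision falls
    through to whatever other policies apply). An explicit Deny always wins."""
    decision = "NotApplicable"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# S3 exposes these PutObject request headers as condition keys of the same name.
_HEADER_KEYS = {"x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
                "x-amz-server-side-encryption-aws-kms-key-id": "s3:x-amz-server-side-encryption-aws-kms-key-id"}

def check_put_object(headers, key="reports/q1.pdf"):
    # Bucket-policy decision for a PutObject carrying these request headers.
    ctx = {_HEADER_KEYS[h.lower()]: v for h, v in headers.items() if h.lower() in _HEADER_KEYS}
    return evaluate(REPORTBUCKET_POLICY, "s3:PutObject", f"arn:aws:s3:::reportbucket/{key}", ctx)

def check_api_invoke(source_ip):
    # Resource-policy decision for a caller at source_ip invoking a sample method.
    return evaluate(API_RESOURCE_POLICY, "execute-api:Invoke",
                    API_ARN.replace("/*", "/prod/GET/health"), {"aws:SourceIp": source_ip})

def check_create_role(role_name, boundary=None):
    # Whether the delegated role may create role_name with the given permissions boundary.
    ctx = {} if boundary is None else {"iam:PermissionsBoundary": boundary}
    return evaluate(DELEGATED_ROLE_POLICY, "iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/{role_name}", ctx)
```

`check_put_object({"x-amz-server-side-encryption": "aws:kms"})` returns "Deny" because the key-ID header is absent, which is the case (SSE-KMS with the default aws/s3 key) that a policy checking only `s3:x-amz-server-side-encryption` would let through. For the bucket policy, "NotApplicable" is the desired outcome for a compliant upload: the bucket policy only denies, and the caller's identity policy is what grants `s3:PutObject`.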
Question 220:
A security engineer is attempting to troubleshoot a problem. An application that runs on an Amazon EC2 instance in a VPC cannot communicate with an Amazon RDS DB instance in another subnet of the same VPC. The connection request is timing out.
Which issues could be causing this problem? (Choose two.)
A. The application instance's security group is not allowing outbound traffic.
B. The network ACL of the application instance's subnet is not allowing traffic between the application and the DB instance.
C. The VPC's route table is not configured correctly.
D. There is no peering connection between the application and the database.
E. The DB instance's security group is not allowing outbound traffic.
A. The application instance's security group is not allowing outbound traffic.
B. The network ACL of the application instance's subnet is not allowing traffic between the application and the DB instance.
Explanation/Reference:
A time-out, as opposed to a refused connection, means the traffic is being silently dropped somewhere. Security groups are stateful, so if the application's security group does not allow outbound traffic to the database port the SYN never leaves (A), and a network ACL on the application's subnet that does not allow the traffic, including the ephemeral-port return path since NACLs are stateless, produces the same symptom (B). C and D do not apply: every VPC has an immutable local route covering its own CIDR, so subnets in the same VPC can always route to each other, and peering is only between VPCs. E is irrelevant because security groups are stateful: the DB instance's inbound rule is what matters, and response traffic is allowed automatically regardless of its outbound rules.
Questions, answers and explanations provided by Vcedump.com.