Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 221:
A company has a new AWS account that does not have AWS CloudTrail configured. The account has an IAM access key that was issued by AWS Security Token Service (AWS STS). A security engineer discovers that the IAM access key has been compromised within the last 24 hours.
The security engineer must stop the compromised IAM access key from being used. The security engineer also must determine which activities the key has been used for so far.
What should the security engineer do to meet these requirements?
A. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
B. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
C. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, delete that IAM role.
D. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, revoke all active sessions for that IAM role.
A. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
Question 222:
A security engineer is developing automation that uses an AWS Lambda function to add tags to non-compliant IAM users and IAM roles. During testing, the function fails to perform the tagging action. When the security engineer attempts to look at the associated Amazon CloudWatch log group, no logs are being generated. After additional troubleshooting, the security engineer determines that the issue is related to the associated Lambda execution role.
Which statement should the security engineer add to the Lambda execution role to ensure functionality while following the principle of least privilege?
A. Option A
B. Option B
C. Option C
D. Option D
D. Option D
Explanation/Reference:
Use the aws:SourceArn condition key to compare the Amazon Resource Name (ARN) of the resource making a service-to-service request with the ARN that you specify in the policy. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#:~:text=aws%3ASourceArn,ARN%20that%20you%20specify%20in%20the%20policy.
Question 223:
Your company has the following setup in AWS:
- A set of EC2 instances hosting a web application
- An Application Load Balancer placed in front of the EC2 instances
There seems to be a set of malicious requests coming from a set of IP addresses.
Which of the following can be used to protect against these requests?
Please select:
A. Use Security Groups to block the IP addresses
B. Use VPC Flow Logs to block the IP addresses
C. Use AWS Inspector to block the IP addresses
D. Use AWS WAF to block the IP addresses
D. Use AWS WAF to block the IP addresses
Explanation/Reference:
The AWS documentation says the following about AWS WAF, which can be used to protect Application Load Balancers and CloudFront distributions:
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block the following types of requests:
- Originate from an IP address or a range of IP addresses
- Originate from a specific country or countries
- Contain a specified string or match a regular expression (regex) pattern in a particular part of requests
- Exceed a specified length
- Appear to contain malicious SQL code (known as SQL injection)
- Appear to contain malicious scripts (known as cross-site scripting)
Option A is invalid because security groups are deny-by-default and accept only allow rules, so they cannot be used to block specific IP addresses.
Options B and C are invalid because VPC Flow Logs and Amazon Inspector cannot be used to block IP addresses.
For information on AWS WAF, please visit the below URL: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
The correct answer is: Use AWS WAF to block the IP addresses
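The following is an added example, not code from the exam page or from AWS: it shows the shape of a WAFv2 web ACL rule that references an IP set, and emulates the decision the web ACL makes for a request's source IP so the effect of the blocklist can be checked offline. The IP set ARN, the blocked ranges and the request IPs are constructed sample values.

```python
"""Added example: IP-set based blocking in an AWS WAF web ACL in front of an
Application Load Balancer. Not the exam provider's or AWS's own code."""
import ipaddress

# Constructed: the abusive source ranges; in AWS these would be the
# Addresses of a WAFv2 IP set (one IP set per address family).
ABUSIVE_CIDRS = ["203.0.113.0/24", "198.51.100.17/32"]


def block_ip_set_rule(ip_set_arn: str, priority: int = 0) -> dict:
    """Rule entry for a WAFv2 web ACL: a request whose source IP is in the
    referenced IP set is blocked before it reaches the load balancer.
    When WAF is attached directly to the ALB it sees the client IP itself;
    only if another proxy sits in front would the statement additionally
    need an IPSetForwardedIPConfig to read the client IP from a header."""
    return {
        "Name": "BlockAbusiveSources",
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockAbusiveSources",
        },
    }


def compile_ip_set(cidrs):
    """Parse the CIDR strings once; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def web_acl_decision(source_ip: str, networks, default_action: str = "ALLOW") -> str:
    """Emulate the web ACL: BLOCK on the first matching network, otherwise the
    web ACL's default action (ALLOW here, so only listed sources are dropped)."""
    ip = ipaddress.ip_address(source_ip)
    for net in networks:
        if ip.version == net.version and ip in net:
            return "BLOCK"
    return default_action


def decide(source_ips, cidrs=ABUSIVE_CIDRS) -> dict:
    """Decision per source IP for a batch of requests."""
    networks = compile_ip_set(cidrs)
    return {ip: web_acl_decision(ip, networks) for ip in source_ips}


if __name__ == "__main__":
    # Constructed IP set ARN; the real one comes from creating the IP set.
    rule = block_ip_set_rule("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/abusive/EXAMPLE")
    print(rule["Statement"])
    for ip, action in decide(["203.0.113.45", "198.51.100.17", "198.51.100.18", "192.0.2.9"]).items():
        print(ip, action)
```

The decision function deliberately mirrors the web ACL's evaluation order (rule match first, default action last), which is why a request from an address outside every listed range falls through to ALLOW rather than being denied.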
Question 224:
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes The software engineering team needs to make changes that will address the audit findings.
Which set of steps should the software engineering team take?
A. Use an AWS Key Management Service (AWS KMS) CMK. Encrypt the data at rest.
B. Use AWS Certificate Manager (ACM) Private Certificate Authority. Encrypt the data in transit.
C. Use a DynamoDB encryption client. Use client-side encryption and sign the table items.
D. Use the AWS Encryption SDK. Use client-side encryption and sign the table items.
A. Use an AWS Key Management Service (AWS KMS) CMK. Encrypt the data at rest.
Question 225:
A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions.
What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?
A. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
B. Use an organization in AWS Organizations. Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.
C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.
C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
Question 226:
You want to launch an EC2 Instance with your own key pair in AWS. How can you achieve this? Choose 3 answers from the options given below.
Please select:
A. Use a third-party tool to create the key pair
B. Create a new key pair using the AWS CLI
C. Import the public key into EC2
D. Import the private key into EC2
A. Use a third-party tool to create the key pair
B. Create a new key pair using the AWS CLI
C. Import the public key into EC2
Explanation/Reference:
This is given in the AWS documentation:
Creating a Key Pair: You can use Amazon EC2 to create your key pair. For more information, see Creating a Key Pair Using Amazon EC2. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. For more information, see Importing Your Own Public Key to Amazon EC2.
Option B is correct because you can use the AWS CLI to create a new key pair: https://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-keypairs.html
Option D is invalid because it is the public key, not the private key, that is stored on the EC2 instance.
For more information on EC2 key pairs, please visit the below URL:
The correct answers are: Use a third-party tool to create the key pair; Create a new key pair using the AWS CLI; Import the public key into EC2.
Question 227:
A company's security engineer is investigating an Amazon GuardDuty finding for unusual activity for an IAM role. The AWS account has AWS Single Sign-On configured with federation with the company's on-premises Active Directory domain controller. The security engineer determines that the root cause of the finding is a compromised Active Directory identity on premises. Multiple production workloads are using the IAM role on AWS.
The security engineer must mitigate the unauthorized use of the IAM role while minimizing production workload downtime on AWS.
Which combination of actions should the security engineer take to meet these requirements? (Choose two.)
A. Inactivate the IAM role's access key. Issue a new IAM access key.
B. Revoke access for the identity in the on-premises Active Directory.
C. Attach an IAM policy to the IAM role to deny all access to any AWS Security Token Service (AWS STS) tokens that were issued prior to the current time.
D. Attach an IAM policy to the IAM role to deny access to the federated Active Directory identity's ARN.
E. Remove the IAM role's login profile to restrict use of the AWS Management Console.
C. Attach an IAM policy to the IAM role to deny all access to any AWS Security Token Service (AWS STS) tokens that were issued prior to the current time.
D. Attach an IAM policy to the IAM role to deny access to the federated Active Directory identity's ARN.
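The two policy patterns behind Question 225 (option B, restricting API calls by Region with the aws:RequestedRegion condition key) and Question 227 (option C, denying every session whose STS token predates a cut-off with the aws:TokenIssueTime condition key) are shown below as an added example; this is not code from the exam page or from AWS. A small evaluator covering only the condition operators these policies need makes their effect visible offline. The role policy, the ARNs, the cut-off time and the request contexts are constructed sample values, and the evaluator folds the SCP and identity policy into one explicit-deny-wins pass rather than modelling the full IAM evaluation chain.

```python
"""Added example: an IAM condition evaluator for a Region-restricting SCP and a
revoke-older-sessions role policy. Not the exam provider's or AWS's own code."""
from datetime import datetime

APPROVED_REGIONS = ["us-east-1", "us-west-2"]

# Question 225 / option B: a deny-list SCP that blocks every Regional API call
# outside the approved Regions. Global services are exempted with NotAction so
# that IAM, STS and Organizations calls keep working.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
    }],
}

# Constructed identity policy of the production workload role.
WORKLOAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "ec2:Describe*", "ec2:RunInstances"]}],
}


def revoke_older_sessions_policy(cutoff_iso: str) -> dict:
    """Question 227 / option C: inline policy for the compromised role that denies
    everything to sessions whose token was issued before `cutoff_iso` (ISO 8601
    with offset). Workloads stay up because re-assuming the role yields a newer
    token that the condition does not match."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RevokeSessionsIssuedBeforeCutoff",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """Action pattern match with the trailing wildcard form (e.g. ec2:Describe*)."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate the operators used above. Sample contexts always carry the keys;
    IAM's rules for keys absent from the request context are not modelled."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals", "DateLessThan"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = ctx[key]
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator == "DateLessThan" and not (
                datetime.fromisoformat(actual) < datetime.fromisoformat(expected)
            ):
                return False
    return True


def evaluate(policies: list, action: str, ctx: dict) -> str:
    """Simplified IAM logic: an applicable explicit Deny wins, otherwise an
    applicable Allow grants access, otherwise the request is implicitly denied."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt:
                applies = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                applies = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            if not applies or not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


if __name__ == "__main__":
    revoke = revoke_older_sessions_policy("2024-05-01T12:00:00+00:00")  # constructed cut-off
    stolen = {"aws:RequestedRegion": "us-east-1", "aws:TokenIssueTime": "2024-05-01T09:15:00+00:00"}
    fresh = {"aws:RequestedRegion": "us-east-1", "aws:TokenIssueTime": "2024-05-01T12:02:00+00:00"}
    print(evaluate([WORKLOAD_ROLE_POLICY, revoke], "s3:GetObject", stolen))  # explicitDeny
    print(evaluate([WORKLOAD_ROLE_POLICY, revoke], "s3:GetObject", fresh))   # allow
    rogue = {"aws:RequestedRegion": "eu-west-1"}
    print(evaluate([WORKLOAD_ROLE_POLICY, REGION_SCP], "ec2:RunInstances", rogue))  # explicitDeny
```

The revoke policy is the same mechanism the IAM console applies when you revoke a role's active sessions: every credential issued before the cut-off is dead immediately, while the role itself, and therefore every workload that re-assumes it, keeps working without a redeploy.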
Question 228:
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?
A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
D. The version of the Lambda function that was executed was not current.
A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
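Questions 222 and 228 both turn on the same defect: an execution role that lacks the three CloudWatch Logs permissions a Lambda function needs, which produces the silent symptom of a function that runs but leaves no log group or log stream behind. The following added example, not code from the exam page or from AWS, builds a least-privilege execution role policy for the tagging function of Question 222 and includes a checker that reports which logging permissions an existing policy is missing. The Region, account ID and function name are constructed.

```python
"""Added example: least-privilege Lambda execution role policy plus a check for
the CloudWatch Logs permissions whose absence means "no logs". Not the exam
provider's or AWS's own code."""

# The three actions a function needs to create its log group, open a stream per
# invocation environment, and write events into it.
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def execution_role_policy(region: str, account_id: str, function_name: str) -> dict:
    """Policy scoped to one function: log writes only to its own log group, and
    tagging only of IAM users and roles, nothing else."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CreateLogGroup is authorised against the account-level logs ARN.
                "Sid": "CreateLogGroup",
                "Effect": "Allow",
                "Action": "logs:CreateLogGroup",
                "Resource": f"arn:aws:logs:{region}:{account_id}:*",
            },
            {   # Stream creation and event writes are confined to this function's group.
                "Sid": "WriteFunctionLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group_arn}:*",
            },
            {   # The function's actual job: tag non-compliant users and roles.
                "Sid": "TagPrincipals",
                "Effect": "Allow",
                "Action": ["iam:TagUser", "iam:TagRole"],
                "Resource": [f"arn:aws:iam::{account_id}:user/*",
                             f"arn:aws:iam::{account_id}:role/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """Match an Action entry against a concrete action, honouring a trailing *."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def missing_log_permissions(policy: dict) -> list:
    """Return the CloudWatch Logs actions that no Allow statement grants. A
    non-empty result explains an empty log group before looking anywhere else."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.extend(_as_list(stmt.get("Action", [])))
    return [a for a in LOG_ACTIONS if not any(_action_matches(p, a) for p in granted)]


if __name__ == "__main__":
    good = execution_role_policy("us-east-1", "123456789012", "tag-noncompliant-principals")
    print("missing in full policy:", missing_log_permissions(good))
    # A policy that only carries the tagging statement: the function can tag but not log.
    tagging_only = {"Version": "2012-10-17", "Statement": [good["Statement"][2]]}
    print("missing in tagging-only policy:", missing_log_permissions(tagging_only))
```

Note that the checker looks at actions only; a policy that names the right actions but the wrong Resource ARN (another function's log group, say) would still fail at runtime, so the resource scoping in the generated policy is worth comparing against the function's actual name as well.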
Question 229:
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?
A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
D. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
Question 230:
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?
A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account.
B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
C. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
D. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.
B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
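The chain the answer asks the Analyst to verify is CloudTrail delivering to a CloudWatch Logs log group, a metric filter on that group emitting a metric, an alarm watching that metric, and a notification action on the alarm. The following added example, not code from the exam page or from AWS, writes out the metric filter pattern for security group changes, emulates the filter over constructed CloudTrail-style log lines to show what metric value the alarm would see, and walks a constructed configuration snapshot to report which link of the chain is broken. The event names are real EC2 API names; the log contents, account ID and ARNs are constructed.

```python
"""Added example: CloudTrail -> CloudWatch Logs metric filter -> alarm for
security group changes, with a chain-of-configuration check. Not the exam
provider's or AWS's own code."""
import json

# EC2 API calls that modify security groups; this is the set the CIS AWS
# Foundations Benchmark uses for its "security group changes" metric filter.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# The pattern string as it would be given to the CloudWatch Logs metric filter.
SG_CHANGE_FILTER_PATTERN = (
    "{ " + " || ".join(f"($.eventName = {name})" for name in sorted(SG_CHANGE_EVENTS)) + " }"
)


def _event(name: str, user: str, src_ip: str, params: dict) -> str:
    """Constructed CloudTrail record in the JSON shape delivered to CloudWatch Logs."""
    return json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": name, "awsRegion": "us-east-1",
        "sourceIPAddress": src_ip,
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{user}"},
        "requestParameters": params,
    })


SAMPLE_LOG_LINES = [  # constructed: two changes and one unrelated read
    _event("AuthorizeSecurityGroupIngress", "analyst", "192.0.2.10", {"groupId": "sg-0123456789abcdef0"}),
    _event("DescribeInstances", "analyst", "192.0.2.10", {}),
    _event("RevokeSecurityGroupEgress", "deploy-bot", "198.51.100.7", {"groupId": "sg-0123456789abcdef0"}),
]


def matches_filter(event: dict) -> bool:
    """Emulates the eventName test the metric filter pattern performs."""
    return event.get("eventName") in SG_CHANGE_EVENTS


def metric_value(log_lines) -> int:
    """One metric data point per matching event, as the filter's metric value of 1 would sum up."""
    return sum(1 for line in log_lines if matches_filter(json.loads(line)))


def changed_groups(log_lines) -> list:
    """(user, event, security group) triples worth putting in the alert body."""
    out = []
    for line in log_lines:
        ev = json.loads(line)
        if matches_filter(ev):
            out.append((ev["userIdentity"]["arn"].rsplit("/", 1)[-1], ev["eventName"],
                        ev.get("requestParameters", {}).get("groupId")))
    return out


def alarm_state(value: int, threshold: int = 1) -> str:
    """Alarm on >= 1 change in the period, the usual threshold for this control."""
    return "ALARM" if value >= threshold else "OK"


def troubleshoot(chain: dict) -> list:
    """Check the links in the order option B suggests and return what is broken.
    `chain` is a constructed snapshot: trail log group, filter (log_group, metric),
    alarm (metric, actions)."""
    problems = []
    if not chain.get("trail_log_group"):
        problems.append("trail does not deliver to a CloudWatch Logs log group")
    flt = chain.get("filter")
    if flt is None or flt.get("log_group") != chain.get("trail_log_group"):
        problems.append("no metric filter on the trail's log group")
    alarm = chain.get("alarm")
    if alarm is None or flt is None or alarm.get("metric") != flt.get("metric"):
        problems.append("no alarm on the metric the filter emits")
    elif not alarm.get("actions"):
        problems.append("alarm has no notification action")
    return problems


if __name__ == "__main__":
    print(SG_CHANGE_FILTER_PATTERN)
    value = metric_value(SAMPLE_LOG_LINES)
    print(value, alarm_state(value), changed_groups(SAMPLE_LOG_LINES))
    silent = {"trail_log_group": "CloudTrail/Default",
              "filter": {"log_group": "CloudTrail/Default", "metric": "SecurityGroupChanges"},
              "alarm": {"metric": "SecurityGroupChanges", "actions": []}}
    print(troubleshoot(silent))  # ['alarm has no notification action']
```

A filter that matches and an alarm that enters ALARM state still produce no alert when the alarm has no action, which is why the answer ends with checking the notification action rather than stopping at the metric.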