SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 261:

    A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless, with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53. Which solution will meet these requirements?

    A. Use AWS WAF with an upgrade to the AWS Business support plan
    B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity
    C. Use AWS Shield Advanced
    D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic

  • Question 262:

    A company requires deep packet inspection on encrypted traffic to its web servers in its VPC. Which solution will meet this requirement?

    A. Decrypt traffic by using an Application Load Balancer (ALB) that is configured for TLS termination. Configure the ALB to send the traffic to an AWS Network Firewall endpoint for the deep packet inspection.
    B. Decrypt traffic by using a Network Load Balancer (NLB) that is configured for TLS termination. Configure the NLB to send the traffic to an AWS Network Firewall endpoint for the deep packet inspection.
    C. Decrypt traffic by using an Application Load Balancer (ALB) that is configured for TLS termination. Configure the ALB to send the traffic to an AWS WAF endpoint for the deep packet inspection.
    D. Decrypt traffic by using a Network Load Balancer (NLB) that is configured for TLS termination. Configure the NLB to send the traffic to an AWS WAF endpoint for the deep packet inspection.

  • Question 263:

    You need to create a Linux EC2 instance in AWS. Which of the following steps are used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.

    Please select:

    A. Ensure to create a strong password for logging into the EC2 Instance
    B. Create a key pair using PuTTY
    C. Use the private key to log into the instance
    D. Ensure the password is passed securely using SSL

  • Question 264:

    A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.

    What should the security engineer recommend?

    A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
    B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
    C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
    D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

  • Question 265:

    A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts. A security engineer integrates Amazon EKS with AWS CloudTrail. The CloudTrail trails are stored in an Amazon S3 bucket in each account to monitor API calls. The security engineer observes that CloudTrail logs are not displaying Kubernetes pod creation events.

    What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

    A. Configure the EKS clusters to use private S3 VPC endpoints. Configure the S3 buckets for logging.
    B. Enable Kubernetes API server component logs for each cluster.
    C. Enable cross-origin resource sharing (CORS) in the S3 bucket that is used for logging.
    D. Configure CloudWatch. View the events in the CloudWatch console.

  • Question 266:

    Your company uses AWS to host its resources. They have the following requirements:

    1) Record all API calls and Transitions
    2) Help in understanding what resources are there in the account
    3) Facility to allow auditing credentials and logins

    Which services would satisfy the above requirements?

    Please select:

    A. AWS Inspector, CloudTrail, IAM Credential Reports
    B. CloudTrail, IAM Credential Reports, AWS SNS
    C. CloudTrail, AWS Config, IAM Credential Reports
    D. AWS SQS, IAM Credential Reports, CloudTrail

  • Question 267:

    An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company's Security Engineer immediately disabled the key. How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

    A. Analyze AWS CloudTrail for activity.
    B. Analyze Amazon CloudWatch Logs for activity.
    C. Download and analyze the IAM Use report from AWS Trusted Advisor.
    D. Analyze the resource inventory in AWS Config for IAM user activity.
    E. Download and analyze a credential report from IAM.

  • Question 268:

    An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?

    Please select:

    A. Access the data through an Internet Gateway.
    B. Access the data through a VPN connection.
    C. Access the data through a NAT Gateway.
    D. Access the data through a VPC endpoint for Amazon S3

  • Question 269:

    An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future. Which controls should the company implement to achieve this? (Select TWO.)

    A. Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
    B. Use AWS CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.
    C. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering: { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "s3:PutObject", "Principal": "*", "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*" } } Create an Amazon S3 data event for all PutObject attempts, which sends notifications to an Amazon SNS topic.
    D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.
    E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.

  • Question 270:

    An organization policy states that all encryption keys must be automatically rotated every 12 months. Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

    A. AWS managed Customer Master Key (CMK)
    B. Customer managed CMK with AWS generated key material
    C. Customer managed CMK with imported key material
    D. AWS managed data key
