Amazon SCS-C01 Online Practice Questions and Exam Preparation

SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers
Question 271:
An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)
A. Configure the application's EC2 instances to use NAT gateways for all inbound traffic.
B. Move the web servers to private subnets without public IP addresses.
C. Configure AWS WAF to provide DDoS attack protection for the ALB.
D. Require all inbound network traffic to route through a bastion host in the private subnet.
E. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.
B. Move the web servers to private subnets without public IP addresses.
C. Configure AWS WAF to provide DDoS attack protection for the ALB.
Question 272:
A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company's security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext.
Which solutions could a security engineer use to meet these requirements? (Choose two.)
A. Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.
B. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure an SSL listener and TCP passthrough to receive client connections. Terminate HTTPS traffic from the NLB on the EC2 instances.
C. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances.
D. Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections. Terminate SSL on the existing ALB.
E. Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections. Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances. Terminate SSL from the ALB on the EC2 instances.
A. Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.
C. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances.
Question 273:
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?
A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
B. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.
C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
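The grant approach in the accepted answer, as an added example that is not part of the exam page: one KMS grant per application role instead of a key-policy edit per application, plus a small local model of how the EncryptionContextSubset constraint scopes each grant. The key ARN, role ARNs and bucket ARNs are placeholders, and the note about what S3 sends as encryption context is the part a practitioner should verify against their own bucket configuration.

```python
# Added example, not from the exam page: one KMS grant per application and a
# local evaluator for the EncryptionContextSubset grant constraint.
# KEY_ARN and every role/bucket ARN below are assumptions (placeholders).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"


def grant_request(app_name, role_arn, bucket_arn,
                  operations=("Decrypt", "GenerateDataKey", "DescribeKey")):
    """Keyword arguments for kms.create_grant(**...).

    S3 includes the encryption context key aws:s3:arn in its KMS calls: the
    bucket ARN when S3 Bucket Keys are enabled, otherwise the object ARN. The
    constraint value must match exactly what S3 sends, so this grant assumes
    Bucket Keys are on and pins the grant to one bucket."""
    return {
        "KeyId": KEY_ARN,
        "GranteePrincipal": role_arn,
        "RetiringPrincipal": role_arn,
        "Operations": list(operations),
        "Constraints": {"EncryptionContextSubset": {"aws:s3:arn": bucket_arn}},
        "Name": f"{app_name}-s3-data",
    }


def grant_permits(grant, operation, encryption_context):
    """Local model of the grant check: the operation must be listed, and every
    pair in EncryptionContextSubset must appear with the same value in the
    request's encryption context (the request may carry extra pairs)."""
    if operation not in grant["Operations"]:
        return False
    required = grant.get("Constraints", {}).get("EncryptionContextSubset", {})
    return all(encryption_context.get(k) == v for k, v in required.items())


def application_grants(apps):
    """apps: iterable of (app_name, role_arn, bucket_arn). One grant each, so
    removing an application is kms.revoke_grant on its GrantId, and the key
    policy never changes."""
    return [grant_request(*app) for app in apps]


if __name__ == "__main__":
    # Real run only; requires boto3 and credentials with kms:CreateGrant.
    import boto3
    kms = boto3.client("kms", region_name="us-east-1")
    for req in application_grants([
        ("billing", "arn:aws:iam::123456789012:role/billing-app", "arn:aws:s3:::billing-data"),
        ("reports", "arn:aws:iam::123456789012:role/reports-app", "arn:aws:s3:::billing-data"),
    ]):
        print(req["Name"], kms.create_grant(**req)["GrantId"])
```

Grants take effect immediately for the grantee and can be listed with `kms.list_grants` and removed with `kms.revoke_grant`; the key policy still has to allow `kms:CreateGrant` to whoever runs this, which is the one-time administrative setup the question is steering away from repeating per application.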
Question 274:
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
Question 275:
A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from a small number of client IP addresses, but the addresses change regularly.
The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.
Which solution meets these requirements?
A. Create an AWS WAF rate-based rule, and attach it to the ALB.
B. Update the security group that is attached to the ALB to block the attacking IP addresses.
C. Update the ALB subnet's network ACL to block the attacking client IP addresses.
D. Create an AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.
A. Create an AWS WAF rate-based rule, and attach it to the ALB.
Question 276:
A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics.
Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client's privilege scope.
Which combination of actions should the company take to prevent this threat? (Choose two.)
A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
B. In the application, add a client ID check. Disconnect from the server if any special character is detected.
C. Apply an AWS IoT Core policy that allows “AWSIoTWirelessDataAccess” with the principal set to “client/${iot:Connection.Thing.ThingName}”.
D. Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:ClientId}”.
E. Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:Connection.Thing.ThingName}”.
A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
E. Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:Connection.Thing.ThingName}”.
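Why the policy variable matters, as an added example that is not part of the exam page: a simplified local model of how an AWS IoT Core connect policy resolves its Resource ARN. A policy written with `${iot:ClientId}` resolves to whatever client ID the (possibly trojaned) app presents, so it never constrains anything; `${iot:Connection.Thing.ThingName}` resolves to the thing name registered against the connecting certificate, so only that exact client ID can connect. The region, account ID and the client-ID character class are assumptions, and the model ignores wildcard matching that the real evaluator also performs.

```python
# Added example, not from the exam page: simplified model of IoT Core connect
# policy variable resolution. REGION, ACCOUNT and SAFE_CLIENT_ID are assumptions.
import json
import re
from typing import Optional

REGION = "us-east-1"       # assumption
ACCOUNT = "123456789012"   # assumption (placeholder account)
THING_VAR = "${iot:Connection.Thing.ThingName}"
CLIENT_VAR = "${iot:ClientId}"

# Character class a legitimate client ID (a thing name) is expected to use;
# an assumption for the example, stricter than what the broker itself accepts.
SAFE_CLIENT_ID = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def connect_policy(variable: str) -> dict:
    """IoT policy allowing iot:Connect on client/<variable> and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{variable}"],
        }],
    }


def policy_document(variable: str) -> str:
    """JSON text as it would be passed to `aws iot create-policy`."""
    return json.dumps(connect_policy(variable), indent=2)


def resolve(resource: str, client_id: str, thing_name: Optional[str]) -> Optional[str]:
    """Substitute policy variables into a Resource ARN.

    The thing-name variable only resolves when the connecting certificate has
    a thing attached; with no thing the statement cannot match, so the connect
    is refused. The client-ID variable always resolves, to attacker input."""
    if THING_VAR in resource:
        return None if thing_name is None else resource.replace(THING_VAR, thing_name)
    return resource.replace(CLIENT_VAR, client_id)


def connect_allowed(policy: dict, client_id: str, thing_name: Optional[str]) -> bool:
    """Does `policy` permit a CONNECT presenting `client_id` from a certificate
    attached to `thing_name` (None when no thing is attached)?"""
    requested = f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{client_id}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "iot:Connect" not in stmt["Action"]:
            continue
        if any(resolve(r, client_id, thing_name) == requested for r in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    strict, weak = connect_policy(THING_VAR), connect_policy(CLIENT_VAR)
    for cid in ("sensor-001", "sensor-001/+", "../sensor-002"):
        print(f"{cid!r:18} strict={connect_allowed(strict, cid, 'sensor-001')!s:5} "
              f"weak={connect_allowed(weak, cid, 'sensor-001')}")
```

The SAFE_CLIENT_ID check is the server-side counterpart of option B: a client-side check inside an app the attacker has already replaced proves nothing, but validating thing names at registration time (for example in a provisioning Lambda) keeps the namespace free of characters that would ever need escaping.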
Question 277:
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs.
How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
B. Implement a rate-based rule with AWS WAF.
C. Use AWS Shield to limit the originating traffic hit rate.
D. Implement the GeoLocation feature in Amazon Route 53.
B. Implement a rate-based rule with AWS WAF.
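Questions 275 and 277 both come down to the same control, so one added example (not part of the exam page) covers both: a sliding five-minute per-IP counter run over a few constructed ALB access-log lines, which is what a WAF rate-based rule does on your behalf, followed by the rate-based rule object for the `wafv2` CreateWebACL call. The log lines, the limit of 100 and the Web ACL name are assumptions; nothing here is real traffic.

```python
# Added example, not from the exam page: per-IP rate detection over constructed
# ALB access-log lines, and the matching WAF v2 rate-based rule. The log lines,
# LIMIT and the Web ACL name are assumptions for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # a rate-based rule evaluates a 5-minute window
LIMIT = 100                     # requests per window per IP (assumption)


def parse_alb_line(line: str):
    """Return (timestamp, client_ip) from one ALB access-log line.
    Layout: type time elb client:port target:port ... (space separated)."""
    fields = line.split(" ")
    ts = datetime.fromisoformat(fields[1].replace("Z", "+00:00"))
    client_ip = fields[3].rsplit(":", 1)[0]
    return ts, client_ip


def offending_ips(lines, limit=LIMIT, window=WINDOW):
    """Sliding-window count per IP. Returns the IPs that exceeded `limit`
    requests inside any `window`-long interval, in the order they did so."""
    recent = defaultdict(deque)
    flagged = []
    for ts, ip in sorted(parse_alb_line(line) for line in lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged.append(ip)
    return flagged


def rate_based_rule(limit=LIMIT, name="RateLimitPerIP", priority=0) -> dict:
    """One entry for the Rules list of wafv2 create_web_acl / update_web_acl.
    Block applies only while an IP is over the limit; it is lifted once the
    rate drops, so this limits an IP without permanently blacklisting it."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def web_acl_request(rule, name="alb-dos-protection") -> dict:
    """Keyword arguments for wafv2.create_web_acl; REGIONAL is the scope for
    an ALB (CLOUDFRONT is only for distributions)."""
    return {
        "Name": name, "Scope": "REGIONAL", "DefaultAction": {"Allow": {}},
        "Rules": [rule],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def sample_log_lines():
    """Constructed ALB access-log lines (not real traffic): 203.0.113.5 makes
    150 requests in two minutes, 198.51.100.7 makes five."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ts, ip):
        stamp = ts.isoformat().replace("+00:00", "Z")
        return (f"https {stamp} app/my-alb/50dc6c495c0c9188 {ip}:44321 10.0.1.12:443 "
                f"0.001 0.010 0.000 200 200 34 366 \"GET https://example.com:443/ HTTP/1.1\"")

    lines = [line(base + timedelta(seconds=i * 0.8), "203.0.113.5") for i in range(150)]
    lines += [line(base + timedelta(seconds=i * 20), "198.51.100.7") for i in range(5)]
    return lines


if __name__ == "__main__":
    print("over limit:", offending_ips(sample_log_lines()))
    print(web_acl_request(rate_based_rule()))
```

After `create_web_acl` returns the ACL ARN, `wafv2.associate_web_acl(WebACLArn=..., ResourceArn=<ALB ARN>)` attaches it to the load balancer; a security group or network ACL (options B, C and D in the two questions) has no notion of request rate and cannot be a WAF attachment target.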
Question 278:
You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22.
How can this be mitigated immediately?
A. Shut down the instance.
B. Remove the rule for incoming traffic on port 22 from the Security Group.
C. Change the AMI for the instance.
D. Change the instance type for the instance.
B. Remove the rule for incoming traffic on port 22 from the Security Group.
Explanation/Reference:
In the test environment the security group may have been opened to all IP addresses for testing purposes. Always ensure that such a rule is removed once testing is complete. Options A, C and D are all invalid because they would affect the application running on the server. The easiest way is to remove the rule that allows access on port 22. For more information on authorizing access to an instance, please visit the URL below: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
The correct answer is: Remove the rule for incoming traffic on port 22 from the Security Group.
Question 279:
A security engineer noticed an anomaly within a company EC2 instance as shown in the image. The engineer must now investigate what is causing the anomaly.
What are the MOST effective steps to take to ensure that the instance is not further manipulated, while allowing the engineer to understand what happened?
A. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.
B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
C. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.
D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.
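The sequence in the accepted answer, written out as an added example that is not part of the exam page, against the boto3 EC2, Auto Scaling and ELBv2 client methods. The clients are passed in as parameters so the ordering can be exercised with fakes; every instance, group, target-group and security-group ID is a placeholder. The order is the point: take the instance out of the Auto Scaling group and target group first (so nothing replaces it or keeps routing to it), isolate it, then image the disk and work only on a copy.

```python
# Added example, not from the exam page: containment-then-capture for a
# compromised EC2 instance. Clients are injected; all resource IDs used in
# __main__ are placeholders (assumptions).
from datetime import datetime, timezone


def isolate_and_capture(ec2, autoscaling, elbv2, *, instance_id, asg_name,
                        target_group_arn, isolation_sg_id, forensic_instance_id,
                        device="/dev/sdf"):
    """Contain `instance_id`, snapshot its root volume, and attach a copy of that
    volume to the forensic toolkit instance. Returns (snapshot_id, volume_id).
    The original volume is never detached or modified."""
    # 1. Stop the ASG from terminating/replacing it; keep capacity unchanged
    #    so a clean replacement is launched for the service.
    autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                                 ShouldDecrementDesiredCapacity=False)
    # 2. Drain it from the load balancer so no user traffic reaches it.
    elbv2.deregister_targets(TargetGroupArn=target_group_arn, Targets=[{"Id": instance_id}])
    # 3. Replace every security group with the isolation group (no ingress/egress
    #    rules), which also cuts the attacker's existing sessions.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    # 4. Guard against an accidental terminate while evidence is collected.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    # 5. Point-in-time snapshot of the root volume (snapshots are immutable).
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    root = next(m for m in inst["BlockDeviceMappings"] if m["DeviceName"] == inst["RootDeviceName"])
    volume_id = root["Ebs"]["VolumeId"]
    az = inst["Placement"]["AvailabilityZone"]
    tags = [{"Key": "Evidence", "Value": f"{instance_id} {datetime.now(timezone.utc).isoformat()}"}]
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"forensic image of {instance_id}",
                               TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    # 6. Build a fresh volume from the snapshot in the toolkit host's AZ and
    #    attach that copy; the suspect volume stays with the suspect instance.
    vol = ec2.create_volume(SnapshotId=snap["SnapshotId"], AvailabilityZone=az,
                            TagSpecifications=[{"ResourceType": "volume", "Tags": tags}])
    ec2.get_waiter("volume_available").wait(VolumeIds=[vol["VolumeId"]])
    ec2.attach_volume(VolumeId=vol["VolumeId"], InstanceId=forensic_instance_id, Device=device)
    return snap["SnapshotId"], vol["VolumeId"]


if __name__ == "__main__":
    import boto3  # real run only; IDs below are placeholders
    s = boto3.Session(region_name="us-east-1")
    print(isolate_and_capture(
        s.client("ec2"), s.client("autoscaling"), s.client("elbv2"),
        instance_id="i-0123456789abcdef0", asg_name="web-asg",
        target_group_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/abc123",
        isolation_sg_id="sg-0isolation0000000", forensic_instance_id="i-0forensic000000000"))
```

The forensic instance must be in the same Availability Zone as the snapshot-derived volume (the code reuses the suspect's AZ); if the toolkit host lives elsewhere, create the volume in its AZ instead. Mount the copy read-only on the toolkit host, and keep the suspect instance running in the isolation group so volatile memory can still be captured.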
Question 280:
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.
What is the MOST secure way to protect the sensitive information used to bootstrap the instances?
A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
D. Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.