Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 281:
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events to an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.
The Logging team reported that the Amazon CloudWatch metrics for the number of messages sent or received show zero. No logs are being received.
What should the Security Engineer do to troubleshoot this issue?
A. Option A B. Option B C. Option C D. Option D
D. Option D
Question 282:
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.
Which solution meets these requirements?
A. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.
B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
D. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.
C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
Explanation/Reference:
VPC peering is not transitive and cannot carry traffic to an internet gateway in the peer VPC, so a default route pointing at a VPC peer (options A and B) does not send internet-bound traffic through the inspection VPC. A transit gateway supports that hub-and-spoke routing. Option D works but leaves route creation to every account owner; in option C, Control Tower's Account Factory creates the transit gateway attachment and the default route for each new account automatically, and the SCP blocks the obvious bypass of attaching an internet gateway in the workload accounts.
Question 283:
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Choose three.)
A. Amazon Route 53
B. AWS Certificate Manager (ACM)
C. Amazon S3
D. AWS Shield
E. Elastic Load Balancer
F. Amazon GuardDuty
A. Amazon Route 53
D. AWS Shield
E. Elastic Load Balancer
Explanation/Reference:
The combination of AWS services and features that provide protection in this scenario are:
A. Amazon Route 53 - Route 53 is a globally distributed, anycast DNS service that is protected by AWS Shield Standard and is built to absorb DNS floods; its health checks can also steer traffic away from endpoints that are under attack.
D. AWS Shield - Shield Standard is enabled automatically for every AWS account at no extra cost and mitigates the most common network (layer 3) and transport (layer 4) attacks, such as SYN/UDP floods and reflection attacks, on resources behind Route 53, CloudFront, and ELB. Shield Advanced adds larger-scale and application-layer protection, near-real-time attack visibility, and access to the Shield Response Team.
E. Elastic Load Balancer - An ELB only forwards well-formed TCP connections to the backend instances, so SYN floods and other malformed layer 3/4 traffic are absorbed at the load balancer, and it scales out to spread the remaining traffic across healthy targets.
Note: ACM, S3, and GuardDuty are not directly related to mitigating layer 3 and layer 4 DDoS attacks. GuardDuty can report that an instance is taking part in or is the target of such an attack, but it does not mitigate it.
Question 284:
One of the EC2 instances in your company has been compromised. What steps would you take to ensure that you can apply digital forensics to the instance? Select 2 answers from the options given below.
Please select:
A. Remove the role applied to the EC2 instance
B. Create a separate forensic instance
C. Ensure that the security groups only allow communication to this forensic instance
D. Terminate the instance
B. Create a separate forensic instance
C. Ensure that the security groups only allow communication to this forensic instance
Explanation/Reference:
Option A is invalid because removing the role only stops the instance's credentials from making further API calls; it does not isolate the host or preserve evidence. Option D is invalid because terminating the instance destroys the evidence you would analyse.
One way to isolate an affected EC2 instance for investigation is to place it in a security group that only the forensic investigators can access. Close all ports except inbound SSH or RDP from the single IP address from which the investigators examine the instance, and take EBS snapshots of its volumes before making changes so that the analysis can be done on a separate forensic instance.
For more information on security scenarios for your EC2 instance, please refer to the URL below: https://d1.awsstatic.com/Marketplace/scenarios/security/SEC 11 TSB Final.pd1
The correct answers are: Create a separate forensic instance. Ensure that the security groups only allow communication to this forensic instance.
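The isolation described above, written out as boto3 calls. This is an added example, not code from the question bank or from AWS: the EC2 client is passed in so the steps can be exercised offline against the fake client at the bottom of the block, and the instance ID, VPC ID, volume IDs and the investigator address are constructed values.

```python
"""Added example, not code from the question bank: isolate a compromised EC2
instance for forensics the way the explanation above describes, using boto3
calls. The EC2 client is passed in so the steps can be run offline against the
fake client at the bottom; the instance ID, VPC ID, volume IDs and the
investigator address are constructed values."""


def isolate_instance(ec2, instance_id, investigator_cidr, sg_name="forensic-isolation"):
    """Snapshot every attached EBS volume, then replace the instance's security
    groups with one that allows only inbound SSH from the investigator address
    and no outbound traffic at all. Returns the new group ID and snapshot IDs."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # Evidence first: snapshots are taken before anything on the instance changes.
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol_id,
                                   Description=f"forensic copy of {vol_id} from {instance_id}")
        snapshot_ids.append(snap["SnapshotId"])

    sg_id = ec2.create_security_group(GroupName=sg_name, Description="forensic isolation",
                                      VpcId=inst["VpcId"])["GroupId"]
    # A new group allows all IPv4 egress by default; revoke it so the instance
    # cannot reach a command-and-control host or exfiltrate data while examined.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": investigator_cidr, "Description": "forensic workstation"}]}])
    # Groups=[...] replaces the whole list, so every previous rule set is dropped.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return {"security_group_id": sg_id, "snapshot_ids": snapshot_ids}


class FakeEC2:
    """Offline stand-in for boto3's EC2 client; records every call it receives."""
    def __init__(self):
        self.calls = []

    def _record(self, name, kw, response):
        self.calls.append((name, kw))
        return response

    def describe_instances(self, **kw):
        return self._record("describe_instances", kw, {"Reservations": [{"Instances": [{
            "InstanceId": "i-0123456789abcdef0", "VpcId": "vpc-0abc",
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}},
                                    {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-0bbb"}}]}]}]})

    def create_snapshot(self, **kw):
        return self._record("create_snapshot", kw, {"SnapshotId": "snap-" + kw["VolumeId"][4:]})

    def create_security_group(self, **kw):
        return self._record("create_security_group", kw, {"GroupId": "sg-0forensic"})

    def revoke_security_group_egress(self, **kw):
        return self._record("revoke_security_group_egress", kw, {})

    def authorize_security_group_ingress(self, **kw):
        return self._record("authorize_security_group_ingress", kw, {})

    def modify_instance_attribute(self, **kw):
        return self._record("modify_instance_attribute", kw, {})


def run_offline_example():
    """Run the isolation against the fake client; returns (result, recorded calls)."""
    fake = FakeEC2()
    result = isolate_instance(fake, "i-0123456789abcdef0", "203.0.113.10/32")
    return result, fake.calls


if __name__ == "__main__":
    result, calls = run_offline_example()
    print(result)
    for name, _ in calls:
        print("called", name)
    # For a real incident replace FakeEC2() with boto3.client("ec2").
```

The order matters: snapshots are created before the security group swap so that the evidence reflects the state at discovery, and the new group replaces (rather than joins) the instance's existing groups so that no earlier rule keeps a path open.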
Question 285:
A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU: The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?
Question 286:
An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state changed to "Pending", but after a few seconds it switched back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instance.
The IAM user policy is as follows:
What additional items need to be added to the IAM user policy? (Choose two.)
A. kms:GenerateDataKey
B. kms:Decrypt
C. kms:CreateGrant
D. "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}
E. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
C. kms:CreateGrant
E. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
Explanation/Reference:
The EBS volumes are encrypted with a KMS CMK. When the instance starts, Amazon EC2 must create a grant on that key on the user's behalf so that it can decrypt the volume's data key; that CreateGrant call is made with the caller's permissions, so a policy that lacks kms:CreateGrant makes the attach fail and the instance falls back to "Stopped". Add kms:CreateGrant, constrained with the condition kms:GrantIsForAWSResource = true so that the user can only create grants through an AWS service integrated with KMS, not directly. Option D is wrong as written: kms:ViaService is a string condition key evaluated with StringEquals, not Bool. The key policy must also permit the same operations. This link explains how KMS key policies work: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
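A small offline model of policy evaluation that shows both the SCP from question 282 and the kms:CreateGrant fix just above. This is an added example and not the question bank's code or the IAM engine: it models only explicit Deny over Allow, wildcard actions, and the Bool and StringEquals operators. The user's original policy is an image in the question, so the EC2_USER_POLICY below is an assumption, as are the request contexts.

```python
"""Added example, not code from the question bank: a deliberately small model
of IAM policy evaluation used to show two things from the questions above.
First, the SCP from question 282 that denies ec2:AttachInternetGateway in the
workload accounts. Second, why kms:CreateGrant with the
kms:GrantIsForAWSResource condition lets EC2 attach a volume encrypted under a
CMK, while a "Bool" test on kms:ViaService (option D) can never match. The
model covers only explicit Deny over Allow, wildcard actions, and the Bool and
StringEquals operators; it is not the real IAM engine. The user's original
policy is an image in the question, so EC2_USER_POLICY below is an assumption."""
import fnmatch


def _condition_matches(cond, ctx):
    """All operator/key pairs must match. A key absent from the request context
    never matches (IAM treats a missing key the same way for these operators)."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = str(ctx[key]).lower()
            if operator == "Bool":
                # Bool compares the context value as true/false; a value that is
                # not a boolean (e.g. a service hostname) never matches.
                if actual not in ("true", "false") or actual != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(ctx[key]) != expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _applies(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and _condition_matches(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, ctx=None):
    """'Deny' if a matching statement denies, 'Allow' if one allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, ctx or {}):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_permitted(scp, identity_policy, action, ctx=None):
    """Both the SCP and the identity policy have to allow the call."""
    return evaluate(scp, action, ctx) == "Allow" and evaluate(identity_policy, action, ctx) == "Allow"


# Question 282, answer C: FullAWSAccess plus an explicit deny on attaching an IGW.
IGW_DENY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:AttachInternetGateway", "Resource": "*"}]}
FULL_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Assumed shape of the user's policy before the fix: full EC2, KMS decrypt only.
EC2_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}


def with_statement(policy, statement):
    """Copy of `policy` with one statement appended."""
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [statement]}


# The two items from the keyed answer (C and E) combined into one statement.
GRANT_FOR_SERVICE = {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*",
                     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
# Option D as written: a Bool operator on the string key kms:ViaService.
GRANT_BOOL_VIASERVICE = {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*",
                         "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}}

# Context KMS sees when EC2 creates the grant for an encrypted volume on the user's behalf.
EC2_GRANT_CTX = {"kms:GrantIsForAWSResource": "true", "kms:ViaService": "ec2.us-west-2.amazonaws.com"}
# Context for the same user calling CreateGrant directly from the CLI.
DIRECT_CTX = {"kms:GrantIsForAWSResource": "false"}


if __name__ == "__main__":
    fixed = with_statement(EC2_USER_POLICY, GRANT_FOR_SERVICE)
    print("IGW attach, workload account:", evaluate(IGW_DENY_SCP, "ec2:AttachInternetGateway"))
    print("IGW attach, inspection account:", evaluate(FULL_ACCESS_SCP, "ec2:AttachInternetGateway"))
    print("EC2 grant, original policy:", evaluate(EC2_USER_POLICY, "kms:CreateGrant", EC2_GRANT_CTX))
    print("EC2 grant, fixed policy:", evaluate(fixed, "kms:CreateGrant", EC2_GRANT_CTX))
    print("direct grant, fixed policy:", evaluate(fixed, "kms:CreateGrant", DIRECT_CTX))
    print("option D:", evaluate(with_statement(EC2_USER_POLICY, GRANT_BOOL_VIASERVICE),
                                "kms:CreateGrant", EC2_GRANT_CTX))
```

Running it shows the two points from the questions: the explicit Deny in the SCP wins over FullAWSAccess in the workload accounts, and the GrantIsForAWSResource condition lets the grant through only when an AWS service creates it, so the same user cannot hand-craft grants from the CLI.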
Question 287:
A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on the EC2 instances that need to be monitored.
Which additional steps should the Security Engineer take to meet this requirement?
A. Configure the Amazon Inspector agent to use the CVE rule package.
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from Amazon Inspector by writing a custom resource policy.
C. Configure the Security Hub agent to use the CVE rule package. Configure Amazon Inspector to ingest from Security Hub by writing a custom resource policy.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.
Question 288:
A company developed an incident response plan 18 months ago. Regular exercises of the response plan are carried out. No changes have been made to the response plan since its creation. Which of the following is a correct statement with regard to the plan?
Please select:
A. It places too much emphasis on already implemented security controls.
B. The response plan is not implemented on a regular basis.
C. The response plan does not cater to new services.
D. The response plan is complete in its entirety.
C. The response plan does not cater to new services.
Explanation/Reference:
AWS keeps changing and adding new services, so a response plan that has not been updated in 18 months cannot cover the services and features adopted since it was written. Options A and B are invalid because nothing in the question supports them: the plan is exercised regularly. Option D is invalid because a plan that has never been revised since its creation is not complete. For more information on incident response plans, please visit the following URL: https://aws.amazon.com/blogs/publicsector/buildins-a-cloud-specific-incident-response-plan; The correct answer is: The response plan does not cater to new services.
Question 289:
Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Choose two.)
A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
B. Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming.
C. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
D. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
E. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.
A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
B. Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming.
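An offline check for the two causes in the keyed answer, as an added example that is not part of the question bank: for a monitored file it reports whether the agent's user can read the file now (option A) and what the logrotate stanza covering the file will do at the next rotation (option B). A `create 0600 root root` line is the classic way delivery stops "after N hours": the agent can read the original file, logrotate renames it and creates a new one only root can read, and the stream goes quiet at the first rotation. The agent user, the uid/gid tables, the paths and the logrotate text are constructed; the parser handles only the directives shown, not nested postrotate blocks.

```python
"""Added example, not code from the question bank: an offline check for the
two causes named in the keyed answer. For a file the CloudWatch Logs agent
monitors it reports (1) whether the agent's user can read the file now, from
the file's mode bits, and (2) which rotation mechanism the logrotate stanza
covering the file uses and whether the file logrotate recreates will still be
readable. The agent user, uid/gid tables, paths and the logrotate text are
constructed; the parser handles only the directives shown, not nested
postrotate blocks."""
import fnmatch
import re
import stat


def can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check from numeric mode bits; uid 0 always reads."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def _stanza_for(config_text, log_path):
    """Directives (as token lists) of the first stanza whose patterns match log_path."""
    for m in re.finditer(r"([^{}]+?)\s*\{(.*?)\}", config_text, re.S):
        if any(fnmatch.fnmatchcase(log_path, p) for p in m.group(1).split()):
            return [line.split() for line in m.group(2).splitlines() if line.strip()]
    return None


def after_rotation(config_text, log_path, current, users, groups):
    """Predict (mechanism, (mode, uid, gid) of the live file after rotation).
    None for the attributes means logrotate does not create the file, so they
    depend on the application's umask. `create` with omitted fields keeps the
    original file's attributes, as logrotate does."""
    directives = _stanza_for(config_text, log_path)
    if directives is None:
        return "no stanza", current
    names = {d[0] for d in directives}
    if "copytruncate" in names:
        return "copytruncate", current          # same inode, attributes untouched
    if "nocreate" in names:
        return "nocreate", None
    for d in directives:
        if d[0] == "create":
            mode, uid, gid = current
            if len(d) > 1:
                mode = int(d[1], 8)
            if len(d) > 2:
                uid = users[d[2]]
            if len(d) > 3:
                gid = groups[d[3]]
            return "create", (mode, uid, gid)
    return "not recreated by logrotate", None


def check_delivery(config_text, log_path, current, agent_uid, agent_gids, users, groups):
    """Summary a practitioner can act on for one monitored file."""
    mechanism, new = after_rotation(config_text, log_path, current, users, groups)
    return {
        "readable_now": can_read(current[0], current[1], current[2], agent_uid, agent_gids),
        "mechanism": mechanism,
        "readable_after_rotation": (None if new is None
                                    else can_read(new[0], new[1], new[2], agent_uid, agent_gids)),
    }


# Constructed sample: uid/gid tables, an agent user that is also in "adm", and a
# logrotate config with three stanzas.
USERS = {"root": 0, "cwagent": 1001}
GROUPS = {"root": 0, "adm": 4, "cwagent": 1001}
AGENT_UID, AGENT_GIDS = USERS["cwagent"], {GROUPS["cwagent"], GROUPS["adm"]}
SAMPLE_LOGROTATE = """
/var/log/app/app.log {
    daily
    rotate 7
    compress
    create 0600 root root
}
/var/log/app/audit.log {
    hourly
    copytruncate
}
/var/log/app/*.json {
    daily
    create 0640 root adm
}
"""

if __name__ == "__main__":
    for path in ("/var/log/app/app.log", "/var/log/app/audit.log", "/var/log/app/events.json"):
        # The live files are assumed to be 0644 root:root right now.
        print(path, check_delivery(SAMPLE_LOGROTATE, path, (0o644, 0, 0),
                                   AGENT_UID, AGENT_GIDS, USERS, GROUPS))
```

With the sample config, app.log is readable now but not after rotation, audit.log is unaffected because copytruncate keeps the same inode and attributes, and events.json stays readable only because the agent user is in the adm group. On a real host the `current` tuple comes from `os.stat()` on the monitored file and the user/group tables from `pwd` and `grp`.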
Question 290:
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:
"Unable to share snapshot. An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared"
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)
A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
B. Allow forensics account principals to use the CMK by modifying its policy.
C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
D. Copy the EBS snapshot to a new decrypted snapshot.
E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
F. Share the target EBS snapshot with the forensics account.
A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
B. Allow forensics account principals to use the CMK by modifying its policy.
F. Share the target EBS snapshot with the forensics account.
Explanation/Reference:
Snapshots encrypted with the AWS managed key for EBS (aws/ebs) cannot be shared with another account, and an encrypted snapshot cannot be copied to an unencrypted one. The fix is to copy the snapshot with a customer managed CMK as the destination key (A), update that key's policy so the forensics account can use it (B), and then share the copy through its createVolumePermission attribute (F). Options C, D and E all produce unencrypted data, which violates the requirement that the volumes be encrypted at all times, and D is not possible at all.
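The fix for the OperationNotPermitted error as boto3 calls, as an added example that is not code from the question bank or from AWS. Snapshots encrypted with the AWS managed EBS key cannot be shared, so the flow creates a customer managed KMS key whose policy lets the forensics account use it, copies the snapshot so the copy is encrypted under that key, waits for the copy, and shares it with the forensics account. Both clients are passed in so the flow runs offline against the fakes at the bottom of the block; the account IDs, region, key ID and snapshot IDs are constructed.

```python
"""Added example, not code from the question bank: the fix for the
OperationNotPermitted error as boto3 calls. Snapshots encrypted with the
AWS-managed EBS key cannot be shared, so the flow creates a customer managed
KMS key whose policy lets the forensics account use it, copies the snapshot so
the copy is encrypted under that key, waits for the copy, and shares it. Both
clients are passed in so the flow runs offline against the fakes at the
bottom; the account IDs, region, key ID and snapshot IDs are constructed."""
import json

INCIDENT_ACCOUNT = "111111111111"    # constructed
FORENSICS_ACCOUNT = "222222222222"   # constructed
REGION = "us-west-2"


def forensic_key_policy(incident_account, forensics_account):
    """Key policy: the incident account administers the key; principals in the
    forensics account may decrypt with it and create the grant EC2 needs when a
    volume restored from the shared snapshot is attached. Those principals still
    need matching kms:* permissions in their own IAM policies (cross-account
    access needs both sides)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "IncidentAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{incident_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ForensicsAccountUse", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{forensics_account}:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:CreateGrant"],
         "Resource": "*"}]}


def share_encrypted_snapshot(kms, ec2, snapshot_id, region, incident_account, forensics_account):
    """Returns the key ID and the ID of the re-encrypted copy that was shared."""
    key = kms.create_key(Description="forensic snapshot sharing",
                         Policy=json.dumps(forensic_key_policy(incident_account, forensics_account)))
    key_id = key["KeyMetadata"]["KeyId"]
    # Copying is the only way to change a snapshot's key; Encrypted=True keeps the
    # "encrypted at all times" requirement, no unencrypted intermediate exists.
    copy = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snapshot_id,
                             Encrypted=True, KmsKeyId=key_id,
                             Description=f"re-encrypted copy of {snapshot_id} for forensics")
    new_id = copy["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[new_id])
    ec2.modify_snapshot_attribute(SnapshotId=new_id, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[forensics_account])
    return {"kms_key_id": key_id, "shared_snapshot_id": new_id}


class FakeKMS:
    """Offline stand-in for boto3's KMS client; keeps the policies it was given."""
    def __init__(self):
        self.policies = []

    def create_key(self, **kw):
        self.policies.append(json.loads(kw["Policy"]))
        return {"KeyMetadata": {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}}


class FakeEC2:
    """Offline stand-in for boto3's EC2 client; records every call."""
    def __init__(self):
        self.calls = []

    def copy_snapshot(self, **kw):
        self.calls.append(("copy_snapshot", kw))
        return {"SnapshotId": "snap-0copy"}

    def get_waiter(self, name):
        self.calls.append(("get_waiter", {"name": name}))
        return self

    def wait(self, **kw):
        self.calls.append(("wait", kw))

    def modify_snapshot_attribute(self, **kw):
        self.calls.append(("modify_snapshot_attribute", kw))
        return {}


def run_offline_example():
    """Run the flow against the fakes; returns (result, key policies seen, EC2 calls)."""
    kms, ec2 = FakeKMS(), FakeEC2()
    result = share_encrypted_snapshot(kms, ec2, "snap-0suspicious", REGION,
                                      INCIDENT_ACCOUNT, FORENSICS_ACCOUNT)
    return result, kms.policies, ec2.calls


if __name__ == "__main__":
    result, policies, calls = run_offline_example()
    print(result)
    print(json.dumps(policies[0], indent=2))
    # For a real incident use boto3.client("kms") and boto3.client("ec2") instead of the fakes.
```

The original snapshot is left untouched; only the re-encrypted copy is shared, and the forensics account restores a volume from it with the shared key, so the data is encrypted at every step.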
Questions, answers, and explanations provided by Vcedump.com.