SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 291:

    A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes. What is the MOST secure way to accomplish this?

    A. Extract the subject (sub), audience (aud), and cognito:username from the ID token payload. Manually check the subject and audience for the user name in the user pool.
    B. Search for the public key with a key ID that matches the key ID in the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date.
    C. Verify that the token is not expired. Then use the token_use claim function in Amazon Cognito to validate the key IDs.
    D. Copy the JSON Web Token (JWT) as a JSON document. Obtain the public JSON Web Key (JWK) and convert it to a .pem file. Then use the file to validate the original JWT.

  • Question 292:

    A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers.

    A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver.

    Which solution will meet these requirements?

    A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
    B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
    C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
    D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.

  • Question 293:

    A company is planning on extending its on-premises infrastructure to the AWS Cloud. It needs a solution that provides the core benefits of traffic encryption and ensures latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below.

    Please select:

    A. AWS VPN
    B. AWS VPC Peering
    C. AWS NAT gateways
    D. AWS Direct Connect

  • Question 294:

    You have a 2-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 instances. You are devising the security groups for these EC2 instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.

    Please select:

    A. wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
    B. db-345 - Allow port 1433 from wg-123
    C. wg-123 - Allow port 1433 from wg-123
    D. db-345 - Allow port 1433 from 0.0.0.0/0

  • Question 295:

    A company's security engineer needs to restrict access to AWS so that the company can deploy resources only in the eu-west-1 Region. The company uses AWS Organizations and has applied the following SCP at the organization's root level:

    The company uses Amazon S3, Amazon Route 53, Amazon CloudFront, and AWS Identity and Access Management (IAM). These services must still work in eu-west-1. Which entry should the security engineer remove from the NotAction element in the Deny policy to achieve this goal?

    A. s3:*
    B. iam:*
    C. cloudfront:*
    D. route53:*

  • Question 296:

    A security engineer recently enabled the me-south-1 Region. The security engineer is now assuming an IAM role and is making an API call to an endpoint in me-south-1.

    The API call returns the following error: “AuthFailure: AWS was not able to validate the provided access credentials”.

    Which solutions will resolve this error? (Choose two.)

    A. Add the iam:SetSecurityTokenServicePreferences action to the security engineer's IAM role.
    B. Use the AWS Security Token Service (AWS STS) endpoint in me-south-1 to obtain an STS token.
    C. Use the AWS Security Token Service (AWS STS) endpoint in the us-east-1 Region to obtain an STS token.
    D. Manually activate the AWS Security Token Service (AWS STS) endpoint in me-south-1.
    E. Change the AWS Security Token Service (AWS STS) global endpoint to issue Region-compatible session tokens.

  • Question 297:

    A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Choose three.)

    A. The target instance's security group does not allow traffic from the NLB.
    B. The target instance's security group is not attached to the NLB.
    C. The NLB's security group is not attached to the target instance.
    D. The target instance's subnet network ACL does not allow traffic from the NLB.
    E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
    F. The target network ACL is not attached to the NLB.

  • Question 298:

    A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.

    The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.

    How can the security engineer meet these requirements?

    A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
    B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
    C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
    D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.

  • Question 299:

    A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.

    Which configuration steps should the security engineer take to accomplish this task?

    A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
    B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC's internet gateway.
    C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
    D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.

  • Question 300:

    After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.

    How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

    A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
    B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
    C. Download and run the EC2Rescue for Windows Server utility from AWS.
    D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.