Amazon SCS-C01 Online Practice Questions and Exam Preparation

SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers
Question 311:
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never alerted on or reported by the Amazon CloudWatch Logs agent.
Why were there no alerts on the sudo commands?
A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs.
D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
Question 312:
You have a set of 100 EC2 instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.
Please select:
A. Ensure a NAT gateway is present to download the updates
B. Use the Systems Manager to patch the instances
C. Ensure an internet gateway is present to download the updates
D. Use the AWS Inspector to patch the updates
A. Ensure a NAT gateway is present to download the updates
B. Use the Systems Manager to patch the instances
Explanation/Reference:
Option C is invalid because the instances need to remain in the private subnet.
Option D is invalid because AWS Inspector can only detect missing patches; it does not apply them.
One of the AWS blogs describes how patching of Linux servers can be accomplished. (The architecture diagram from that post is not reproduced here.)
For more information on patching Linux workloads in AWS, please refer to the link below:
https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/
The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances.
Question 313:
A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application. A Security Engineer has been asked to review the security controls for authentication and authorization of the application.
Which combination of actions would provide the MOST secure solution? (Select TWO)
A. Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway. Attach the policy to the role used by the legacy EC2 instances.
B. Enable AWS WAF for API Gateway. Configure rules to explicitly allow connections from the legacy EC2 instances.
C. Create a VPC endpoint for API Gateway. Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs.
D. Create a usage plan. Generate a set of API keys for each application that needs to call the API.
E. Configure cross-origin resource sharing (CORS) in each API. Share the CORS information with the applications that call the API.
A. Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway. Attach the policy to the role used by the legacy EC2 instances.
E. Configure cross-origin resource sharing (CORS) in each API. Share the CORS information with the applications that call the API.
Question 314:
A company's Security Engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)
A. Configuring AWS Organizations to monitor root user API calls on the paying account
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
C. Configuring Amazon Inspector to scan the AWS account for any root user activity
D. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
E. Using Amazon SNS to notify the target group
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
E. Using Amazon SNS to notify the target group
Question 315:
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?
Please select:
A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
C. Add a rule to all of the VPC Security Groups to deny access from the IP address block.
D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
Explanation/Reference:
A NACL acts as a firewall at the subnet level of the VPC, so the offending IP address block can be denied at the subnet level using NACL rules that block the incoming traffic to the VPC instances. Since NACL rules are evaluated in order of rule number, make sure that this deny rule is given a lower number than any existing rule that would allow traffic from these IP ranges: the lowest rule number takes precedence over a rule with a higher number.

The AWS documentation mentions the following as a best practice for IAM users: for extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

Option C is invalid because these options are not available. Option D is invalid because there is no root access for users. For more information on IAM best practices, please visit the below URL:
The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
Question 316:
A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation. What should the security engineer do to meet these requirements?
A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
Question 317:
A company has been using the AWS KMS service for managing its keys. They are planning on carrying out housekeeping activities and deleting keys which are no longer in use. What are the ways that can be used to see which keys are in use? Choose 2 answers from the options given below.
Please select:
A. Determine the age of the master key
B. See who is assigned permissions to the master key
C. See CloudTrail for usage of the key
D. Use AWS CloudWatch Events for events generated for the key
B. See who is assigned permissions to the master key
C. See CloudTrail for usage of the key
Explanation/Reference:
The direct ways to see how a key is being used are to examine its current access permissions and its CloudTrail logs. Option A is invalid because seeing how long ago the key was created would not determine the usage of the key. Option D is invalid because CloudTrail is the better source for seeing the events generated by the key.

This is also mentioned in the AWS documentation:

Examining CMK Permissions to Determine the Scope of Potential Usage. Determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CMK was used and whether it is still needed. To learn how to determine who or what currently has access to a CMK, go to Determining Access to an AWS KMS Customer Master Key.

Examining AWS CloudTrail Logs to Determine Actual Usage. AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files. If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history. You might be able to use a CMK's usage history to help you determine whether or not you still need it.

For more information on determining the usage of CMK keys, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html
The correct answers are: See who is assigned permissions to the master key. See CloudTrail for usage of the key.
Question 318:
A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers.
The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them.
The security engineer needs to perform verification steps before Session Manager will work on the servers.
Which combination of steps should the security engineer perform? (Select THREE.)
A. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.
B. Enable the advanced-instances tier in Systems Manager.
C. Create a managed-instance activation for the on-premises servers.
D. Reconfigure the Systems Manager Agent with the activation code and ID.
E. Assign an IAM role to all of the on-premises servers.
F. Initiate an inventory collection with Systems Manager on the on-premises servers.
C. Create a managed-instance activation for the on-premises servers.
E. Assign an IAM role to all of the on-premises servers.
F. Initiate an inventory collection with Systems Manager on the on-premises servers.
Question 319:
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?
A. Configure AWS WAF rules to implement the required rules.
B. Use the operating system built-in, host-based firewall to implement the required rules.
C. Use a NAT gateway to control ingress and egress according to the requirements.
D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.
B. Use the operating system built-in, host-based firewall to implement the required rules.
Question 320:
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.
Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.
The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications.
Which solution will meet these requirements?
A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
C. Enable CloudTrail Insights to identify unusual API activity.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.