SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 321:

    A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

    The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

    Which solution will meet these requirements?

    A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
    B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
    C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
    D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

  • Question 322:

    A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company's security policies for accessing other AWS resources from Amazon EC2.

    A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.

    The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).

    Which combination of steps should the security engineer take to gather this information? (Choose two.)

    A. Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.
    B. Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.
    C. Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.
    D. Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.
    E. Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.

  • Question 323:

    An application uses Amazon Cognito to manage end users' permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:

    Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.

    The priorities are to reduce complexity and avoid potential for future security issues.

    Which approach will meet these requirements and priorities?

    A. Create a new database field "suspended_status" and modify the application logic to validate that field when processing requests.
    B. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
    C. Use Amazon Cognito Sync to push out a "suspension_status" parameter and split the IAM policy into normal users and suspended users.
    D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

  • Question 324:

    A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.

    How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

    A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
    B. Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
    C. Use AWS Single Sign-On to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
    D. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

  • Question 325:

    A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.

    How should the Lambda function be given access to the DynamoDB table?

    Please select:

    A. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
    B. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
    C. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
    D. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

  • Question 326:

    A Security Engineer is troubleshooting a connectivity issue between a web server and a logging server in another VPC, to which the web server is writing log files. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply.

    Which of the following actions could fix this issue?

    A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server
    B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
    C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection
    D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

  • Question 327:

    A company needs to restrict access to Amazon DynamoDB tables in the us-east-1 Region for account 0123456789. All users must be denied permission to work with DynamoDB tables in us-east-1 unless the users access the tables through the following endpoint: vpce-11aa22bb.

    Which IAM statement will enforce this requirement?

    A. "Statement": [{ "Sid": "AccessFromSpecificEndpoint", "Action": "dynamodb:*", "Effect": "Deny", "Resource": "arn:aws:dynamodb:us-east-1:0123456789:table/*", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-11aa22bb" } } }]
    B. "Statement": [{ "Sid": "AccessFromSpecificEndpoint", "Action": "dynamodb:*", "Effect": "Allow", "Resource": "arn:aws:dynamodb:us-east-1:0123456789:table/*", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-11aa22bb" } } }]
    C. "Statement": [{ "Sid": "AccessFromSpecificEndpoint", "Action": "dynamodb:*", "Effect": "Allow", "Resource": "arn:aws:dynamodb:us-east-1:0123456789:table/*", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-11aa22bb" } } }]
    D. "Statement": [{ "Sid": "AccessFromSpecificEndpoint", "Action": "dynamodb:*", "Effect": "Deny", "Resource": "arn:aws:dynamodb:us-east-1:0123456789:table/*", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-11aa22bb" } } }]

  • Question 328:

    A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks. A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that it is never accessible directly.

    How should the security engineer build the MOST secure solution?

    A. Add an origin custom header. Set the viewer protocol policy to HTTP and HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
    B. Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header.
    C. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTP only. Update the application to validate the CloudFront custom header.
    D. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.

  • Question 329:

    Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?

    Please select:

    A. Create individual IAM users
    B. Configure MFA on the root account and for privileged IAM users
    C. Assign IAM users and groups configured with policies granting least privilege access
    D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

  • Question 330:

    A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.

    The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.

    How can the Security Engineer address the issue?

    A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
    B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
    C. Use GuardDuty filters with auto archiving enabled to close the findings
    D. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.