Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 331:
A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security-related messages.
What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?
Please select:
A. Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled CloudWatch event.
B. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
C. Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.
D. Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena.
Answer: B. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
Explanation/Reference:
One can send the log files to CloudWatch Logs. Log files can also be sent from on-premises servers. You can then define metric filters to search the logs for specific values, and then create alarms based on these metrics.
Option A is invalid because this would be a long, drawn-out process to achieve this requirement.
Option C is invalid because Amazon Inspector cannot be used to monitor for security-related messages.
Option D is invalid because files cannot be exported to AWS CloudTrail.
For more information on the CloudWatch Logs agent, please visit the below URL:
The correct answer is: Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
Question 332:
A financial institution has the following security requirements:
Cloud-based users must be contained in a separate authentication domain.
Cloud-based users cannot access on-premises systems.
As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)
A. Configure an AWS Managed Microsoft AD to manage the cloud resources.
B. Configure an additional on-premises Active Directory service to manage the cloud resources.
C. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
D. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
E. Establish a two-way trust between the new and existing Active Directory services.
Answer: A. Configure an AWS Managed Microsoft AD to manage the cloud resources. E. Establish a two-way trust between the new and existing Active Directory services.
Explanation/Reference:
Deploy a new forest/domain on AWS with one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain.
Question 333:
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS. How can the Security Engineer block access to the Amazon-provided DNS in the VPC?
A. Deny access to the Amazon DNS IP within all security groups.
B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
C. Add a route to all route tables that black holes traffic to the Amazon DNS IP.
D. Disable DNS resolution within the VPC configuration.
Answer: D. Disable DNS resolution within the VPC configuration.
Question 334:
There is a set of EC2 instances in a private subnet. The application hosted on these EC2 instances needs to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?
Please select:
A. Use a VPC endpoint to the DynamoDB table
B. Use a VPN connection from the VPC
C. Use a VPC gateway from the VPC
D. Use a VPC Peering connection to the DynamoDB table
Answer: A. Use a VPC endpoint to the DynamoDB table
Explanation/Reference:
The following diagram from the AWS Documentation shows how you can access the DynamoDB service from within a VPC without going to the Internet. This can be done with the help of a VPC endpoint.
Option B is invalid because this is used for a connection between an on-premises solution and AWS.
Option C is invalid because there is no such option.
Option D is invalid because this is used to connect 2 VPCs.
For more information on VPC endpoints for DynamoDB, please visit the URL:
The correct answer is: Use a VPC endpoint to the DynamoDB table
Question 335:
A company is observing frequent bursts of unusual traffic to its corporate website. The IP address ranges that inflate the requests keep changing, and the volumes of traffic are increasing.
A security engineer needs to implement a solution to protect the website from a potential DDoS attack. The solution must track the rate of requests from IP addresses. When the requests from a particular IP address exceed a specific rate, the solution must limit the amount of traffic that can reach the website from that IP address.
Which solution will meet these requirements?
A. Set up Amazon Inspector on the backend servers. Create assessment targets with a rate-based configuration to block any offending IP address.
B. Create a rate-based rule in AWS WAF to block an IP address when that IP address exceeds the configured threshold rate.
C. Identify the offending client IP address ranges. Create a regular rule in AWS WAF to block the offending IP address ranges.
D. Create a rate-based rule in Amazon GuardDuty to block an IP address when that IP address exceeds the configured threshold rate.
Answer: C. Identify the offending client IP address ranges. Create a regular rule in AWS WAF to block the offending IP address ranges.
Explanation/Reference:
Question 336:
You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.
Please select:
A. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.
B. Create an HSM client certificate in Redshift and authenticate using this certificate.
C. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
D. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
Answer: D. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
Explanation/Reference:
The AWS Documentation mentions the following: "When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."
Options A, B and C are all automatically incorrect because you need to use IAM Roles for secure access to services.
For more information on web identity federation, please refer to the below link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
Question 337:
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
C. Configure automatic rotation of credentials in AWS Secrets Manager.
D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Answer: C. Configure automatic rotation of credentials in AWS Secrets Manager. E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Question 338:
A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are running in a single AWS account. No internet connectivity is allowed from any EC2 instances in the account.
A security engineer has configured the relevant settings in Patch Manager. The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.
Which combination of steps must the security engineer take to meet these requirements? (Choose three.)
A. Create a gateway VPC endpoint for com.amazonaws.[region].s3.
B. Create VPC endpoints for com.amazonaws.[region].ec2messages and com.amazonaws.[region].ssm.
C. Create a NAT gateway.
D. Update the route tables to route Systems Manager traffic through the NAT gateway.
E. Update the route tables with a route to the gateway VPC endpoint.
F. Update the route tables to route the update traffic through the NAT gateway.
Answer: A. Create a gateway VPC endpoint for com.amazonaws.[region].s3. E. Update the route tables with a route to the gateway VPC endpoint. F. Update the route tables to route the update traffic through the NAT gateway.
Explanation/Reference:
Question 339:
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?
A. email.us-east-1.amazonaws.com over port 8080
B. email-pop3.us-east-1.amazonaws.com over port 995
C. email-smtp.us-east-1.amazonaws.com over port 587
D. email-imap.us-east-1.amazonaws.com over port 993
Answer: C. email-smtp.us-east-1.amazonaws.com over port 587
Question 340:
A company is using Amazon GuardDuty in its AWS environment. The company asks a security engineer to suspend GuardDuty. Which combination of steps must the security engineer perform to meet this requirement? (Choose two.)
A. Disable all optional data sources from all detectors in all regions.
B. Disassociate or delete all member accounts.
C. Disable all associated monitoring services.
D. Delete all existing findings.
E. Export all existing findings.
Answer: A. Disable all optional data sources from all detectors in all regions. B. Disassociate or delete all member accounts.
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how can you prepare for the exam effectively? How can you prepare for the exam in a short time with less effort? How can you get an ideal result, and how can you find the most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.