Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 351:
You have several S3 buckets defined in your AWS account. You need to give external AWS accounts access to these S3 buckets. Which of the following allow you to define the permissions for the external accounts? Choose 2 answers from the options given below.
Please select:
A. IAM policies
B. Bucket ACLs
C. IAM users
D. Bucket policies
Answer:
B. Bucket ACLs
D. Bucket policies
Explanation/Reference:
The AWS Security whitepaper gives the type of access control and the level at which the control can be given.
Options A and C are incorrect because, for external access to buckets, you need to use either bucket policies or bucket ACLs. For more information on security for storage services, please refer to the below URL: https://d1.awsstatic.com/whitepapers/Security/Security_Storage_Services_Whitepaper.pdf
The correct answers are: Bucket ACLs, Bucket policies
Question 352:
A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.
Which solution will meet these requirements?
A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.
C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).
D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.
Answer:
A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
Explanation/Reference:
Question 353:
You have a set of keys defined using the AWS KMS service. You want to stop using a couple of keys, but are not sure which services are currently using them. Which of the following would be a safe option to stop the keys from being used further?
Please select:
A. Delete the keys, since there is a 7-day waiting period before deletion anyway
B. Disable the keys
C. Set an alias for the key
D. Change the key material for the key
Answer:
B. Disable the keys
Explanation/Reference:
Option A is invalid because once you schedule the deletion and the waiting period ends, you cannot come back from the deletion process. Options C and D are invalid because these will not check whether the keys are being used or not.
The AWS Documentation mentions the following: Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
For more information on deleting keys from KMS, please visit the below URL: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
The correct answer is: Disable the keys
Question 354:
The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:
What are the effects of the key policy? (Choose two.)
A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.
Answer:
A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
Explanation/Reference:
Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so.
Question 355:
A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to reduce the risk of data deletion on the bucket? Choose 2 answers from the options given below.
Please select:
A. Enable versioning on the S3 bucket
B. Enable data at rest for the objects in the bucket
C. Enable MFA Delete in the bucket policy
D. Enable data in transit for the objects in the bucket
Answer:
A. Enable versioning on the S3 bucket
C. Enable MFA Delete in the bucket policy
Explanation/Reference:
One of the AWS Security blogs mentions the following: Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket, Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request. You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your AWS account's access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.
Option B is invalid because enabling encryption at rest does not reduce the risk of data deletion.
Option D is invalid because encryption in transit does not reduce the risk of data deletion either. For more information on AWS S3 versioning and MFA please refer to the below URL:
The correct answers are: Enable versioning on the S3 bucket Enable MFA Delete in the bucket policy
Question 356:
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
1. Include migration to a different AWS Region in the application disaster recovery plan.
2. Provide a full audit trail of encryption key administration events.
3. Allow only company administrators to administer keys.
4. Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?
A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
Answer:
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
Question 357:
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
1. Set up the proxy software on the EC2 instances.
2. Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
3. Created a security group rule opening inbound ports 80 and 443 (TCP) on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?
A. Put all the proxy EC2 instances in a cluster placement group.
B. Disable source and destination checks on the proxy EC2 instances.
C. Open all inbound ports on the proxy EC2 instance security group.
D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of the proxy EC2 instances.
Answer:
B. Disable source and destination checks on the proxy EC2 instances.
Question 358:
A development team is attempting to encrypt and decrypt a secure string parameter from the AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team.
Which CMK-related problems possibly account for the error? (Select two.)
A. The CMK used in the attempt does not exist.
B. The CMK used in the attempt needs to be rotated.
C. The CMK used in the attempt is referenced by the CMK's key ID instead of the CMK ARN.
D. The CMK used in the attempt is not enabled.
E. The CMK used in the attempt is referenced by an alias.
Answer:
A. The CMK used in the attempt does not exist.
D. The CMK used in the attempt is not enabled.
Question 359:
A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security.
The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.
Which network ACL rule set meets these requirements?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Answer:
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
Question 360:
A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.
The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.
Which solution will meet these requirements?
A. Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.
B. Update the elastic network interface security group that is attached to the EC2 instance to remove the port from the inbound rule list.
C. Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.
D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.
Answer:
D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.