Amazon SCS-C01 Online Practice Questions and Exam Preparation

SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers
Question 361:
A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:
1. Data must be encrypted in transit.
2. Data must be encrypted at rest.
3. The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.
Which combination of steps would meet the requirements? (Select THREE.)
A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
C. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
D. Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only.
E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".
F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.
B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
D. Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only.
F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.
Question 362:
Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring.
Which one of the below steps can help address this issue?
Please select:
A. Use the VPC Flow Logs.
B. Use a network monitoring tool provided by an AWS partner.
C. Use another instance. Set up a port in "promiscuous mode" and sniff the traffic to analyze the packets.
D. Use a CloudWatch metric.
B. Use a network monitoring tool provided by an AWS partner.
Question 363:
A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.
The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.
Which response will immediately mitigate the attack and help investigate the root cause?
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
Explanation/Reference:
This option suggests updating the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule, replacing the security group with a new one that only allows connections from a diagnostics security group, and launching a new EC2 instance with diagnostic tools to investigate the suspicious instance. This option will immediately mitigate the attack and provide the necessary tools for investigation.
Question 364:
Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service?
Please select:
A. The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
B. The master key encrypts the database key. The database key encrypts the data encryption keys.
C. The master key encrypts the data encryption keys. The data encryption keys encrypt the database key.
D. The master key encrypts the cluster key, database key and data encryption keys.
A. The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
Explanation/Reference:
This is mentioned in the AWS documentation. Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key. Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly generated AES-256 key. These keys are encrypted by using the database key for the cluster. The database key encrypts data encryption keys in the cluster. The database key is a randomly generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and passed to the cluster across a secure channel. The cluster key encrypts the database key for the Amazon Redshift cluster.
Option B is incorrect because the master key encrypts the cluster key and not the database key.
Option C is incorrect because the master key encrypts the cluster key and not the data encryption keys.
Option D is incorrect because the master key encrypts the cluster key only.
For more information on how keys are used in Redshift, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/services-redshift.html
The correct answer is: The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
Question 365:
You are building a large-scale confidential documentation web server on AWS, and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.
Please select:
A. Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user.
B. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
C. Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.
D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
B. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Explanation/Reference:
If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example, control over the date and time after which a user can no longer access your content and control over which IP addresses can be used to access content. In addition, if users access objects both through CloudFront and directly by using Amazon S3 URLs, CloudFront access logs are less useful because they are incomplete.
Option A is invalid because you need to create an Origin Access Identity for CloudFront and not an IAM user.
Options C and D are invalid because using policies alone will not help fulfil the requirement.
For more information on Origin Access Identity please see the below link: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
The correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Question 366:
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched. What could be causing these terminations?
A. The IAM user launching those instances is missing the ec2:RunInstances permission.
B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions.
C. The instance profile used with the EC2 instances is unable to query instance metadata.
D. AWS currently does not have sufficient capacity in the Region.
B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions.
Question 367:
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.
What should the Security Engineer do to meet these requirements?
A. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
B. Enable AWS Config to check the configuration of each S3 bucket.
C. Set up AWS Systems Manager to monitor S3 bucket policies for public write access.
D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.
C. Set up AWS Systems Manager to monitor S3 bucket policies for public write access.
Question 368:
A security team has received an alert from Amazon GuardDuty that AWS CloudTrail logging has been disabled. The security team's account has AWS Config, Amazon Inspector, Amazon Detective, and AWS Security Hub enabled. The security team wants to identify who disabled CloudTrail and what actions were performed while CloudTrail was disabled.
What should the security team do to obtain this information?
A. Use AWS Config to search for the CLOUD_TRAIL_ENABLED event. Use the configuration recorder to find all activity that occurred when CloudTrail was disabled.
B. Use Amazon Inspector to find the details of the CloudTrailLoggingDisabled event from GuardDuty, including the user name and all activity that occurred when CloudTrail was disabled.
C. Use Detective to find the details of the CloudTrailLoggingDisabled event from GuardDuty, including the user name and all activity that occurred when CloudTrail was disabled.
D. Use GuardDuty to find which user generated the CloudTrailLoggingDisabled event. Use Security Hub to find the trace of activity related to the event.
C. Use Detective to find the details of the CloudTrailLoggingDisabled event from GuardDuty, including the user name and all activity that occurred when CloudTrail was disabled.
Question 369:
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website. What is causing this situation?
A. Application Load Balancers do not support older web browsers.
B. The Perfect Forward Secrecy settings are not configured correctly.
C. The intermediate certificate is installed within the Application Load Balancer.
D. The cipher suites on the Application Load Balancers are blocking connections.
D. The cipher suites on the Application Load Balancers are blocking connections.
Question 370:
A company has an AWS WAF web ACL. According to a new compliance requirement, the company must configure comprehensive logging of all web ACL requests. The company has created an Amazon S3 bucket to store the logs. Which combination of steps should the company take next to meet this requirement? (Choose two.)
A. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis data stream.
B. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
C. Configure log filtering for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
D. Create an Amazon Kinesis data stream in any AWS Region. Specify the S3 bucket as the destination for the data stream.
E. Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream.
B. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
E. Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream.