SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 371:

    An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:

    1. The instance is allowed the kms:Decrypt action in its IAM role for all resources
    2. The AWS KMS CMK status is set to enabled
    3. The instance can communicate with the KMS API using a configured VPC endpoint

    What is causing the issue?

    A. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
    B. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
    C. The kms:Encrypt permission is missing from the EC2 IAM role
    D. The KMS CMK key policy that enables IAM user permissions is missing

  • Question 372:

    A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy"

    What will enable the security engineer to save the change?

    A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console
    B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console
    C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
    D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

  • Question 373:

    A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts. What is a scalable and efficient approach to meet this requirement?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 374:

    An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations.

    Which of the following actions will address this requirement?

    A. Manually rotate a key within KMS to create a new CMK immediately
    B. Use the KMS import key functionality to execute a delete key operation
    C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
    D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

  • Question 375:

    A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.

    The company's Developer Operations department learns about this only after the CMK has been deleted.

    Which steps must be taken to address this situation?

    A. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.
    B. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.
    C. Make a request to AWS Support to recover the S3 encrypted data.
    D. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.

  • Question 376:

    Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for created S3 buckets in the AWS Account?

    Please select:

    A. Use AWS Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
    B. Use AWS Config Rules to check whether logging is enabled for buckets
    C. Use AWS CloudWatch metrics to check whether logging is enabled for buckets
    D. Use AWS CloudWatch logs to check whether logging is enabled for buckets

  • Question 377:

    A company is hosting a set of application, database, and web server instances in the AWS Cloud. Each set of instances has separate security groups. The company has properly defined the network ACLs. The company discovers an issue with the communication between the application and database instances.

    Which set of steps should a security engineer take to troubleshoot the issue?

    A. Check the inbound rules for the database security group. Check the outbound rules for the application security group.
    B. Check the outbound rules for the database security group. Check the inbound rules for the application security group.
    C. Check the inbound rules for the database security group. Check the inbound rules for the application security group.
    D. Check the outbound rules for the database security group. Check the inbound rules and the outbound rules for the application security group.

  • Question 378:

    A security engineer is attempting to assign a virtual multi-factor authentication (MFA) device to an IAM user whose current virtual MFA device is faulty. The security engineer receives an error message that indicates that the security engineer is not authorized to perform iam:DeleteVirtualMFADevice.

    The IAM role that the security engineer is using has the correct permissions to delete, list, and create a virtual MFA device. The IAM user also has permissions to delete their own virtual MFA device, but only if the IAM user is authenticated with MFA.

    What should the security engineer do to resolve this issue?

    A. Modify the policy for the IAM user to allow the IAM user to delete the virtual MFA device without using MFA authentication.
    B. Sign in as the AWS account root user. Modify the MFA device by using the IAM console to generate a new synchronization quick response (QR) code.
    C. Use the AWS CLI or AWS API to find the ARN of the virtual MFA device and to delete the device.
    D. Sign in as the AWS account root user. Delete the virtual MFA device by using the IAM console.

  • Question 379:

    Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved?

    Please select:

    A. Create an IAM policy that allows the key to be accessed by only the S3 service.
    B. Create a bucket policy that allows the key to be accessed by only the S3 service.
    C. Use the kms:ViaService condition in the Key policy
    D. Define an IAM user, allocate the key and then assign the permissions to the required service

  • Question 380:

    An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.

    Which configuration will ensure continued connectivity between sites MOST securely?

    A. VPN and a cached storage gateway
    B. AWS Snowball Edge
    C. VPN Gateway over AWS Direct Connect
    D. AWS Direct Connect
