Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 421:

  Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB.

  Please select:

  A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
  B. Encrypt the DynamoDB table using KMS during its creation
  C. Encrypt the table using AWS KMS after it is created
  D. Use S3 buckets to encrypt the data before sending it to DynamoDB
  B. Encrypt the DynamoDB table using KMS during its creation

  ---

  Explanation/Reference:

  The most easiest option is to enable encryption when the DynamoDB table is created. The AWS Documentation mentions the following Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data. Option A is partially correct, you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table before hand. Option C is invalid because you cannot encrypt the table after it is created Option D is invalid because encryption for S3 buckets is for the objects in S3 only. For more information on securing data at rest for DynamoDB please refer to below URL: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmll The correct answer is: Encrypt the DynamoDB table using KMS during its creation

• Question 422:

  What is the result of the following bucket policy?

  

  Choose the correct answer:

  Please select:

  A. It will allow all access to the bucket mybucket
  B. It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
  C. It will deny all access to the bucket mybucket
  D. None of these
  C. It will deny all access to the bucket mybucket

  ---

  Explanation/Reference:

  The policy consists of 2 statements, one is the allow for the user mark to the bucket and the next is the deny policy for all other users. The deny permission will override the allow and hence all users will not have access to the bucket. Options A,B and D are all invalid because this policy is used to deny all access to the bucket mybucket For examples on S3 bucket policies, please refer to the below Link: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.htmll The correct answer is: It will deny all access to the bucket mybucket

• Question 423:

  Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?

  Please select:

  A. Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
  B. Create a Service Control Policy that denies access to the services. Apply the policy to the root account.
  C. Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.
  D. Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.
  A. Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

  ---

  Explanation/Reference:

  As an administrator of the master account of an organization, you can restrict which AWS services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When AWS Organizations blocks access to a service or API action for a member account a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions. Option B is invalid because service policies cannot be assigned to the root account at the account level. Option C and D are invalid because IAM policies alone at the account level would not be able to suffice the requirement The correct answer is: Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit

• Question 424:

  While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.

  What should the Security Engineer do to provide the highest level of security for the account?

  A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
  B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
  C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
  D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
  D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.

  ---

  Explanation/Reference:

  If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.

• Question 425:

  A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Made generate a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to invoke the functions on a schedule.
  B. Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.
  C. Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.
  D. Host an application on Amazon EC2 to call the GuardDuty, IAM Access Analyzer, and Macie APIs. Within the application, use the Amazon Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topic. Subscribe the desired email addresses to the SNS topic.
  B. Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

  ---

  Explanation/Reference:

  The AWS documentation states that you can create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. You can then configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. You can subscribe the desired email addresses to the SNS topic. This method is the least operational overhead way to meet the requirements. References: AWS Security Hub User Guide

• Question 426:

  A company's security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically.

  Which solution will meet these requirements with the LEAST amount of effort?

  A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  B. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  C. Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  D. Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.
  A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.

  ---

  Explanation/Reference:

• Question 427:

  A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department has a suspicion that a DDos attack is coming from a suspecting IP. How can you protect the subnets from this attack?

  Please select:

  A. Change the Inbound Security Groups to deny access from the suspecting IP
  B. Change the Outbound Security Groups to deny access from the suspecting IP
  C. Change the Inbound NACL to deny access from the suspecting IP
  D. Change the Outbound NACL to deny access from the suspecting IP
  C. Change the Inbound NACL to deny access from the suspecting IP

  ---

  Explanation/Reference:

  Option A and B are invalid because by default the Security Groups already block traffic. You can use NACL's as an additional security layer for the subnet to deny traffic. Option D is invalid since just changing the Inbound Rules is sufficient The AWS Documentation mentions the following A network access control list (ACLJ is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. The correct answer is: Change the Inbound NACL to deny access from the suspecting IP

• Question 428:

  A company uses a third-party identity provider and SAML-based SSO for its AWS accounts After the third-party identity provider renewed an expired signing certificate users saw the following message when trying to log in:

  

  Error: Response Signature Invalid (Service: AWSSecurityTokenService; status Code: 400; Error Code: InvalidIdentityToken)

  A security engineer needs to provide a solution that corrects the error and minimizes operational overhead Which solution meets these requirements?

  A. Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS identity and Access Management (IAM) by using the AWS Management Console
  B. Sign the identity provider's metadata file with the new public key Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
  C. Download the updated SAML metadata tile from the identity service provider Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI
  D. Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.
  B. Sign the identity provider's metadata file with the new public key Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

  ---

  Explanation/Reference:

  Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html

• Question 429:

  Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?

  Please select:

  A. Use the application to rotate the keys in every 2 months via the SDK
  B. Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.
  C. Delete the user associated with the keys after every 2 months. Then recreate the user again.
  D. Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.
  B. Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

  ---

  Explanation/Reference:

  One can use the CLI command list-access-keys to get the access keys. This command also returns the "CreateDate" of the keys. If the CreateDate is older than 2 months, then the keys can be deleted. The Returns list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list Option A is incorrect because you might as use a script for such maintenance activities Option C is incorrect because you would not rotate the users themselves Option D is incorrect because you don't use IAM roles for such a purpose For more information on the CLI command, please refer to the below Link:

  http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html

  The correct answer is: Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

• Question 430:

  A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function. When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an “error loading Log Streams" message appears.

  The IAM policy for the Lambda function's execution role contains the following:

  

  How should the security engineer correct the error?

  A. Move the logs:CreateLogGroup action to the second Allow statement.
  B. Add the logs:PutDestination action to the second Allow statement.
  C. Add the logs:GetLogEvents action to the second Allow statement.
  D. Add the logs:CreateLogStream action to the second Allow statement.
  D. Add the logs:CreateLogStream action to the second Allow statement.

  ---

  Explanation/Reference:

  https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html