Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 441:

  A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work.

  Which solution will meet these requirements?

  A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.
  B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
  C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
  D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
  A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.

  ---

  Explanation/Reference:

• Question 442:

  A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or

  deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest.

  A security engineer creates a new S3 bucket to store the documents.

  What should the security engineer do next to meet these requirements?

  A. Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.
  B. Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.
  C. Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.
  D. Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.
  B. Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

• Question 443:

  A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

  What should the security engineer do to resolve this error?

  A. Replace the KSK with a zone-signing key (ZSK).
  B. Deactivate and then activate the KSK.
  C. Create a Delegation Signer (DS) record in the parent hosted zone.
  D. Create a Delegation Signer (DS) record in the subdomain.
  D. Create a Delegation Signer (DS) record in the subdomain.

  ---

  Explanation/Reference:

• Question 444:

  A company has two web applications that run on Amazon EC2 and Amazon S3. The applications failed an HTTP security audit, and users are reporting latency issues.

  The applications need to deliver web content at low latencies while improving security and privacy for users and content providers. The company must implement a solution that does not require changes to the application code.

  Which combination of actions should the company take to meet these requirements? (Choose two.)

  A. Deploy Amazon API Gateway. Cache the endpoint's responses.
  B. Configure Amazon API Gateway with a request parameter-based AWS Lambda authorizer to add HTTP security headers on origin responses.
  C. Write a Lambda@Edge function to add HTTP security headers on origin responses.
  D. Configure Amazon CloudFront. Create a distribution for the EC2 and S3 origins.
  E. Implement an Application Load Balancer (ALB) to honor the connection header from the incoming client request after forwarding the response back to the client.
  D. Configure Amazon CloudFront. Create a distribution for the EC2 and S3 origins.
  E. Implement an Application Load Balancer (ALB) to honor the connection header from the incoming client request after forwarding the response back to the client.

  ---

  Explanation/Reference:

• Question 445:

  An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box. Which of the following actions would resolve this issue?

  A. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
  B. In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
  C. In SNS, ensure that the subscription used by these alerts has not been deleted.
  D. In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.
  C. In SNS, ensure that the subscription used by these alerts has not been deleted.

• Question 446:

  You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this.

  Please select:

  A. Use S3 SSE and use SSL for data in transit
  B. SSL termination on the ELB
  C. Enabling Proxy Protocol
  D. Enabling sticky sessions on your load balancer
  A. Use S3 SSE and use SSL for data in transit

  ---

  Explanation/Reference:

  By disabling SSL termination, you are leaving an unsecure connection from the ELB to the back end instances. Hence this means that part of the data transit is not being encrypted. Option B is incorrect because this would not guarantee complete encryption of data in transit Option C and D are incorrect because these would not guarantee encryption For more information on SSL Listeners for your load balancer, please visit the below URL: http://docs.aws.amazon.com/elasticloadbalancine/latest/classic/elb-https-load- balancers.html The correct answer is: Use S3 SSE and use SSL for data in transit

• Question 447:

  A company's policies require that code be validated to ensure that the code has not been altered before invocation. A security engineer needs to update code in an AWS Lambda function. The developer has finalized the code and has stored the code in an Amazon S3 bucket.

  Which combination of steps should the security engineer take to meet these requirements? (Choose two.)

  A. Deploy the new code in a zip file to the S3 bucket.
  B. Invoke a signing job by using AWS Signer. Deploy the new signed code to the Lambda function.
  C. Use AWS Key Management Service (AWS KMS) to encrypt the code.
  D. Analyze the code with Amazon CodeGuru.
  E. Store all passwords in AWS Secrets Manager.
  A. Deploy the new code in a zip file to the S3 bucket.
  E. Store all passwords in AWS Secrets Manager.

  ---

  Explanation/Reference:

• Question 448:

  An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below

  Please select:

  A. Add the EC2 instance role as a trusted service to the SSM service role.
  B. Add permission to use the KMS key to decrypt to the SSM service role.
  C. Add permission to read the SSM parameter to the EC2 instance role. .
  D. Add permission to use the KMS key to decrypt to the EC2 instance role
  E. Add the SSM service role as a trusted service to the EC2 instance role.
  C. Add permission to read the SSM parameter to the EC2 instance role. .
  D. Add permission to use the KMS key to decrypt to the EC2 instance role

  ---

  Explanation/Reference:

  The below example policy from the AWS Documentation is required to be given to the EC2 Instance in order to read a secure string from AWS KMS. Permissions need to be given to the Get Parameter API and the KMS API call to decrypt the secret.

  

  Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM Option B is invalid because the KMS key does not need to decrypt the SSM service role. Option E is invalid because this configuration is valid For more information on the parameter store, please visit the below URL: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.htmll The correct answers are: Add permission to read the SSM parameter to the EC2 instance role., Add permission to use the KMS key to decrypt to the EC2 instance role

• Question 449:

  A company wants to use Cloudtrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below

  Please select:

  A. Create one Cloudtrail log group for data events
  B. Create one trail that logs data events to an S3 bucket
  C. Create another trail that logs management events to another S3 bucket
  D. Create another Cloudtrail log group for management events
  B. Create one trail that logs data events to an S3 bucket
  C. Create another trail that logs management events to another S3 bucket

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following You can configure multiple trails differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events, so that all read-only events are delivered to one S3 bucket. Another trail can log only write-only data and management events, so that all write-only events are delivered to a separate S3 bucket Options A and D are invalid because you have to create a trail and not a log group For more information on managing events with cloudtrail, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/loHEing-manasement-and- data-events-with-cloudtrai The correct answers are: Create one trail that logs data events to an S3 bucket. Create another trail that logs management events to another S3 bucket

• Question 450:

  A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies The Security Engineer needs to implement the following host-based security measures for these instances:

  1.

  Block traffic from documented known bad IP addresses

  2.

  Detect known software vulnerabilities and CIS Benchmarks compliance.

  Which solution addresses these requirements?

  A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance
  B. Launch the EC2 instances with an IAM role attached Include a user data script that uses the AWS CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance
  C. Launch the EC2 instances with an IAM role attached Include a user data script that uses the AWS CLl to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance
  D. Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
  D. Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

  ---

  Explanation/Reference: