Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 451:
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
Explanation/Reference:
Question 452:
A company has an IAM group. All of the IAM users in the group have been assigned a multi-factor authentication (MFA) device and have full access to Amazon S3.
The company needs to ensure that users in the group can perform S3 actions only after the users authenticate with MFA. A security engineer must design a solution that accomplishes this goal with the least maintenance overhead.
Which combination of actions will meet these requirements? (Choose two.)
A. Add a customer managed Deny policy to users in the group for s3:* actions.
B. Add a customer managed Deny policy to the group for s3:* actions.
C. Add a customer managed Allow policy to the group for s3:* actions.
D. Add a condition to the policy: "Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : false } }
E. Add a condition to the policy: "Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : false } }
C. Add a customer managed Allow policy to the group for s3:* actions.
E. Add a condition to the policy: "Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : false } }
Question 453:
A global company that deals with international finance is investing heavily in cryptocurrencies and wants to experiment with mining technologies using AWS. The company's security team has enabled Amazon GuardDuty and is concerned by the number of findings being generated by the accounts. The security team wants to minimize the possibility of GuardDuty finding false negatives for compromised instances that are performing mining.
How can the security team continue using GuardDuty while meeting these requirements?
A. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool.B!DNS finding and use the suppress findings option.
B. Create a custom AWS Lambda function to process newly detected GuardDuty alerts. Process the CryptoCurrency:EC2/BitcoinTool.B!DNS alert and filter out the high-severity finding types only.
C. When creating a new Amazon EC2 instance, provide the instance with a specific tag that indicates it is performing mining operations. Create a custom AWS Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag.
D. When GuardDuty produces a cryptocurrency finding, process the finding with a custom AWS Lambda function to extract the instance ID from the finding. Then use the AWS Systems Manager Run Command to check for a running process performing mining operations.
A. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool.B!DNS finding and use the suppress findings option.
Question 454:
A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).
Which solution will meet these requirements?
A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.
B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.
C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.
D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.
A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.
Explanation/Reference:
Question 455:
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
A. On a recurring basis, update IAM user policies to require that EC2 instances are created with an encrypted volume.
B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.
B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
Explanation/Reference:
https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf "For example, AWS Config provides a managed AWS Config Rule to ensure that encryption is turned on for all EBS volumes in your account."
Question 456:
A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)
A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
B. Place the DB instance in a public subnet.
C. Place the DB instance in a private subnet.
D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
F. Deploy the ALB in a private subnet.
A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
C. Place the DB instance in a private subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
Question 457:
A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?
A. Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region.
B. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0/0.
C. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.
D. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups.
C. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.
Explanation/Reference:
The AWS documentation states that you can deploy the Lambda functions inside the VPC and attach a security group to the Lambda functions. You can then provide outbound rule access to the VPC CIDR range only and update the DB instance security group to allow traffic from the Lambda security group. This method is the most secure way to meet the requirements. References: AWS Lambda Developer Guide
Question 458:
A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.
Which combination of steps should a security engineer take before investigating the issue? (Choose three.)
A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
C. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.
A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.
Explanation/Reference:
Question 459:
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).
The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin.
During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.
How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
Explanation/Reference:
Option A, configuring the CloudFront distribution to use the Lambda@Edge feature to impose a rate limit on viewer requests, is a valid solution for DDoS protection, but it may not be the most efficient or effective option in this case. This option requires additional resources and complexity in terms of configuring and managing the Lambda function, and it may not be able to scale to handle a large-scale DDoS attack. Option C, configuring AWS WAF with a rate-based rule that imposes a rate limit, is a more efficient and effective solution as it directly addresses the threat of a layer 7 DDoS attack by limiting the number of requests that can be made to the application.
Option D, configuring the CloudFront distribution to use AWS WAF as its origin, is not a valid solution as it does not address the problem of a DDoS attack.
Question 460:
A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead.
Which solution will meet this requirement?
A. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.
B. Create a table in Amazon Athena for AWS CloudTrail events. Query the table in Amazon Athena for CreateRole events.
C. Use AWS Config to look up the configuration timeline for the additional IAM roles and view the linked AWS CloudTrail event.
D. Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.
A. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.