SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 461:

    A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege. The security engineer plans to audit the IAM permissions once every 365 days. The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions.

    Which solution will meet these requirements?

    A. Use AWS CloudTrail logs to review IAM identity actions and to remove unused permissions.
    B. Use AWS Config to review configuration changes by each IAM identity and to remove unused permissions.
    C. Use AWS Identity and Access Management Access Analyzer to review last accessed information and to remove unused permissions.
    D. Use AWS Trusted Advisor to check the IAM identities that have elevated permissions and to remove unused permissions.
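    The review described in question 461 can be scripted once the last-accessed data is in hand. The block below is an added example, not part of the exam material or of any AWS tool: it consumes data in the shape of the ServicesLastAccessed list that IAM's GetServiceLastAccessedDetails returns, flags every service namespace the identity has not authenticated to within the 365-day window, and produces a copy of the identity's policy with Allow actions for those namespaces removed. All timestamps, namespaces and the policy are constructed sample data; last-accessed data is service-level here, so whole namespaces are removed and Deny statements are left untouched.

```python
"""Least-privilege review from IAM last-accessed data (question 461).

Added example, not part of the exam material. Sample data is constructed.
"""
import copy
from datetime import datetime, timedelta, timezone

REVIEW_WINDOW_DAYS = 365

# Constructed sample in the shape of GetServiceLastAccessedDetails output.
SAMPLE_LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": "2025-11-02T08:15:00Z"},
    {"ServiceNamespace": "ec2", "LastAuthenticated": "2025-12-20T17:40:00Z"},
    {"ServiceNamespace": "iam", "LastAuthenticated": "2024-03-01T09:00:00Z"},
    {"ServiceNamespace": "dynamodb"},   # never authenticated: no LastAuthenticated field
]

# Constructed identity-based policy attached to the identity under review.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:ListRoles", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def parse_ts(ts):
    """IAM reports timestamps as ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unused_services(last_accessed, now, window_days=REVIEW_WINDOW_DAYS):
    """Namespaces with no authentication inside the window (or never at all)."""
    cutoff = now - timedelta(days=window_days)
    unused = set()
    for entry in last_accessed:
        ts = entry.get("LastAuthenticated")
        if ts is None or parse_ts(ts) < cutoff:
            unused.add(entry["ServiceNamespace"].lower())
    return unused


def prune_policy(policy, unused):
    """Copy of the policy with Allow actions for unused namespaces removed."""
    pruned = copy.deepcopy(policy)
    kept = []
    for stmt in pruned["Statement"]:
        if stmt["Effect"] != "Allow":
            kept.append(stmt)           # keep every Deny exactly as it was
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        remaining = [a for a in actions if a.split(":", 1)[0].lower() not in unused]
        if remaining:                   # drop the statement entirely if nothing is left
            stmt["Action"] = remaining
            kept.append(stmt)
    pruned["Statement"] = kept
    return pruned


if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)   # constructed review date
    stale = unused_services(SAMPLE_LAST_ACCESSED, now)
    print("unused in the last %d days: %s" % (REVIEW_WINDOW_DAYS, sorted(stale)))
    print(prune_policy(SAMPLE_POLICY, stale))
```

    Run against the constructed review date the script reports iam and dynamodb as unused, trims the second statement down to ec2:Describe* and drops the dynamodb:* statement entirely. A real review would feed the output of GenerateServiceLastAccessedDetails / GetServiceLastAccessedDetails for each user and role, and where IAM reports action-level data (it does for some services) the pruning can be tightened to individual actions rather than whole namespaces.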

  • Question 462:

    A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)

    A. Ensure CloudTrail log file validation is turned on
    B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
    C. Use an S3 bucket with tight access controls that exists in a separate account
    D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
    E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
    F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

  • Question 463:

    A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed. The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket.

    Which solution meets these requirements with the LEAST amount of operational overhead?

    A. Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
    B. Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
    C. Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
    D. Invite all of the company's AWS accounts into AWS Control Tower. Use AWS Control Tower's automatic protection for the AWS accounts to deny access from external users.

  • Question 464:

    In order to encrypt data in transit for a connection to an Amazon RDS instance, which of the following would you implement?

    Please select:

    A. Transparent data encryption
    B. SSL from your application
    C. Data keys from AWS KMS
    D. Data Keys from CloudHSM

  • Question 465:

    An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization's network and not from outside. How can it achieve this?

    Please select:

    A. Create an IAM policy with the security group and use that security group for AWS console login
    B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
    C. Configure the EC2 instance security group which allows traffic only from the organization's IP range
    D. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console

  • Question 466:

    A company uses AWS Organizations to run workloads in multiple AWS accounts. Currently, the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP). The company does not have any audit trails, and security groups are occasionally open. The company must secure access management and implement a centralized logging solution. Which solution will meet these requirements MOST securely?

    A. Configure trusted access for AWS Systems Manager in Organizations. Configure a bastion host from the management account. Replace SSH and RDP by using Systems Manager Session Manager from the management account. Configure Session Manager logging to Amazon CloudWatch Logs.
    B. Replace SSH and RDP with AWS Systems Manager Session Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudWatch Logs. Create a separate logging account that has appropriate cross-account permissions to audit the log data.
    C. Install a bastion host in the management account. Reconfigure all SSH and RDP to allow access only from the bastion host. Install AWS Systems Manager Agent (SSM Agent) on the bastion host. Attach the AmazonSSMManagedInstanceCore role to the bastion host. Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data.
    D. Replace SSH and RDP with AWS Systems Manager State Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudTrail. Use CloudTrail Insights to analyze the trail data.

  • Question 467:

    A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.

    Which combination of steps should the security engineer take to accomplish this? (Choose two.)

    A. Create an AWS Config rule to detect the creation of encrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
    B. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
    C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
    D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
    E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.

  • Question 468:

    A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.

    Which steps should the security engineer take to meet these requirements?

    A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
    B. Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
    C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation
    D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket

  • Question 469:

    A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket. The log files are encrypted using AWS KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message.

    What should the Security Engineer do to fix this issue?

    A. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.
    B. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
    C. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
    D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK
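    Questions 463, 465 and 469 all turn on how IAM evaluates a policy: an explicit Deny wins, otherwise a matching Allow wins, otherwise the request is implicitly denied. The block below is an added example, not part of the exam material and not AWS code: a deliberately small evaluator that implements just that order plus the condition operators those three questions need (IpAddress/NotIpAddress on aws:SourceIp, StringEquals/StringNotEquals on aws:PrincipalOrgID), and three policies written against it. The organization ID, bucket name, key ARN and CIDR ranges are constructed placeholders. It also simplifies cross-account evaluation by treating all supplied policies as one statement set; real S3 cross-account access additionally needs the caller's identity policy to allow the action.

```python
"""Offline check of the IAM policy patterns behind questions 463, 465 and 469.

Added example, not part of the exam material. Identifiers are constructed.
"""
import fnmatch
import ipaddress

ORG_ID = "o-exampleorg1"                                 # constructed organization ID
BUCKET_ARN = "arn:aws:s3:::example-company-bucket"       # constructed bucket
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
CORP_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]      # TEST-NET ranges stand in for office egress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive=True):
    """IAM-style wildcard match: '*' and '?' only."""
    for pattern in _as_list(patterns):
        p, v = (pattern, value) if case_sensitive else (pattern.lower(), value.lower())
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in wanted     # a missing key satisfies a negated test
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                    for c in wanted)
                ok = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request over the combined statements."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                       # an explicit Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"           # no matching Allow: implicit deny


# Question 463: bucket policy keyed on aws:PrincipalOrgID, so no account list to maintain.
BUCKET_POLICY_ORG_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET_ARN}/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ORG_ID}}},
]}

# Question 465: identity policy that denies everything unless the caller's IP is corporate.
IDENTITY_POLICY_CORP_IP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_CIDRS}}},
]}

# Question 469: the instance profile role needs BOTH the S3 object read and kms:Decrypt on the CMK.
INSTANCE_ROLE_COMPLETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]}
INSTANCE_ROLE_NO_KMS = {"Version": "2012-10-17", "Statement": INSTANCE_ROLE_COMPLETE["Statement"][:1]}


def can_read_encrypted_object(role_policy, key=f"{BUCKET_ARN}/AWSLogs/111122223333/CloudTrail/x.json.gz"):
    """S3 returns AccessDenied for an SSE-KMS object if either the object read or the KMS decrypt is refused."""
    return (evaluate([role_policy], "s3:GetObject", key, {}) == "Allow"
            and evaluate([role_policy], "kms:Decrypt", KEY_ARN, {}) == "Allow")
```

    Two points the evaluator makes visible. For question 463, a caller with no aws:PrincipalOrgID at all (a principal outside any organization) still hits the StringNotEquals Deny, because negated operators match when the key is absent. For question 465, note that aws:SourceIp reflects the caller's public IP; requests made on the principal's behalf by an AWS service carry no usable source IP, so in production the Deny is usually paired with a Bool condition on aws:ViaAWSService to avoid breaking those calls.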

  • Question 470:

    A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.

    Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

    A. Ensure that the log file integrity validation mechanism is enabled.
    B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
    C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
    D. Ensure that only Systems Administrators and Developers with job-related need-to-know requirements are capable of viewing, but not modifying, the log files.
    E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
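    Both question 462 and question 470 list CloudTrail log file validation as a tamper control. What that feature delivers is an hourly digest file that records the SHA-256 hash of every log file it covers and the SHA-256 hash of the previous digest, so a modified or deleted log file, or an edited digest, breaks the chain. The block below is an added example, not part of the exam material and not the `aws cloudtrail validate-logs` implementation: it rebuilds such a chain over constructed log objects and reports exactly where it breaks. It checks only the hashes; the RSA signature CloudTrail attaches to each digest (verified against the public keys from ListPublicKeys) is out of scope here. Object keys and events are constructed, and the digests are kept as plain JSON rather than gzipped as they are in S3.

```python
"""Hash-chain check of CloudTrail digest files (questions 462 and 470).

Added example, not part of the exam material. Keys and events are constructed.
"""
import gzip
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_log_object(records):
    """Log files are delivered gzipped; the digest hashes cover the uncompressed JSON."""
    plain = json.dumps({"Records": records}).encode()
    return plain, gzip.compress(plain)


# Constructed events for two delivery hours, not real CloudTrail output.
SAMPLE_HOURS = [
    ("AWSLogs/111122223333/CloudTrail/us-east-1/2026/01/15/T00.json.gz",
     [{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}}]),
    ("AWSLogs/111122223333/CloudTrail/us-east-1/2026/01/15/T01.json.gz",
     [{"eventName": "StopLogging", "userIdentity": {"userName": "mallory"}}]),
]


def build_sample():
    """Return (digests oldest-first as (key, bytes), dict of stored log objects)."""
    objects, digests, prev_key, prev_raw = {}, [], None, None
    for i, (log_key, records) in enumerate(SAMPLE_HOURS):
        plain, stored = make_log_object(records)
        objects[log_key] = stored
        digest = {
            "digestS3Object": f"AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2026/01/15/T0{i}.json",
            "previousDigestS3Object": prev_key,
            "previousDigestHashAlgorithm": "SHA-256",
            "previousDigestHashValue": sha256_hex(prev_raw) if prev_raw is not None else None,
            "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(plain)}],
        }
        raw = json.dumps(digest).encode()
        digests.append((digest["digestS3Object"], raw))
        prev_key, prev_raw = digest["digestS3Object"], raw
    return digests, objects


def verify_digest_chain(digests, objects):
    """Return a list of problems; an empty list means every hash and back-link checked out."""
    problems = []
    prev_key, prev_raw = None, None
    for key, raw in digests:
        digest = json.loads(raw)
        if prev_raw is not None:
            if digest.get("previousDigestS3Object") != prev_key:
                problems.append(f"{key}: chain points at {digest.get('previousDigestS3Object')!r}, expected {prev_key!r}")
            if digest.get("previousDigestHashValue") != sha256_hex(prev_raw):
                problems.append(f"{key}: previous digest hash mismatch (earlier digest modified or replaced)")
        for entry in digest["logFiles"]:
            stored = objects.get(entry["s3Object"])
            if stored is None:
                problems.append(f"{key}: log file {entry['s3Object']} is missing")
            elif sha256_hex(gzip.decompress(stored)) != entry["hashValue"]:
                problems.append(f"{key}: content hash mismatch for {entry['s3Object']}")
        prev_key, prev_raw = key, raw
    return problems


def tampered_log_sample():
    """Attacker rewrites the second hour's log to hide the StopLogging call."""
    digests, objects = build_sample()
    _, objects[SAMPLE_HOURS[1][0]] = make_log_object([])
    return digests, objects


def tampered_digest_sample():
    """Attacker edits the first digest; the second digest's back-link no longer matches."""
    digests, objects = build_sample()
    key, raw = digests[0]
    digests[0] = (key, raw + b"\n")     # any byte change breaks the link
    return digests, objects


if __name__ == "__main__":
    print("clean:", verify_digest_chain(*build_sample()))
    print("log tampered:", verify_digest_chain(*tampered_log_sample()))
    print("digest tampered:", verify_digest_chain(*tampered_digest_sample()))
```

    This is why option A in both questions is a control against tampering rather than against disclosure: an attacker who can rewrite log objects in the bucket still cannot produce a consistent digest chain without CloudTrail's signing key, which is also why the digests and logs belong in a tightly controlled bucket, ideally in a separate account (question 462, option C).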

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for an exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.