SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 491:

    An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

    Which solution would remediate the audit finding while minimizing the effort required?

    A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
    B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
    C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers.
    D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.

  • Question 492:

    You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this?

    Please select:

    A. Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
    B. Use the AWS Encryption CLI to encrypt the data first
    C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
    D. Enable client encryption for the bucket

  • Question 493:

    A company uses AWS Organizations. According to compliance requirements, the company's applications that are hosted on Amazon EC2 instances must never use IAM credentials from Instance Metadata Service Version 1 (IMDSv1).

    What should a security engineer do to meet this requirement?

    A. Create a security group that denies access on HTTP to 169.254.169.254. Attach this security group to all EC2 instances.
    B. Deactivate all access to IMDSv1 through the instance metadata options when using the AWS CLI, AWS API, or AWS Management Console to launch an EC2 instance.
    C. Attach the following SCP to the root OU in AWS Organizations: { "Version": "2012-10-17","Statement": [{ "Effect": "Deny","Action": "ec2:RunInstances","Resource": "arn:aws:ec2:*:*:instance/*","Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}}]}
    D. Attach the following SCP to the root OU in AWS Organizations: { "Version": "2012-10-17","Statement": [{ "Effect": "Deny","Action": "*","Resource": "*","Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}}}]}

  • Question 494:

    A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

    1. HTTPS needs to be enforced for all data in transit with specific ciphers.

    2. The CloudFront distribution needs to be accessible from the internet only.

    Which solution will meet these requirements?

    A. Set up an S3 bucket policy with the awssecuretransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
    B. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
    C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
    D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.

  • Question 495:

    A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Create an IAM policy that has an aws:RequestedRegion condition that allows actions only in the designated Region. Attach the policy to all users.
    B. Create an IAM policy that has an aws:RequestedRegion condition that denies actions that are not in the designated Region. Attach the policy to the AWS account in AWS Organizations.
    C. Create an IAM policy that has an aws:RequestedRegion condition that allows the desired actions. Attach the policy only to the users who are in the designated Region.
    D. Create an SCP that has an aws:RequestedRegion condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.

  • Question 496:

    An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

    A. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
    B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
    C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
    D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

  • Question 497:

    A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure that all GuardDuty findings are available in the security account.

    What should the security engineer do to resolve this issue?

    A. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings.
    B. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub.
    C. Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings.
    D. Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.

  • Question 498:

    A systems administrator was attempting to launch a new Amazon EC2 instance with an encrypted boot volume using a new AWS Key Management Service (AWS KMS) customer managed key. The EC2 console initially stated the launch was successful, but the instance was subsequently terminated. The IAM role used by the system administrator has the following IAM permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:Describe*",
            "ec2:Create",
            "ec2:AuthorizeSecurityGroupIngress",
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        }
      ]
    }

    Which IAM permission is the systems administrator missing?

    A. kms:GetKeyRotationStatus
    B. kms:CreateGrant
    C. kms:GenerateRandom
    D. kms:EnableKey

  • Question 499:

    A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.

    Which action should the Security Engineer take to allow communication over the public IP addresses?

    A. Associate the instances to the same security groups.
    B. Add 0.0.0.0/0 to the egress rules of the instance security groups.
    C. Add the instance IDs to the ingress rules of the instance security groups.
    D. Add the public IP addresses to the ingress rules of the instance security groups.

  • Question 500:

    A company has a guideline that mandates the encryption of all Amazon S3 bucket data in transit. A security engineer must implement an S3 bucket policy that denies any S3 operations if data is not encrypted.

    Which S3 bucket policy will meet this requirement?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when hiring. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation or Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.