Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 501:
A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event. Which solution will meet these requirements?
A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
B. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.
C. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
D. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
Explanation/Reference:
Question 502:
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
Question 503:
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?
Please select:
A. A Bastion host should be on a private subnet and never a public subnet due to security concerns.
B. A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network.
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D. A Bastion host should maintain extremely tight security and monitoring as it is available to the public.
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
Explanation/Reference:
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.
In AWS, a bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. Options A and B are invalid because the bastion host needs to sit on the public network. Option D is invalid because bastion hosts are not used for monitoring.
For more information on bastion hosts, just browse to the below URL:
https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
The correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
Question 504:
A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:
1. A trusted forensic environment must be provisioned
2. Automated response processes must be orchestrated
Which AWS services should be included in the plan? (Select TWO)
A. AWS CloudFormation
B. Amazon GuardDuty
C. Amazon Inspector
D. Amazon Macie
E. AWS Step Functions
Question 505:
You are trying to use the AWS Systems Manager Run Command on a set of instances, but the command is not working on those instances. What can you do to diagnose the issue? Choose 2 answers from the options given.
Please select:
A. Ensure that the SSM agent is running on the target machine
B. Check the /var/log/amazon/ssm/errors.log file
C. Ensure the right AMI is used for the Instance
D. Ensure the security groups allow outbound communication for the instance
A. Ensure that the SSM agent is running on the target machine
B. Check the /var/log/amazon/ssm/errors.log file
Explanation/Reference:
The AWS Documentation mentions the following: If you experience problems executing commands using Run Command, there might be a problem with the SSM Agent. Use the following information to help you troubleshoot the agent.
View Agent Logs
The SSM Agent logs information in the following files. The information in these files can help you troubleshoot problems.
On Windows:
%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
%PROGRAMDATA%\Amazon\SSM\Logs\error.log
The default filename of the seelog is seelog-xml.template. If you modify a seelog, you must rename the file to seelog.xml.
On Linux:
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log
Option C is invalid because the right AMI has nothing to do with the issue. The agent which is used to execute run commands can run on a variety of AMIs. Option D is invalid because security groups do not come into the picture with the communication between the agent and the SSM service.
For more information on troubleshooting AWS SSM, please visit the following URL: https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
The correct answers are: Ensure that the SSM agent is running on the target machine. Check the /var/log/amazon/ssm/errors.log file.
Question 506:
A company's director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices. Which solution would meet these requirements?
A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty's integration with Amazon SNS to report on findings.
C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.
D. Use AWS Artifact's prebuilt reports and subscriptions. Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact for each account.
D. Use AWS Artifact's prebuilt reports and subscriptions. Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact for each account.
Explanation/Reference:
Question 507:
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.
How can a security engineer meet this requirement?
A. Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS).
C. Create an HTTPS listener that uses the Server Order Preference security feature.
D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).
A. Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).
Question 508:
A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.
What immediate action should the security engineer take?
A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.
B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
Question 509:
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
Please select:
A. Use short but complex password on the root account and any administrators.
B. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
C. Use MFA on all users and accounts, especially on the root account.
D. Don't write down or remember the root account password after creating the AWS account.
C. Use MFA on all users and accounts, especially on the root account.
Explanation/Reference:
Multi-factor authentication can add one more layer of security to your AWS account. Even when you go to your Security Credentials dashboard, one of the items is to enable MFA on your root account.
Option A is invalid because you need to have a good password policy. Option B is invalid because there is no IAM Geo-Lock. Option D is invalid because this is not a recommended practice.
For more information on MFA, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
The correct answer is: Use MFA on all users and accounts, especially on the root account.
Question 510:
A company is operating an AWS workload that consists of multiple applications that are deployed on Amazon EC2 instances. Recent changes to a security group caused connectivity issues for some application instances that use the security group. The company now needs all changes to security groups to initiate an alert to a specific company email address.
Which solution will meet this requirement in the MOST operationally efficient manner?
A. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Notification Service (Amazon SNS) topic.
B. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Queue Service (Amazon SQS) queue.
C. Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
D. Implement AWS CloudTrail. Configure forwarding to Amazon S3. Configure an AWS Glue crawler for use with Amazon Athena to query log contents for event patterns that indicate changes to security groups. Publish the query results to an Amazon Simple Queue Service (Amazon SQS) queue.
A. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Notification Service (Amazon SNS) topic.
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.