Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 521:
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
B. Implement a rate-based rule with AWS WAF.
C. Use AWS Shield to limit the originating traffic hit rate.
D. Implement the GeoLocation feature in Amazon Route 53.
B. Implement a rate-based rule with AWS WAF.
Explanation/Reference:
A rate-based rule in AWS WAF counts requests per source IP over a sliding time window and applies its action (block, CAPTCHA, challenge or count) only while that client is above the limit, so the address is throttled rather than permanently blocked; the web ACL attaches directly to the Application Load Balancer. ALB listener rules can route or return a fixed response but have no rate-limiting capability (A). AWS Shield provides DDoS mitigation, not a per-IP request limit (C). Route 53 geolocation routing picks a DNS answer by the resolver's location and does nothing about request volume (D).
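The detection step in this question, finding the client whose request rate stands out in the ALB access logs, as an added Python example that is not part of the original page or of any AWS tool. The log lines are constructed inline in the documented ALB access-log field order; the 5-minute window and the limit of 10 mirror how a WAF rate-based rule counts per source IP, and both numbers are assumptions.

```python
"""Spot high-rate client IPs in ALB access logs.

Added example for this page, not AWS code. It counts requests per source IP
over a sliding window, the same idea AWS WAF applies in a rate-based rule.
The log lines are constructed below; only two ALB access-log fields are read:
field 1 (timestamp) and field 3 (client:port).
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed start time


def make_line(ts, client_ip, path):
    """Build one constructed ALB access-log line in the documented field order."""
    return (f'https {ts.strftime("%Y-%m-%dT%H:%M:%S.%f")}Z app/my-alb/50dc6c495c0c9188 '
            f'{client_ip}:43210 10.0.1.25:80 0.001 0.004 0.000 200 200 0 512 '
            f'"GET https://www.example.com:443{path} HTTP/1.1" "curl/8.0.0" '
            'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')


def constructed_log():
    """Constructed sample: one burst, one slow-and-steady client, one normal client."""
    lines = [make_line(BASE + timedelta(seconds=5 * i), "192.0.2.10", "/login") for i in range(12)]
    lines += [make_line(BASE + timedelta(minutes=2 * i), "198.51.100.7", "/") for i in range(11)]
    lines += [make_line(BASE + timedelta(minutes=1), "203.0.113.5", "/health"),
              make_line(BASE + timedelta(minutes=9), "203.0.113.5", "/health")]
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, client_ip) for one ALB access-log line (IPv4 clients)."""
    fields = shlex.split(line)  # keeps the quoted "request" and "user_agent" fields whole
    ts = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    client_ip = fields[3].rsplit(":", 1)[0]  # drop the ephemeral source port
    return ts, client_ip


def peak_rate(timestamps, window_seconds=300):
    """Largest number of requests that fall inside any window of `window_seconds`."""
    times = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def peak_rates(log_text, window_seconds=300):
    """Peak per-window request count for every client IP in the log."""
    per_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip = parse_line(line)
        per_ip[ip].append(ts)
    return {ip: peak_rate(ts_list, window_seconds) for ip, ts_list in per_ip.items()}


def rate_offenders(log_text, limit, window_seconds=300):
    """IPs whose peak count exceeds `limit`: candidates for a WAF rate-based rule."""
    return {ip: n for ip, n in peak_rates(log_text, window_seconds).items() if n > limit}


if __name__ == "__main__":
    for ip, n in sorted(rate_offenders(constructed_log(), limit=10).items()):
        print(f"{ip}: {n} requests in a 5-minute window")
```

The slow client sends more requests in total than the burst client but never more than three in any five-minute window, which is why a rate-based rule, rather than a plain request count, is the right tool.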
Question 522:
A company has a security team that manages its AWS Key Management Service (AWS KMS) CMKs. Members of the security team must be the only ones to administer the CMKs. The company's application team has a software process that needs temporary access to the CMKs occasionally. The security team must provide the application team's software process access to the CMKs.
Which solution meets these requirements with the LEAST overhead?
A. Export the CMK key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
B. Edit the key policy that grants the security team access to the CMKs by adding the application team as principals. Revert this change when the application team no longer needs access.
C. Create a key grant to allow the application team to use the CMKs. Revoke the grant when the application team no longer needs access.
D. Create a new CMK by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the CMK.
C. Create a key grant to allow the application team to use the CMKs. Revoke the grant when the application team no longer needs access.
Explanation/Reference:
A grant is the KMS mechanism for delegating use of a key (for example kms:Encrypt, kms:Decrypt or kms:GenerateDataKey) to a principal without editing the key policy: the security team keeps exclusive administrative control, the grant can be constrained to an encryption context, and it is removed with RetireGrant or RevokeGrant when no longer needed (C). Editing the key policy (B) works but changes the document that defines who administers the key, and must be changed again afterwards. KMS never exports the key material of a KMS-generated key, and an HSM would hand the application team the raw key (A). Importing key material on demand (D) is operationally heavy and still needs a permission grant on top.
Question 523:
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table:
Which of the following has been taken care of from a security perspective by the above command?
Please select:
A. Since the ID is hashed, it ensures security of the underlying table.
B. The above command ensures data encryption at rest for the Customer table.
C. The above command ensures data encryption in transit for the Customer table.
D. The right throughput has been specified from a security perspective.
B. The above command ensures data encryption at rest for the Customer table
Explanation/Reference:
The "--sse-specification Enabled=true" parameter of create-table turns on server-side encryption at rest for the table with a KMS key. Every DynamoDB table is encrypted at rest in any case; Enabled=true with the default SSEType=KMS selects the AWS managed key (aws/dynamodb) instead of the AWS owned key, and KMSMasterKeyId can name a customer managed key. Option A is wrong because KeyType=HASH in a key schema names the partition key and has nothing to do with hashing data for security. Option C is wrong because encryption in transit comes from DynamoDB's TLS endpoints, not from any create-table parameter. Option D is wrong because provisioned throughput is a capacity setting, not a security control. For more information on DynamoDB encryption, see https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
The correct answer is: The above command ensures data encryption at rest for the Customer table.
Question 524:
A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?
Please select:
A. Access the S3 bucket through a proxy server.
B. Access the S3 bucket through a NAT gateway.
C. Access the S3 bucket through a VPC endpoint for S3.
D. Access the S3 bucket through the SSL protected S3 endpoint.
C. Access the S3 bucket through a VPC endpoint for S3
Explanation/Reference:
The AWS documentation mentions the following: A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
For S3 this is usually a gateway endpoint: a route for the S3 prefix list is added to the private subnets' route tables and the instances keep using the normal S3 hostnames. Option A is wrong because a proxy still has to reach S3 over some path, and from a private subnet that path is the internet. Options B and D are wrong because a NAT gateway exits through an internet gateway, and TLS protects confidentiality but does not change the fact that the traffic traverses the public internet. To enforce the requirement rather than merely enable it, add a bucket-policy condition on aws:sourceVpce so that requests arriving by any other path are denied. For more information on VPC endpoints, see https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
The correct answer is: Access the S3 bucket through a VPC endpoint for S3.
Question 525:
A company uses AWS Organizations to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.
Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?
A. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
B. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
C. Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.
D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.
Explanation/Reference:
The finance users exist in FinanceDept and the billing data lives in MasterPayer, so the least-privilege design is a role in MasterPayer whose trust policy names the FinanceDept account and whose permissions policy grants only aws-portal:ViewBilling; FinanceDept then grants its finance group sts:AssumeRole on that role (D). Option C has the trust direction backwards: a role in FinanceDept cannot see MasterPayer's billing data. Options A and B use the AWS managed ReadOnlyAccess policy, which grants read access to far more than billing, and A never reaches the MasterPayer account at all. Enabling IAM user and role access to billing in MasterPayer (already done here) is a prerequisite; without it only the root user can see the billing console.
Question 526:
A security engineer needs to create an Amazon S3 bucket policy that restricts access to specific IP address ranges. The policy must allow only IP addresses in the range 10.24.34.0/23 to access the S3 bucket DOC-EXAMPLE-BUCKET and its objects. The policy must deny access to DOC-EXAMPLE-BUCKET from other IP address ranges.
IAM policies will control the actions that principals can take in the S3 bucket.
Which policy meets these requirements?
A.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [{
    "Sid": "Access to specify VPC CIDR only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"NotIpAddress": {"aws:VpcSourceIp": "10.24.34.0/23"}}
  }]
}
B.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [{
    "Sid": "Access to specify VPC CIDR only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"NotIpAddress": {"aws:VpcSourceIp": "10.24.34.0/23"}}
  }]
}
C.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [{
    "Sid": "Access-to-specify-VPC-CIDR-only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"IpAddress": {"aws:VpcSourceIp": "10.24.34.0/23"}}
  }]
}
D.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [{
    "Sid": "Access-to-specify-VPC-CIDR-only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"IpAddress": {"aws:VpcSourceIp": "10.24.34.0/23"}}
  }]
}
B.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [{
    "Sid": "Access to specify VPC CIDR only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"NotIpAddress": {"aws:VpcSourceIp": "10.24.34.0/23"}}
  }]
}
Explanation/Reference:
The requirement is "deny everything that is not from 10.24.34.0/23" while IAM policies grant the actual permissions, so the bucket policy should be a Deny with a NotIpAddress condition (B). Option C denies exactly the range that should be allowed, and option D only allows the range without denying the rest, while also granting s3:* to every principal from that range. Option A allows everything outside the range. Two caveats for practice: aws:VpcSourceIp is only present on requests that arrive through a VPC endpoint, so use aws:SourceIp for requests from the internet; and because a negated operator such as NotIpAddress matches when its key is absent, this Deny also hits requests arriving by any other path, including your own administrators and deployment tooling, unless they are excluded.
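To check which option actually denies what, here is an added Python example (not from the page, and not AWS code) that evaluates a bucket policy's Condition block against a request context. It covers this question's options B and C and, for Q524 above, a constructed policy that denies any request not arriving through a given VPC endpoint; the endpoint ID vpce-0a1b2c3d4e5f67890 is a placeholder. Only the operators these policies use are modelled, and Principal, Action and Resource are assumed to match already.

```python
"""Evaluate the Condition block of an S3 bucket policy against a request.

Added example for this page, not AWS code. It models only what these two
questions need: Effect Allow/Deny, the IpAddress, NotIpAddress, StringEquals
and StringNotEquals operators, and IAM's rule that a negated operator matches
when its key is absent from the request context. Principal, Action and
Resource are assumed to match already (the question leaves those to IAM
policies). vpce-0a1b2c3d4e5f67890 is a placeholder endpoint ID.
"""
import ipaddress

BUCKET = ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]


def _policy(effect, operator, key, value, sid):
    """One-statement bucket policy in the shape the question's options use."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": effect, "Principal": "*", "Action": "s3:*",
                           "Resource": BUCKET, "Condition": {operator: {key: value}}}]}


OPTION_B = _policy("Deny", "NotIpAddress", "aws:VpcSourceIp", "10.24.34.0/23", "DenyOutsideRange")
OPTION_C = _policy("Deny", "IpAddress", "aws:VpcSourceIp", "10.24.34.0/23", "DenyInsideRange")
DENY_UNLESS_VPCE = _policy("Deny", "StringNotEquals", "aws:sourceVpce",
                           "vpce-0a1b2c3d4e5f67890", "DenyOutsideEndpoint")

NEGATED = {"NotIpAddress", "StringNotEquals"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _clause_matches(operator, key, policy_values, context):
    """One (operator, key) clause; `key` and `context` keys are already lower-cased."""
    if key not in context:
        return operator in NEGATED  # positive operators fail on a missing key, negated ones succeed
    actual = context[key]
    values = _as_list(policy_values)
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    elif operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values
    else:
        raise ValueError(f"operator {operator} is not modelled in this example")
    return (not hit) if operator in NEGATED else hit


def evaluate(policy, context):
    """'Deny' if any Deny statement matches, else 'Allow' if an Allow matches, else 'NoMatch'.

    'NoMatch' means the bucket policy is silent and the caller's IAM policy decides.
    Condition keys are case-insensitive in IAM, hence the lower-casing."""
    ctx = {k.lower(): v for k, v in context.items()}
    result = "NoMatch"
    for stmt in policy["Statement"]:
        clauses = [(op, key.lower(), vals)
                   for op, block in stmt.get("Condition", {}).items() for key, vals in block.items()]
        if all(_clause_matches(op, key, vals, ctx) for op, key, vals in clauses):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            result = "Allow"
    return result


if __name__ == "__main__":
    for name, pol in (("B", OPTION_B), ("C", OPTION_C)):
        for ctx in ({"aws:VpcSourceIp": "10.24.35.7"}, {"aws:VpcSourceIp": "192.0.2.4"}, {}):
            print(f"option {name} {ctx or '(no VPC source IP)'}: {evaluate(pol, ctx)}")
    print("via endpoint:", evaluate(DENY_UNLESS_VPCE, {"aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"}))
    print("any other path:", evaluate(DENY_UNLESS_VPCE, {}))
```

Option B leaves requests from 10.24.35.7 to the IAM policy and denies both an address outside the range and a request with no VPC source IP at all; option C denies the very range that should be allowed. The endpoint policy behaves the same way: anything not carrying the expected aws:sourceVpce is denied.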
Question 527:
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.
The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.
Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)
A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.
A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
Explanation/Reference:
SSM Agent initiates outbound HTTPS connections to the ssm, ssmmessages and ec2messages service endpoints. With no internet gateway, those must be interface endpoints inside the VPC with private DNS enabled (D), reachable because the instance's security group allows egress on 443 (A) and the endpoint's security group allows ingress on 443 from the VPC (E). Inbound rules on the instance (B) are irrelevant: security groups are stateful and nothing connects in to the agent. A key pair (C) cannot be attached to a running instance and is not what Session Manager uses; getting one onto the instance would mean stopping and modifying it, which disturbs the evidence. F is not a real endpoint type. None of A, D or E touches the instance's disk or memory, which is what keeps the forensic data intact.
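Why A and E are needed and B is not, as an added Python example that is not from the page or from AWS: it models the stateful security-group check for the agent's outbound tcp/443 connection to the Systems Manager interface endpoints and walks the question's starting state through options B, A and E. Group IDs, addresses and the VPC CIDR are made up.

```python
"""Check whether the SSM Agent on an instance can reach the Systems Manager
VPC interface endpoints, given the security groups involved.

Added example for this page, not AWS code. Security groups are stateful and
the agent initiates the connection, so two rules matter: the instance group's
egress to the endpoint ENI on tcp/443 and the endpoint group's ingress from
the instance on tcp/443. Inbound rules on the instance are never consulted.
Group IDs, addresses and the VPC CIDR below are made up.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
INSTANCE_IP = "10.0.1.25"       # forensic target (made up)
ENDPOINT_ENI_IP = "10.0.2.200"  # ENI of the interface endpoints (made up)
PORT = 443


def required_endpoints(region):
    """Interface endpoints Session Manager needs in a VPC with no internet path."""
    return [f"com.amazonaws.{region}.{svc}" for svc in ("ssm", "ssmmessages", "ec2messages")]


def rule_allows(rule, peer_ip, peer_sg, port):
    """A rule is {'protocol', 'from_port', 'to_port'} plus either 'cidr' or 'sg' (group reference)."""
    if rule["protocol"] not in ("tcp", "-1"):
        return False
    if rule["protocol"] == "tcp" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    if "cidr" in rule:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"])
    return rule.get("sg") == peer_sg


def blockers(instance_sg, endpoint_sg, instance_ip=INSTANCE_IP, endpoint_ip=ENDPOINT_ENI_IP):
    """List what still stops the agent's outbound tcp/443 connection to the endpoint."""
    problems = []
    if not any(rule_allows(r, endpoint_ip, endpoint_sg["id"], PORT) for r in instance_sg["egress"]):
        problems.append("instance SG: no egress tcp/443 to the endpoint")
    if not any(rule_allows(r, instance_ip, instance_sg["id"], PORT) for r in endpoint_sg["ingress"]):
        problems.append("endpoint SG: no ingress tcp/443 from the instance")
    return problems


def session_manager_reachable(instance_sg, endpoint_sg, **kw):
    return not blockers(instance_sg, endpoint_sg, **kw)


def scenario():
    """Walk the question's starting state through options B, A and E."""
    instance_sg = {"id": "sg-instance", "ingress": [], "egress": []}  # the question's empty group
    endpoint_sg = {"id": "sg-vpce", "ingress": [], "egress": []}
    steps = {"start": blockers(instance_sg, endpoint_sg)}
    # Option B: inbound 443 on the instance. Irrelevant: the agent dials out, nothing dials in.
    instance_sg["ingress"].append({"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": VPC_CIDR})
    steps["after B"] = blockers(instance_sg, endpoint_sg)
    # Option A: outbound 443 from the instance. 0.0.0.0/0 is what the option says;
    # referencing the endpoint group ({"sg": "sg-vpce"}) would be tighter.
    instance_sg["egress"].append({"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"})
    steps["after A"] = blockers(instance_sg, endpoint_sg)
    # Option E: the endpoint's group admits 443 from the VPC CIDR.
    endpoint_sg["ingress"].append({"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": VPC_CIDR})
    steps["after E"] = blockers(instance_sg, endpoint_sg)
    return steps


if __name__ == "__main__":
    for step, problems in scenario().items():
        print(f"{step:8s}: {problems or 'reachable'}")
    print(required_endpoints("us-east-1"))
```

All three changes are made on the control plane (security groups and endpoints), so the instance itself, its volumes and its memory are untouched while access is restored.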
Question 528:
A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account.
What is the MOST secure way to provide this access?
A. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
B. Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
C. Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
D. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
D. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
Explanation/Reference:
The role must live in the account that owns the resources (production) with a trust policy naming the developer account; developers then assume it and receive temporary STS credentials, every API call is logged under the assumed-role session, and no long-lived credential leaves the production account (D). Option B puts the role in the wrong account, where it cannot reach production resources. Options A and C rely on a shared IAM user and its password or access keys, which destroys accountability and cannot be revoked for one person without rotating it for everyone.
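The cross-account pattern in this question and in Q525 above, as an added Python example that is not part of the page and calls no AWS API: it builds the trust policy for the role in the target account, the minimal permissions policy, and the AssumeRole permission for the source account, then checks from the documents alone who can assume the role. Account IDs, the role name and the MFA requirement are assumptions.

```python
"""Cross-account role pattern: the role lives in the account that owns the
resources; the other account is trusted to assume it.

Added example for this page, not AWS code. Account IDs and the role name are
made up; aws-portal:ViewBilling is the action the question names. Nothing here
calls AWS: the functions build the documents you would pass to
`aws iam create-role --assume-role-policy-document` and
`aws iam put-role-policy --policy-document`, then answer "who can assume this
role?" from the documents alone.
"""
import re

MASTER_PAYER = "111111111111"  # target account, owns the billing data (made-up ID)
FINANCE_DEPT = "222222222222"  # source account, home of the finance users (made-up ID)
ROLE_NAME = "FinanceBillingReadOnly"

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def trust_policy(source_account, require_mfa=True):
    """Trust policy for the role in the TARGET account.

    Trusting the source account's root delegates *which* users may assume the role
    to that account's own IAM policies (see assume_role_policy), as option D describes.
    The MFA condition is an added hardening assumption, not part of the question."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def billing_read_policy():
    """Permissions policy for the role: read billing and nothing else."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "aws-portal:ViewBilling", "Resource": "*"}]}


def assume_role_policy(target_account, role_name):
    """Identity policy for the finance group in the SOURCE account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": f"arn:aws:iam::{target_account}:role/{role_name}"}]}


def _principal_accounts(principal):
    """Account IDs named by a Principal element; '*' means any AWS principal."""
    if principal == "*":
        return {"*"}
    found = set()
    for p in _as_list(principal.get("AWS", [])):
        m = _ARN_ACCOUNT.match(p)
        if p == "*":
            found.add("*")
        elif p.isdigit():
            found.add(p)  # bare account ID form
        elif m:
            found.add(m.group(1))
    return found


def can_assume(trust, caller_arn, mfa=False):
    """Does the trust policy admit this caller? (Its own account must also grant it
    sts:AssumeRole on the role; that half is assume_role_policy.)"""
    m = _ARN_ACCOUNT.match(caller_arn)
    caller_account = m.group(1) if m else None
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not _principal_accounts(stmt["Principal"]) & {caller_account, "*"}:
            continue
        needs_mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if needs_mfa and not mfa:
            continue
        return True
    return False


def findings(trust, permissions):
    """Least-privilege review of the two documents before the role is created."""
    out = []
    for stmt in trust["Statement"]:
        if "*" in _principal_accounts(stmt["Principal"]):
            out.append("trust policy admits any AWS principal")
        if "Condition" not in stmt:
            out.append("trust policy does not require MFA")
    for stmt in permissions["Statement"]:
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            out.append(f"permissions policy grants wildcard action {stmt['Action']}")
    return out
```

Three documents, three homes: the trust policy and the permissions policy go on the role in MasterPayer (or production), and the AssumeRole policy goes on the group in FinanceDept (or the developer account). Attaching ReadOnlyAccess instead of billing_read_policy would show up immediately in findings as a wildcard grant.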
Question 529:
A company is using HTTPS for all its public endpoints. A third-party certificate authority (CA) issues the certificates. The company imports the certificates and attaches the certificates to an Elastic Load Balancer or an Amazon CloudFront distribution. The company also is using a third-party DNS hosting provider.
The certificates are near expiration. The company wants to migrate to AWS Certificate Manager (ACM) with automatic renewal. When the company adds the CNAME record during DNS validation, the certificate status changes to Failed.
What is the root cause of this issue?
A. DNS validation requires the domain to be hosted on Amazon Route 53.
B. Automatic renewal for domain validation requires the domain to be hosted on Amazon Route 53.
C. The domain has Certification Authority Authorization (CAA) DNS records that allow only specific certificate authorities.
D. DNS validation requires a TXT record instead of a CNAME record.
C. The domain has Certification Authority Authorization (CAA) DNS records that allow only specific certificate authorities.
Explanation/Reference:
ACM's DNS validation uses a CNAME record, not TXT (D is wrong), and it works with any DNS provider, as does automatic renewal for as long as the CNAME stays in place (A and B are wrong). A request that fails right after the CNAME is added points to CAA: before issuing, ACM's CA checks the domain's CAA records, and if they name only the previous third-party CA, issuance is refused and the certificate goes to Failed. Add CAA records that permit amazon.com, amazontrust.com, awstrust.com or amazonaws.com (or remove the CAA records) and request the certificate again.
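An added Python example, not from the page or from ACM, that applies the CAA lookup rules of RFC 8659 to a constructed set of DNS records and reports whether ACM's CA would be allowed to issue for a name. The zone data, names and the wildcard case are constructed for illustration; the four issuer domains are the ones ACM documents as acceptable in a CAA record.

```python
"""Decide whether CAA records let ACM's CA issue for a name.

Added example for this page, not AWS or ACM code. It implements the RFC 8659
lookup rule (climb from the name toward the root; the closest ancestor with
CAA records is the relevant set), the issue/issuewild precedence and the
critical-flag rule. ZONE is constructed data, not a live DNS lookup.
"""
ACM_ISSUERS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed zone data: owner name -> CAA records (flags, tag, value).
ZONE = {
    "example.com": [
        {"flags": 0, "tag": "issue", "value": "letsencrypt.org"},  # the previous third-party CA
        {"flags": 0, "tag": "iodef", "value": "mailto:security@example.com"},
    ],
    "shop.example.com": [
        {"flags": 0, "tag": "issue", "value": "amazon.com"},
        {"flags": 0, "tag": "issuewild", "value": ";"},  # no wildcard certificates for anyone
    ],
}


def relevant_rrset(zone, name):
    """Return (owner, records) for the closest name with CAA records, or (None, [])."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def _issuer_domain(value):
    """'amazon.com; validationmethods=dns-01' -> 'amazon.com'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, ca_issuers=ACM_ISSUERS, wildcard=False):
    """Return (permitted, reason) for a certificate request on `name`."""
    owner, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records at the name or any ancestor: not restricted"
    known = {"issue", "issuewild", "iodef"}
    if any(r["flags"] & 128 and r["tag"] not in known for r in rrset):
        return False, f"CAA at {owner} carries a critical tag this CA does not understand"
    # For a wildcard request, issuewild tags take precedence; otherwise fall back to issue tags.
    tags = [r for r in rrset if r["tag"] == "issuewild"] if wildcard else []
    if not tags:
        tags = [r for r in rrset if r["tag"] == "issue"]
    if not tags:
        return True, f"CAA at {owner} has no issue tags: not restricted"
    allowed = {_issuer_domain(r["value"]) for r in tags} - {""}
    if allowed & {c.lower() for c in ca_issuers}:
        return True, f"CAA at {owner} lists an accepted issuer"
    return False, f"CAA at {owner} permits only {sorted(allowed) or 'no CA'}"


if __name__ == "__main__":
    for n, wc in (("www.example.com", False), ("shop.example.com", False),
                  ("shop.example.com", True), ("api.shop.example.com", False)):
        ok, why = caa_permits(ZONE, n, wildcard=wc)
        print(f"{'*.' if wc else ''}{n}: {'issue' if ok else 'refuse'} ({why})")
```

www.example.com has no CAA record of its own, so the lookup climbs to example.com, finds only letsencrypt.org and refuses; that is the state the question describes. shop.example.com lists amazon.com and passes, but its issuewild ";" blocks a wildcard request.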
Question 530:
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?
A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
D. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
Explanation/Reference:
Terminating TLS on the load balancer with an ACM-issued certificate keeps the external private key inside ACM, where the application servers can never read it, while re-encryption to the instances keeps the data encrypted on every hop. An internal self-signed certificate is enough for the back-end hop because an Application Load Balancer does not validate the certificate presented by its targets. NLB passthrough (A) and uploading the external certificate to the instances (B) put the external private key on the very hosts the engineer expects to be compromised; forwarding in plaintext on port 80 (D) breaks the always-encrypted requirement.