SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 531:

    Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Choose two.)

    A. Deploy AWS WAF to block all unsecured web applications from accessing the internet.
    B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
    C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
    D. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
    E. Use the default Amazon VPC for external-facing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.

  • Question 532:

    Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved?

    Please select:

    A. Enable logging on the KMS service
    B. Enable a trail in CloudTrail
    C. Enable CloudWatch logs
    D. Use CloudWatch metrics

  • Question 533:

    A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons.

    Which combination of steps should a security engineer implement to grant appropriate access? (Choose two.)

    A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read-write.
    B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
    C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
    D. Create local database users for each module.
    E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.

  • Question 534:

    A company's security team has defined a set of AWS Config rules that must be enforced globally in all AWS accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?

    A. Use AWS Organizations to limit AWS Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one AWS account.
    B. Use AWS Config aggregation to consolidate the views into one AWS account, and provide role access to the security team.
    C. Consolidate AWS Config rule results with an AWS Lambda function and push data to Amazon SQS. Use Amazon SNS to consolidate and alert when some metrics are triggered.
    D. Use Amazon GuardDuty to load data results from the AWS Config rules compliance status, aggregate GuardDuty findings of all AWS accounts into one AWS account, and provide role access to the security team.

  • Question 535:

    A company has two AWS accounts within AWS Organizations. In Account-1, Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2, Amazon EBS volumes are encrypted with an AWS KMS key. A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes.

    Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

    A. Allow Account-1 to access the KMS key in Account-2 using a key policy
    B. Attach an IAM policy to the service-linked role in Account-1 that allows these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt
    C. Create a KMS grant for the service-linked role with these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt
    D. Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.
    E. Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

  • Question 536:

    A company has application logs from AWS accounts in an organization in AWS Organizations. A security engineer is copying these logs to a centralized Amazon S3 bucket in the security team's AWS account.

    Each of the company's applications is in its own AWS account. Logs are encrypted and pushed into S3 buckets that are associated with each account.

    The security engineer deploys an AWS Lambda function into each account to copy the relevant log files to the centralized S3 bucket. The Lambda function can copy the log files in the centralized S3 bucket.

    The Lambda function's IAM execution role policy from the security team's AWS account is the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    The centralized S3 bucket policy is the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::111122223333:role/LogCopier",
              "arn:aws:iam::444455556666:role/LogCopier"
            ]
          },
          "Action": ["s3:*"],
          "Resource": "*"
        }
      ]
    }

    The security engineer needs to remove excess permissions while ensuring the functionality of the solution.

    Which changes to the policies meet these requirements? (Choose two.)

    A. Update the centralized S3 bucket policy to the following: { "Version": "2012-10-17","Statement": [{ "Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::111122223333:role/LogCopier","arn:aws:iam::444455556666:role/LogCopier"]},"Action": ["s3:PutObject"],"Resource": "arn:aws:s3:::centralizedbucket/"}]}
    B. Update the centralized S3 bucket policy to the following: { "Version": "2012-10-17","Statement": [{ "Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::111122223333:role/LogCopier","arn:aws:iam::444455556666:role/LogCopier"]},"Action": ["s3:Put*"],"Resource": "arn:aws:s3:::centralizedbucket/*"}]}
    C. Update the Lambda IAM execution role policy to the following: { "Version": "2012-10-17","Statement": [{ "Action": ["s3:Get*", "s3:List*"],"Resource": ["arn:aws:s3:::centralizedbucket/*","arn:aws:s3:::centralizedbucket/"],"Effect": "Allow" }]}
    D. Update the Lambda IAM execution role policy to the following: { "Version": "2012-10-17","Statement": [{ "Action": ["s3:Put*", "s3:List*"],"Resource": ["arn:aws:s3:::centralizedbucket/*","arn:aws:s3:::centralizedbucket/"],"Effect": "Allow" }]}
    E. Update the Lambda IAM execution role policy to the following: { "Version": "2012-10-17","Statement": [{ "Action": ["s3:Put*", "s3:Get*", "s3:List*"],"Resource": ["arn:aws:s3:::centralizedbucket/*","arn:aws:s3:::centralizedbucket/"],"Effect": "Allow" }]}

  • Question 537:

    A DevOps team is planning to deploy a containerized application on Amazon Elastic Container Service (Amazon ECS). The team will use an Application Load Balancer (ALB) to distribute the incoming traffic for the ECS application. A security engineer needs to terminate the TLS traffic at the ALB to ensure security of data in transit.

    Which solutions can the security engineer use to create a certificate and deploy the certificate at the ALB to meet these requirements? (Choose two.)

    A. Use TLS tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
    B. Use AWS Certificate Manager (ACM) to request a certificate. Specify the certificate for the TLS listener on the ALB.
    C. Use AWS Key Management Service (AWS KMS) tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
    D. Configure automatic TLS support in the ECS cluster. Configure the ALB to pass the TLS connection to the containers in the cluster.
    E. Generate a certificate while creating the ECS cluster. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.

  • Question 538:

    Your company has defined privileged users for their AWS Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?

    Please select:

    A. Enable MFA for these user accounts
    B. Enable versioning for these user accounts
    C. Enable accidental deletion for these user accounts
    D. Disable root access for the users

  • Question 539:

    An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.

    Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

    A. The CMK policy
    B. The VPC endpoint policy
    C. The S3 bucket policy
    D. The S3 ACL
    E. The IAM policy

  • Question 540:

    A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its AWS accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

    Which combination of the following would satisfy these requirements? (Select TWO)

    A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS
    B. Establish network connectivity between on-premises and the user's VPC
    C. Use Amazon Cognito user pools for application authentication
    D. Use AD Connector for application authentication.
    E. Set up federated sign-in to AWS through ADFS and SAML.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.