SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 541:

    In your LAMP application, you have some developers who say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below.

    Please select:

    A. Give only the necessary access to the Apache servers so that the developers can gain access to the log files.
    B. Give root access to your Apache servers to the developers.
    C. Give read-only access to your developers to the Apache servers.
    D. Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.

  • Question 542:

    A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to the end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

    Which actions should the company take to secure the images to limit their distribution? (Choose two.)

    A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
    B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
    C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
    D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
    E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

  • Question 543:

    You have an EBS volume attached to an EC2 instance which uses KMS for encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted?

    Please select:

    A. Create a new Customer Key using KMS and attach it to the existing volume
    B. You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
    C. Request AWS Support to recover the key
    D. Use AWS Config to recover the key

  • Question 544:

    Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?

    Please select:

    A. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
    B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.
    C. Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
    D. Put the metadata in the S3 bucket itself.

  • Question 545:

    A company that builds document management systems recently performed a security review of its application on AWS. The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit. A security engineer must implement a solution that prevents uploads that are not encrypted in transit.

    Which solution will meet this requirement?

    A. Ensure that all client implementations are using HTTPS to upload documents into the application.
    B. Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.
    C. Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.
    D. Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.

  • Question 546:

    A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.

    How can the Security Engineer further protect currently running instances?

    A. Delete the key-pair key from the EC2 console, then create a new key pair.
    B. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
    C. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
    D. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

  • Question 547:

    Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?

    A. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
    B. Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
    C. Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
    D. Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.

  • Question 548:

    A company has an organization in AWS Organizations. The company's security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization. The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key. The automation consists of AWS Lambda functions and AWS Step Functions state machines.

    The automation assumes an IAM role in the target AWS account. The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team's account to copy the snapshots. The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots. During testing, the automation fails to copy the snapshots into the security team's AWS account.

    Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Choose three.)

    A. In the target AWS account, update the KMS key policy on the AWS managed key to explicitly allow the kms:Decrypt and kms:CreateGrant actions to the automation's IAM role.
    B. In the target AWS account, create a customer managed KMS key. Update the automation's IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions.
    C. In the security team's AWS account, update the automation's IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the AWS managed key.
    D. In the security team's AWS account, update the automation's IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the customer managed KMS key.
    E. In the security team's AWS account, update the automation code to take EBS snapshots and to use the AWS managed key.
    F. In the security team's AWS account, update the automation code to take EBS snapshots and to use the customer managed KMS key.

  • Question 549:

    A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Configure the S3 Block Public Access feature for the AWS account.
    B. Configure the S3 Block Public Access feature for all objects that are in the bucket.
    C. Deactivate ACLs for objects that are in the bucket.
    D. Use AWS PrivateLink for Amazon S3 to access the bucket.

  • Question 550:

    A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also all API calls must be stored for lookup purposes. Any log data greater than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution.

    Please select:

    A. Enable CloudTrail logging in all accounts into S3 buckets
    B. Enable CloudTrail logging in all accounts into Amazon Glacier
    C. Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
    D. Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
