Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 551:

  A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal information Processing Standards (FIPS) 140-2 Level 3.

  Which solution meets these requirements?

  A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK
  B. Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3
  C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
  D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM
  A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK

  ---

  Explanation/Reference:

• Question 552:

  A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished.

  Please select:

  A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
  B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
  C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
  D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
  C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

  ---

  Explanation/Reference:

  Options A and B are invalid as default NACL rule will allow all inbound and outbound traffic. The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that we need to enable the Security Group of EC2 instance to allow traffic from the IT administrator's workstation. Hence option C is correct. Option D is incorrect as we need to enable the Inbound SSH traffic on the EC2 instance Security Group since the traffic originate' , from the IT admin's workstation. The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

• Question 553:

  A company does not allow the permanent installation of SSH keys onto an Amazon Linux 2 EC2 instance. However, three employees who have IAM user accounts require access to the EC2 instance. The employees must use an SSH

  session to perform critical duties.

  How can a security engineer provide the appropriate access to the EC2 instance to meet these requirements?

  A. Use AWS Systems Manager Inventory to select the EC2 instance and connect. Provide the IAM user accounts with the permissions to use Systems Manager Inventory.
  B. Use AWS Systems Manager Run Command to open an SSH connection to the EC2 instance. Provide the IAM user accounts with the permissions to use Run Command.
  C. Use AWS Systems Manager Session Manager. Provide the IAM user accounts with the permissions to use Systems Manager Session Manager.
  D. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method. Provide the IAM user accounts with access to use the EC2 service in the AWS Management Console.
  C. Use AWS Systems Manager Session Manager. Provide the IAM user accounts with the permissions to use Systems Manager Session Manager.

  ---

  Explanation/Reference:

• Question 554:

  Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?

  Please select:

  A. Use the request parameters for authorization
  B. Use a Lambda authorizer
  C. Use the gateway authorizer
  D. Use CORS on the API gateway
  B. Use a Lambda authorizer

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following An Amazon API Gateway Lambda authorizer (formerly known as a custom authorize?) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters. Options A,C and D are invalid because these cannot be used if you need a custom authentication/authorization for calls made to the API gateway For more information on using the API gateway Lambda authorizer please visit the URL: https://docs.aws.amazon.com/apisateway/latest/developerguide/apieateway-use-lambda-authorizer.htmll The correct answer is: Use a Lambda authorizer

• Question 555:

  A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?

  A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
  B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
  C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
  D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
  A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.

  ---

  Explanation/Reference:

  To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.

• Question 556:

  Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

  Please select:

  A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
  B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
  C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
  D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
  B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.

  ---

  Explanation/Reference:

  On the AWS Blog site the following information is present to help on this context

  The newly released whitepaper. Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can

  access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources. Option A.C and D are all invalid because in this sort of configuration, you

  have to use SAML to enable single sign on.

  For more information on integrating AWS with LDAP for Single Sign-On, please visit the following URL:

  https://aws.amazon.eom/blogs/security/new-whitepaper-sinEle-sign-on-inteErating-aws-openldap-and-shibboleth/

  The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.

• Question 557:

  A company has a set of EC2 Instances hosted in AWS. The EC2 Instances have EBS volumes which is used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

  A. Use lifecycle policies for the EBS volumes
  B. Use EBS Snapshots
  C. Use EBS volume replication D. Use EBS volume encryption
  B. Use EBS Snapshots

  ---

  Explanation/Reference:

  Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability Option A is invalid because there is no lifecycle policy for EBS volumes Option C is invalid because there is no EBS volume replication Option D is invalid because EBS volume encryption will not ensure business continuity For information on security for Compute Resources, please visit the below URL: https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

• Question 558:

  A security engineer is defining the controls required to protect the AWS account root user credentials in an AWS Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.

  Which combination of controls should the security engineer propose? (Choose three.)

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  E. Option E
  F. Option F
  A. Option A
  D. Option D
  F. Option F

• Question 559:

  A software-as-a-service (SaaS) company hosts an application on AWS in a VPC. External customers will use the application on their own Amazon EC2 instances. To access the application, the customers need to install a client application on

  an EC2 instance in a VPC in their AWS accounts.

  A security engineer is designing a solution to allow communication between the client software and the SaaS application. The solution must maximize scalability and security.

  Which combination of actions will meet these requirements? (Choose two.)

  A. Create a Network Load Balancer (NLB) in the VPC in the SaaS company account. Use the NLB for TLS termination and load balancing. Use EC2 instances as targets for the NLB.
  B. Create a Network Load Balancer (NLB) in the VPCs in the customer accounts. Use the NLB for TLS termination and load balancing. Use EC2 instances as targets for the NLB.
  C. Create an AWS PrivateLink endpoint service in the VPCs in the customer accounts. Create a PrivateLink interface endpoint in the VPC in the SaaS company account.
  D. Create an AWS PrivateLink endpoint service in the VPC in the SaaS company account. Create a PrivateLink interface endpoint in the VPCs in the customer accounts.
  E. Create a VPC peering connection between the VPC in the SaaS company account and the VPCs in the customer accounts. Create the required routes for a VPC peering connection.
  B. Create a Network Load Balancer (NLB) in the VPCs in the customer accounts. Use the NLB for TLS termination and load balancing. Use EC2 instances as targets for the NLB.
  E. Create a VPC peering connection between the VPC in the SaaS company account and the VPCs in the customer accounts. Create the required routes for a VPC peering connection.

• Question 560:

  A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows:

  Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

  Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is

  not able to inspect any of the server communication due to TLS encryption.

  Which of the following options will mitigate the threat? (Choose two.)

  A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
  B. Block outbound access to public S3 endpoints on the proxy server.
  C. Configure Network ACLs on Server X to deny access to S3 endpoints.
  D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
  E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
  A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
  B. Block outbound access to public S3 endpoints on the proxy server.