SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 561:

    A company's security team suspects that an insider threat is present. The security team is basing its suspicion on activity that occurred in one of the company's AWS accounts. The activity was performed with the AWS account root user credentials. The root user has no access keys. The company uses AWS Organizations, and the account where the activity occurred is in an OU. A security engineer needs to take away the root user's ability to make any updates to the account. The root user password cannot be changed to accomplish this goal.

    Which solution will meet these requirements?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 562:

    A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS. Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)

    A. Create IAM roles with permissions corresponding to each Active Directory group.
    B. Create IAM groups with permissions corresponding to each Active Directory group.
    C. Configure Amazon Cloud Directory to support a SAML provider.
    D. Configure Active Directory to add relying party trust between Active Directory and AWS.
    E. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.

  • Question 563:

    Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?

    Please select:

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 564:

    A company has two VPCs that are in the same AWS account. One VPC is located in the us-east-1 Region, and the other VPC is located in the us-west-2 Region. The VPCs have an active VPC peering connection with each other, and the route tables for each VPC are configured to route network traffic properly between each VPC.

    An Amazon Aurora DB instance exists in the VPC in us-east-1, and the DB instance's security group controls access to the DB instance. An Auto Scaling group is running in the VPC in us-west-2. The Auto Scaling group is continually adding and removing Amazon EC2 instances because of fluctuations in the demand for capacity. Every EC2 instance that launches as part of the Auto Scaling group belongs to a security group that is specific to the Auto Scaling group.

    A security engineer needs to configure a solution that allows the EC2 instances to access the DB instance that is located in us-east-1.

    Which solution will meet these requirements with the LEAST amount of effort?

    A. Add the ID of the DB instance's security group to the inbound rules of the EC2 instances’ security group.
    B. Add the subnets used by the Auto Scaling group of the VPC in us-west-2 to the DB instance's security group.
    C. Add the private IP address of each EC2 instance from the Auto Scaling group to the DB instance's security group.
    D. Add the ID of the EC2 instances’ security group to the inbound rules of the DB instance's security group.

  • Question 565:

    An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication: After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

    A. Change the value of aws:MultiFactorAuthPresent to true.
    B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
    C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
    D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

  • Question 566:

    Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

    A. Amazon S3 static web hosting
    B. Amazon CloudFront distribution
    C. Application Load Balancer
    D. Amazon Route 53
    E. VPC Flow Logs

  • Question 567:

    A company's security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company's AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.

    Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Choose three.)

    A. Encrypt all AWS CloudTrail logs.
    B. Turn on Amazon GuardDuty.
    C. Change the password for all IAM users.
    D. Rotate or delete all AWS access keys.
    E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
    F. Delete any resources that are unrecognized or unauthorized.

  • Question 568:

    A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.

    Which combination of steps should the security engineer recommend? (Choose two.)

    A. Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
    B. Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
    C. Change the destination to Amazon CloudWatch Logs.
    D. Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
    E. Include the subnet-id and instance-id fields in the log format.

  • Question 569:

    You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?

    Please select:

    A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
    B. Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.
    C. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
    D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

  • Question 570:

    A company recently set up Amazon GuardDuty and is receiving a high number of findings from IP addresses within the company. A security engineer has verified that these IP addresses are trusted and allowed. Which combination of steps should the security engineer take to configure GuardDuty so that it does not produce findings for these IP addresses? (Choose two.)

    A. Create a plaintext configuration file that contains the trusted IP addresses.
    B. Create a JSON configuration file that contains the trusted IP addresses.
    C. Upload the configuration file directly to GuardDuty.
    D. Upload the configuration file to Amazon S3. Add a new trusted IP list to GuardDuty that points to the file.
    E. Manually copy and paste the configuration file data into the trusted IP list in GuardDuty.
