Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 571:
An application developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB. Which key policy would allow the application to do this while granting least privilege?
A. Option A
B. Option B
C. Option C
D. Option D
B. Option B
Explanation/Reference:
Question 572:
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure.
Which of the following solutions would provide the MOST scalable solution?
A. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider.
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
Explanation/Reference:
A central identity account keeps one federation trust and one set of group-to-role mappings; every workload account then only needs cross-account roles that trust the identity account, so adding an account does not require touching the identity provider. IAM users cannot be "assumed" through federation (A), STS does not accept Kerberos tokens (C), and a SAML trust in every account (D) works but multiplies the federation configuration with the number of accounts.
Source: AWS Security Reference Architecture (SRA), https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/account-structure.html
Question 573:
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?
A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
Explanation/Reference:
An instance in a private subnet has a private IP address but no public IP address; such instances can communicate with each other but cannot reach, or be reached from, the internet. A subnet becomes public only when an internet gateway is attached to its VPC and the subnet's route table sends traffic to that gateway, with a public or Elastic IP address on the instance. For outbound-only access, route the private subnet through a NAT gateway or NAT instance instead: the NAT device has its own Elastic IP address, is connected to the internet through the internet gateway, forwards the instances' outbound connections and routes the responses back, but accepts no unsolicited inbound connections. Option A is right because the exposure is a configuration change (an internet gateway attachment, or a default route pointing at one) that AWS Config can detect and a Lambda function can reverse. There is no "mark as private" setting for a VPC (B); IPv6 addresses are globally routable, so C does not remove the exposure; and a Dedicated Host is a tenancy option that adds no network controls (D).
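The auto-remediation from option A, as an added example (not code from this page or from AWS): a Python Lambda function that receives the CloudTrail events for AttachInternetGateway and CreateRoute through an Amazon EventBridge rule and reverses the exposing change. The EventBridge rule, the execution role's ec2:DetachInternetGateway and ec2:DeleteRoute permissions, and every resource ID below are assumptions; the EC2 client is passed in as a parameter so the decision logic can be exercised offline against a recording fake.

```python
"""Auto-remediation for a subnet being exposed to the internet.

Added example for this page, not AWS reference code. Assumes an EventBridge rule
forwards CloudTrail "AWS API Call via CloudTrail" events for the EC2 actions
AttachInternetGateway and CreateRoute to this function, and that the execution
role holds ec2:DetachInternetGateway and ec2:DeleteRoute.
"""
import logging

log = logging.getLogger(__name__)

# Destinations that turn a route into a default route to the internet.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def remediate(event, ec2):
    """Undo the change described by one CloudTrail event if it exposes a subnet.

    Returns the list of (api_call, kwargs) that were issued, so callers can log or
    assert on them; events that expose nothing return [].
    """
    detail = event.get("detail") or {}
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}
    done = []

    if name == "AttachInternetGateway":
        igw, vpc = params.get("internetGatewayId"), params.get("vpcId")
        if igw and vpc:
            kwargs = {"InternetGatewayId": igw, "VpcId": vpc}
            ec2.detach_internet_gateway(**kwargs)
            done.append(("detach_internet_gateway", kwargs))

    elif name == "CreateRoute":
        rtb = params.get("routeTableId")
        # CloudTrail reports an internet gateway target as "gatewayId" (igw-...).
        # A NAT gateway arrives as "natGatewayId" and is left alone: a NAT route
        # allows outbound traffic only and does not expose the subnet.
        target = params.get("gatewayId") or ""
        if rtb and target.startswith("igw-"):
            v4, v6 = params.get("destinationCidrBlock"), params.get("destinationIpv6CidrBlock")
            if v4 in PUBLIC_CIDRS:
                kwargs = {"RouteTableId": rtb, "DestinationCidrBlock": v4}
                ec2.delete_route(**kwargs)
                done.append(("delete_route", kwargs))
            if v6 in PUBLIC_CIDRS:
                kwargs = {"RouteTableId": rtb, "DestinationIpv6CidrBlock": v6}
                ec2.delete_route(**kwargs)
                done.append(("delete_route", kwargs))
    return done


def lambda_handler(event, context):
    """Lambda entry point: build a real EC2 client and remediate."""
    import boto3  # imported lazily so the module also loads where boto3 is absent
    done = remediate(event, boto3.client("ec2"))
    for call, kwargs in done:
        log.warning("remediated exposure: %s %s", call, kwargs)
    return {"remediated": done}


class FakeEC2:
    """Stand-in for boto3's EC2 client that records calls (constructed for offline use)."""
    def __init__(self):
        self.calls = []

    def detach_internet_gateway(self, **kwargs):
        self.calls.append(("detach_internet_gateway", kwargs))

    def delete_route(self, **kwargs):
        self.calls.append(("delete_route", kwargs))


def _ct_event(name, params):
    """Constructed CloudTrail-via-EventBridge event; resource IDs are made up."""
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": name,
                       "requestParameters": params}}


ATTACH_IGW = _ct_event("AttachInternetGateway",
                       {"internetGatewayId": "igw-0a1b2c3d", "vpcId": "vpc-0f9e8d7c"})
DEFAULT_ROUTE_TO_IGW = _ct_event("CreateRoute", {"routeTableId": "rtb-01234567",
                                                 "destinationCidrBlock": "0.0.0.0/0",
                                                 "gatewayId": "igw-0a1b2c3d"})
ROUTE_TO_NAT = _ct_event("CreateRoute", {"routeTableId": "rtb-01234567",
                                         "destinationCidrBlock": "0.0.0.0/0",
                                         "natGatewayId": "nat-0abcdef01"})

if __name__ == "__main__":
    fake = FakeEC2()
    for ev in (ATTACH_IGW, DEFAULT_ROUTE_TO_IGW, ROUTE_TO_NAT):
        print(ev["detail"]["eventName"], "->", remediate(ev, fake))
```

The same function can be wired to an AWS Config custom rule with automatic remediation instead of EventBridge; only the event parsing changes, the detach and delete-route actions stay the same. Reacting to CreateRoute as well as AttachInternetGateway matters because an attached gateway alone does not expose a subnet until a route table points at it.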
Question 574:
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the security engineer do to meet these requirements?
A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
Explanation/Reference:
A permissions boundary caps the maximum permissions that identity-based policies can grant: a permission later added through a group (or any other attached policy) is effective only if the boundary also allows it. An inline policy (A) or a group (C) grants EC2 access but does nothing to stop further grants, and a role the contractor is merely instructed to assume (D) depends on the contractor's cooperation rather than enforcing the limit.
Question 575:
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
Please select:
A. Create a new role and add each user to the IAM role.
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
C. Create a policy and apply it to multiple users using a JSON script.
D. Create an S3 bucket policy with unlimited access which includes each user's AWS account ID.
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
Explanation/Reference:
Option A is incorrect because users are not added to an IAM role; a role is assumed, and each user would still need permission to assume it. Option C is incorrect because attaching a policy to 100 users one by one is exactly the per-user work the question wants to avoid. Option D is incorrect because a bucket policy listing principals covers a single bucket, not unlimited S3 privileges, and would have to be maintained per bucket. An IAM group is used to collectively manage users who need the same set of permissions.
By having groups, it becomes easier to manage permissions: if you change the permissions on the group, the change applies to all users in that group. For more information on IAM groups, browse to the URL below: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html The correct answer is: Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
Question 576:
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.
Which solution will meet these requirements?
A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys.
D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.
B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
Explanation/Reference:
Encrypting each customer's data under its own data encryption key (envelope encryption with the AWS Encryption SDK, the data keys protected by a KMS key whose key policy restricts Decrypt to the authorized applications) turns "immediate destruction" into deleting that customer's data key: the ciphertext becomes unrecoverable at once wherever it is stored (crypto-shredding). Secrets Manager (A) stores and retrieves secrets but does not let applications perform encrypt and decrypt operations, and deleting a secret normally enters a 7-to-30-day recovery window rather than destroying it immediately. AWS managed keys (C) cannot be deleted or scoped to a customer, and a CloudHSM-backed CMK per customer (D) is costly and does not scale to one key per customer.
Question 577:
Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement?
Please select:
A. Use Amazon Inspector to inspect all the security groups.
B. Use AWS Trusted Advisor to see which security groups have compromised access.
C. Use AWS Config to see which security groups have compromised access.
D. Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted access.
B. Use AWS Trusted Advisor to see which security groups have compromised access.
Explanation/Reference:
AWS Trusted Advisor's security checks flag security group rules that allow unrestricted access (0.0.0.0/0 or ::/0) to a resource, with a separate check for specific high-risk ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The Trusted Advisor console lists the affected security groups, rules and ports.
Option A is invalid because Amazon Inspector assesses instances and images for vulnerabilities; it is not an audit of security group rules. Option C is invalid as stated because AWS Config records security group changes and evaluates them only against rules you deploy (such as the managed rules restricted-ssh or vpc-sg-open-only-to-authorized-ports); on its own it does not report groups with unrestricted access. Option D is partially valid but would be an ongoing maintenance overhead. For more information on AWS Trusted Advisor, please visit: https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices The correct answer is: Use AWS Trusted Advisor to see which security groups have compromised access.
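The "filter for unrestricted rules" of option D, written out as an added example (not code from this page or from AWS) so the condition Trusted Advisor checks is concrete: a Python audit over the SecurityGroups list returned by `aws ec2 describe-security-groups`, flagging every inbound rule whose source is 0.0.0.0/0 or ::/0 and rating it higher when a high-risk port is in range. The sample groups, their IDs and the high-risk port list are constructed for the demonstration.

```python
"""Audit security groups for inbound rules open to the whole internet.

Added example for this page (not AWS code). Works on the "SecurityGroups" list in the
shape returned by `aws ec2 describe-security-groups` or boto3's
describe_security_groups(); SAMPLE_GROUPS below is constructed with made-up IDs.
Usage against a real account: aws ec2 describe-security-groups | python3 sg_audit.py
"""
import json
import sys

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Ports this example treats as high risk when reachable from anywhere (admin, database
# and file-sharing services); adjust to your own policy.
HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 135, 139, 445, 1433, 1434, 3306, 3389, 5432, 27017}


def unrestricted_ingress(groups):
    """Return one finding per inbound rule whose source is 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            if not sources:
                continue  # limited to specific CIDRs, prefix lists or other groups
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if proto == "-1":                         # "all traffic": no port fields at all
                ports, risky = "all", sorted(HIGH_RISK_PORTS)
            elif proto in ("tcp", "udp") and lo is not None:
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
                risky = sorted(p for p in HIGH_RISK_PORTS if lo <= p <= hi)
            else:                                     # icmp etc.: From/ToPort are type/code
                ports, risky = "n/a", []
            findings.append({
                "GroupId": g["GroupId"], "GroupName": g.get("GroupName", ""),
                "Protocol": "all" if proto == "-1" else proto, "Ports": ports,
                "Sources": sources, "HighRiskPorts": risky,
                "Severity": "high" if risky else "medium",
            })
    return findings


# Constructed sample in the describe-security-groups shape; group IDs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa1111", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb2222", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-0ccc3333", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd4444", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    groups = SAMPLE_GROUPS if sys.stdin.isatty() else json.load(sys.stdin)["SecurityGroups"]
    for f in unrestricted_ingress(groups):
        print(f"{f['Severity']:6} {f['GroupId']} {f['GroupName']:16} {f['Protocol']}/{f['Ports']} "
              f"from {','.join(f['Sources'])} high-risk={f['HighRiskPorts']}")
```

Note that a world-open 443 on a web tier is reported but rated lower than a world-open 22; Trusted Advisor makes the same distinction between its "unrestricted access" and "specific ports unrestricted" checks, which is why a reviewer still has to read the findings rather than treat every 0.0.0.0/0 rule as a defect.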
Question 578:
A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts.
The company's security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.
Which factors could cause this issue? (Select TWO.)
A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.
B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.
D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.
E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.
B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.
Explanation/Reference:
CloudTrail delivers logs as its service principal (cloudtrail.amazonaws.com), not through an IAM role, so C and E describe a component that does not exist. With SSE-KMS, CloudTrail encrypts each log file with a data key it obtains by calling kms:GenerateDataKey on the CMK, so the key policy must grant that action to the service principal; A names the wrong operations. An organization trail writes under the prefix AWSLogs/<organization-id>/<member-account-id>/ instead of AWSLogs/<account-id>/, so a bucket policy written for the old per-account trails does not allow s3:PutObject on the new prefix and delivery fails.
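The two policy pieces the question turns on, as an added example (not code from this page or from AWS): Python that builds the KMS key policy statements and the log-archive bucket policy statements an organization trail needs, following the statement shapes in the CloudTrail documentation, plus a small matcher that shows the bucket policy written for per-account trails silently refusing the organization trail's object key. The account IDs, organization ID, bucket name and trail name are constructed; the matcher checks Action/Resource wildcards only and does not evaluate conditions.

```python
"""Key policy and bucket policy statements an AWS Organizations trail needs to deliver
SSE-KMS encrypted logs, plus a check that reproduces the failure in question 578.

Added example for this page, not AWS-provided code. The statement shapes follow the
CloudTrail documentation for KMS key policies and organization-trail bucket policies;
all identifiers below are made up.
"""
import json
from fnmatch import fnmatchcase

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}


def trail_arn(region, mgmt_account, trail):
    return f"arn:aws:cloudtrail:{region}:{mgmt_account}:trail/{trail}"


def kms_key_policy_statements(region, mgmt_account, trail):
    """CloudTrail encrypts every log file with a fresh data key, so the key policy must
    let the service principal call kms:GenerateDataKey* (not kms:Encrypt). The
    aws:SourceArn condition pins the grant to this trail (confused-deputy protection)."""
    arn = trail_arn(region, mgmt_account, trail)
    return [
        {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": arn},
                       "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      f"arn:aws:cloudtrail:*:{mgmt_account}:trail/*"}}},
        {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "kms:DescribeKey", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": arn}}},
    ]


def bucket_policy_statements(bucket, region, mgmt_account, trail, org_id):
    """An organization trail writes under AWSLogs/<org-id>/<member-account>/..., so the
    bucket policy must allow s3:PutObject on that prefix, not only AWSLogs/<account>/."""
    arn = trail_arn(region, mgmt_account, trail)
    return [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": {"aws:SourceArn": arn}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{mgmt_account}/*",
                      f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": arn}}},
    ]


def cloudtrail_can_put(bucket_policy, object_arn):
    """True if some Allow statement grants cloudtrail.amazonaws.com s3:PutObject on
    object_arn. Only Action/Resource wildcards are matched; conditions are ignored."""
    for s in bucket_policy.get("Statement", []):
        if s.get("Effect") != "Allow" or s.get("Principal") != CLOUDTRAIL:
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = s.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if any(fnmatchcase("s3:PutObject", a) for a in actions) and \
           any(fnmatchcase(object_arn, r) for r in resources):
            return True
    return False


# Constructed identifiers for the demonstration.
REGION, MGMT, MEMBER, ORG = "us-east-1", "111111111111", "222222222222", "o-abcd1234ef"
BUCKET, TRAIL = "corp-log-archive", "org-trail"

# The log-archive bucket policy as written for the old per-account trails.
LEGACY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
     "Action": "s3:PutObject",
     "Resource": [f"arn:aws:s3:::{BUCKET}/AWSLogs/{MGMT}/*",
                  f"arn:aws:s3:::{BUCKET}/AWSLogs/{MEMBER}/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
ORG_BUCKET_POLICY = {"Version": "2012-10-17",
                     "Statement": bucket_policy_statements(BUCKET, REGION, MGMT, TRAIL, ORG)}

# Key of a log file the organization trail writes for the member account.
ORG_TRAIL_OBJECT = (f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG}/{MEMBER}/CloudTrail/{REGION}/"
                    "2024/01/01/222222222222_CloudTrail_us-east-1_20240101T0000Z_abc.json.gz")

if __name__ == "__main__":
    print("legacy policy delivers org-trail logs:", cloudtrail_can_put(LEGACY_BUCKET_POLICY, ORG_TRAIL_OBJECT))
    print("org-aware policy delivers org-trail logs:", cloudtrail_can_put(ORG_BUCKET_POLICY, ORG_TRAIL_OBJECT))
    print(json.dumps({"Version": "2012-10-17",
                      "Statement": kms_key_policy_statements(REGION, MGMT, TRAIL)}, indent=2))
```

Readers of the logs still need kms:Decrypt on the same key in their own identity policies or the key policy; that grant is separate from the GenerateDataKey grant CloudTrail needs to write.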
Question 579:
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's application is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:
The centralized S3 bucket policy looks like this:
Why is the Security Engineer unable to access the log files?
A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
C. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.
D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
Explanation/Reference:
1. Both the bucket and the user are in the same account: the question says the Security Engineer's user is defined in the centralized account, and the bucket policy is in the centralized account, so no role assumption is involved.
2. All applicable policies are evaluated together, starting from an implicit deny. The IAM policy contains an explicit allow for the Security Engineer for s3:Get and s3:List, and the bucket policy contains no explicit deny, so the policies alone would allow the read. What remains is object ownership: each object was written by a Lambda function in another account, so that account owns the object and by default only it can read it. Unless the writer sets the bucket-owner-full-control ACL on every PutObject (or the bucket enables the Bucket owner enforced setting of S3 Object Ownership, which disables ACLs and makes the bucket owner own every object), users in the bucket owner's account cannot read the objects regardless of their IAM permissions.
Question 580:
A company's development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for application's AWS services. The solution must minimize management overhead.
How should the security team prevent privilege escalation for both teams?
A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
C. Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
D. Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
Explanation/Reference:
Only a permissions boundary lets the developers keep role-creation rights while the security team bounds what those roles can do: the boundary caps the developers' own role, and the developers' policy allows iam:CreateRole and iam:AttachRolePolicy only when the request carries the approved boundary (the iam:PermissionsBoundary condition key), so every role they create is capped by it as well. A detect-and-notify Lambda function (A) acts only after the escalation; an SCP on iam:CreateUser (C) addresses users, not the roles being created, and cannot express "only the permissions the application needs"; and routing every role through a ticket (D) is the management overhead the question rules out.
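Questions 574 and 580 both rest on how IAM combines a permissions boundary with identity-based policies. As an added example (not code from this page and not the IAM engine), here is an offline Python model of just that part of the evaluation: Action and Resource wildcards, explicit Deny, the StringEquals condition, and the rule that a request must be allowed by both the identity policies and the boundary. It runs the contractor scenario from question 574 (a group grants S3 later, the boundary still blocks it) and the developer scenario from question 580 (iam:CreateRole is allowed only with the approved boundary attached). All policy contents and ARNs are constructed for the demonstration.

```python
"""Offline model of IAM permissions boundary evaluation (questions 574 and 580).

Added example for this page; it is not AWS code and models only the subset of IAM
evaluation named in the lead-in. Policies and ARNs are made up.
"""
from fnmatch import fnmatchcase


def _match(patterns, value, fold_case):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource, ctx):
    """Does this statement match the request (action, resource, condition context)?"""
    if not _match(stmt.get("Action", []), action, fold_case=True):
        return False
    if not _match(stmt.get("Resource", []), resource, fold_case=False):
        return False
    # Only StringEquals is modelled. A context key that is absent from the request
    # makes the condition false, which is also how IAM treats it.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    return True


def _decide(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, ctx=None):
    """Same-account request by an IAM user or role: an explicit Deny anywhere wins,
    the boundary (if set) must Allow, and at least one identity policy must Allow."""
    ctx = ctx or {}
    decisions = [_decide(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in decisions:
        return False
    if boundary is not None and _decide(boundary, action, resource, ctx) != "Allow":
        return False
    return "Allow" in decisions


# Question 574: the contractor stays limited to EC2 even after a group grants S3.
EC2_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
CONTRACTOR_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*"}]}
GROUP_ADDED_LATER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Question 580: developers may create roles only with the approved boundary attached.
APPROVED_BOUNDARY_ARN = "arn:aws:iam::111111111111:policy/AppRoleBoundary"  # made up
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::111111111111:role/app-*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": APPROVED_BOUNDARY_ARN}}},
    {"Effect": "Deny",
     "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"],
     "Resource": "*"}]}


def demo():
    """Run both scenarios and return the decisions by name."""
    contractor = [CONTRACTOR_INLINE, GROUP_ADDED_LATER]
    obj = "arn:aws:s3:::customer-data/export.csv"
    role = "arn:aws:iam::111111111111:role/app-lambda-orders"
    with_boundary = {"iam:PermissionsBoundary": APPROVED_BOUNDARY_ARN}
    return {
        "contractor_ec2": is_allowed("ec2:StartInstances", "*", contractor, EC2_ONLY_BOUNDARY),
        "contractor_s3_via_group": is_allowed("s3:GetObject", obj, contractor, EC2_ONLY_BOUNDARY),
        "contractor_s3_no_boundary": is_allowed("s3:GetObject", obj, contractor),
        "dev_create_role_with_boundary": is_allowed("iam:CreateRole", role, [DEVELOPER_POLICY], ctx=with_boundary),
        "dev_create_role_without_boundary": is_allowed("iam:CreateRole", role, [DEVELOPER_POLICY]),
        "dev_remove_boundary": is_allowed("iam:DeleteRolePermissionsBoundary", role, [DEVELOPER_POLICY]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:34} {'ALLOW' if allowed else 'DENY'}")
```

The third result is the point of question 574: the same two identity policies allow s3:GetObject the moment the boundary is removed, which is why neither an inline policy nor a group can enforce the restriction on its own. The last two results are the point of question 580: the condition key makes a CreateRole without the approved boundary an implicit deny, and the explicit Deny stops anyone from stripping the boundary off afterwards.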
Certification exams are increasingly required by employers. But how do you prepare for an exam effectively, in a short time and with less effort, and how do you get an ideal result and find the most reliable resources? Here on Vcedump.com you will find the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation or Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.