Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 581:
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which action should the Engineer take based on this situation? (Choose three.)
A. Use AWS Artifact to capture an exact image of the state of each instance.
B. Create EBS Snapshots of each of the volumes attached to the compromised instances.
C. Capture a memory dump.
D. Log in to each instance with administrative credentials to restart the instance.
E. Revoke all network ingress and egress except for to/from a forensics workstation.
F. Run Auto Recovery for Amazon EC2.
Answer:
B. Create EBS Snapshots of each of the volumes attached to the compromised instances.
E. Revoke all network ingress and egress except for to/from a forensics workstation.
F. Run Auto Recovery for Amazon EC2.
Question 582:
An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
Please select:
A. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
B. Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
Answer:
C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
Explanation/Reference:
The below diagram from an AWS blog shows how access is given to other accounts for the services in your own account.
Options A and B are invalid because you should not use IAM users or IAM access keys for this purpose.
Option D is invalid because you need to create a role for cross-account access. For more information on allowing access to external accounts, please visit the below URL:
The correct answer is: Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
Question 583:
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?
A. Using Amazon Inspector, review all of the API calls and configure the Inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
B. Using AWS Config, create a Config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
Answer:
B. Using AWS Config, create a Config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
Question 584:
A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter Store. When the application tries to access the secure string key value, it fails. Which factors could be the cause of this failure? (Choose two.)
A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret.
E. The EC2 instance does not have any tags associated.
Answer:
B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
Explanation/Reference:
Question 585:
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:
How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?
A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
B. Add an IAM policy for the Developer, which grants S3 access.
C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
D. Add an allow list for the Developer account for the S3 service.
Answer:
C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
Explanation/Reference:
A - The effect still exists because SCPs are inherited down the OU hierarchy.
B - An IAM policy cannot override an SCP applied at its OU.
D - An S3 bucket policy is also unable to override an SCP.
Question 586:
A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.
Which solution will meet these requirements?
A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
B. Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.
C. Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Answer:
D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Explanation/Reference:
Question 587:
A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the Security Engineer do to meet these requirements?
A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
Answer:
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
Explanation/Reference:
Question 588:
How can you ensure that instances in a VPC do not use the AWS DNS service for resolving DNS requests? You want to use your own managed DNS instance. How can this be achieved?
Please select:
A. Change the existing DHCP options set.
B. Create a new DHCP options set and replace the existing one.
C. Change the route table for the VPC.
D. Change the subnet configuration to allow DNS requests from the new DNS server.
Answer:
B. Create a new DHCP options set and replace the existing one.
Explanation/Reference:
In order to use your own DNS server, you need to create a new custom DHCP options set with the IP address of the custom DNS server. You cannot modify the existing set, so you need to create a new one. Option A is invalid because you cannot make changes to an existing DHCP options set. Option C is invalid because a route table only works with routes and not with a custom DNS solution. Option D is invalid because this needs to be done at the VPC level and not at the subnet level. For more information on DHCP options sets, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html The correct answer is: Create a new DHCP options set and replace the existing one.
Question 589:
A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.
Which combination of activities must the company implement to meet its encryption requirements? (Choose two.)
A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Answer:
A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Explanation/Reference:
Question 590:
A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?
Please select:
A. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
B. Configure the CMK to rotate the key material every month.
C. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
D. Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.
Answer:
A. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
Explanation/Reference:
You can use a Lambda function to create a new key and then update the S3 bucket to use the new key. Remember not to delete the old key, else you will not be able to decrypt the documents stored in the S3 bucket using the older key.
Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis. Option C is incorrect because deleting the old key means that you cannot access the older objects. Option D is incorrect because rotating key material on demand is not possible. For more information on AWS KMS keys, please refer to the below URL: