Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 601:

  A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.

  What is the MOST efficient way to manage access control for the KMS CMK7?

  A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
  B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
  C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
  D. Use delegated access across AWS accounts by using IAM roles to manage key access.Programmatically update the IAM trust policy to manage cross-account vendor access.
  A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

• Question 602:

  A company's development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's AWS services. The solution must minimize management overhead.

  How should the security team prevent privilege escalation for both teams?

  A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
  C. Enable AWS Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team
  D. Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
  A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.

• Question 603:

  Your company hosts a large section of EC2 instances in AWS. There are strict security rules governing the EC2 Instances. During a potential security breach , you need to ensure quick investigation of the underlying EC2 Instance. Which of the following service can help you quickly provision a test environment to look into the breached instance.

  Please select:

  A. AWS Cloudwatch
  B. AWS Cloudformation
  C. AWS Cloudtrail
  D. AWS Config
  B. AWS Cloudformation

  ---

  Explanation/Reference:

  The AWS Security best practises mentions the following Unique to AWS, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room. Option A is incorrect since this is a logging service and cannot be used to provision a test environment Option C is incorrect since this is an API logging service and cannot be used to provision a test environment Option D is incorrect since this is a configuration service and cannot be used to provision a test environment For more information on AWS Security best practises, please refer to below URL: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pd1 The correct answer is: AWS Cloudformation

• Question 604:

  A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2 and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

  

  When the security engineer tries to add the policy to the S3 bucket, the following message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2 and User3. Which solution meets these requirements?

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  A. Option A

  ---

  Explanation/Reference:

  You can specify any of the following principals in a policy:

  -AWS account and root user

  -IAM roles

  -Role sessions

  -IAM users

  -Federated user sessions

  -AWS services

  -All principals You cannot identify a user group as a principal in a policy (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities. Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

• Question 605:

  You have enabled Cloudtrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?

  Please select:

  A. Enable SSL certificates for the Cloudtrail logs
  B. There is no need to do anything since the logs will already be encrypted
  C. Enable Server side encryption for the trail
  D. Enable Server side encryption for the destination S3 bucket
  B. There is no need to do anything since the logs will already be encrypted

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following. By default CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encryption your log files with an AWS Key Management Service (AWS KMS) key. You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about lo file delivery and validation, you can set up Amazon SNS notifications. Option A.C and D are not valid since logs will already be encrypted For more information on how Cloudtrail works, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/how-cloudtrail-works.htmll The correct answer is: There is no need to do anything since the logs will already be encrypted

• Question 606:

  Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers fro the options given below

  Please select:

  A. Delete the root access account
  B. Create an Admin IAM user with the necessary permissions
  C. Change the password for the root account.
  D. Delete the root access keys
  B. Create an Admin IAM user with the necessary permissions
  D. Delete the root access keys

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following All AWS accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you cant restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with AWS. Option A is incorrect since you cannot delete the root access account Option C is partially correct but cannot be used as the ideal solution for safeguarding the account For more information on root access vs admin IAM users, please refer to below URL: https://docs.aws.amazon.com/eeneral/latest/er/root-vs-iam.html The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys

• Question 607:

  Your company has a set of 1000 EC2 Instances defined in an AWS Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?

  Please select:

  A. Use the AWS Systems Manager Parameter Store
  B. Use the AWS Systems Manager Run Command
  C. Use the AWS Inspector
  D. Use AWS Config
  B. Use the AWS Systems Manager Run Command

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost. Option A is invalid because this service is used to store parameter Option C is invalid because this service is used to scan vulnerabilities in an EC2 Instance. Option D is invalid because this service is used to check for configuration changes For more information on executing remote commands, please visit the below U https://docs.aws.amazon.com/systems-manaEer/latest/usereuide/executeremote-commands.htmll The correct answer is: Use the AWS Systems Manager Run Command

• Question 608:

  A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.

  Please select:

  A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
  B. When storing data in EBS, encrypt the volume by using AWS KMS.
  C. When storing data in Amazon S3, use object versioning and MFA Delete.
  D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
  E. When storing data in S3, enable server-side encryption.
  B. When storing data in EBS, encrypt the volume by using AWS KMS.
  E. When storing data in S3, enable server-side encryption.

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by

  choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your

  account, Amazon EBS creates one.

  Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption.

  You have the following options of protecting data at rest in Amazon S3.

  Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects. Use Client-Side Encryption - You can encrypt data client-side and upload

  the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

  Option A is invalid because using EBS-optimized Amazon EC2 instances alone will not guarantee protection of instances at rest.

  Option C is invalid because this will not encrypt data at rest for S3 objects.

  Option D is invalid because you don't store data in Instance store. For more information on EBS encryption, please visit the below URL:

  https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html

  For more information on S3 encryption, please visit the below URL:

  https://docs.aws.amazon.com/AmazonS3/latest/dev/UsinEEncryption.html

  The correct answers are: When storing data in EBS, encrypt the volume by using AWS KMS. When storing data in S3, enable server-side encryption.

• Question 609:

  A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

  

  A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can a Security Engineer securely set up the bastion host?

  A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
  B. Create a SSH port forwarding tunnel on the Developer's workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
  C. Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
  D. Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
  A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.

• Question 610:

  A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.

  Which solution would be MOST secure and easy to maintain?

  A. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
  B. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
  C. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
  D. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
  D. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.