Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 611:

  A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected. What is the MOST efficient way to meet these requirements?

  A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
  B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
  C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
  D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
  D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

  ---

  Explanation/Reference:

  https://aws.amazon.com/blogs/aws/cloudwatch-log-service/

• Question 612:

  A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?

  A. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
  B. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator
  C. The S3 bucket policy fails to explicitly grant access to the Application Developer
  D. The S3 bucket policy explicitly denies access to the Application Developer
  C. The S3 bucket policy fails to explicitly grant access to the Application Developer

• Question 613:

  Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account.

  Please select:

  A. Delete the AWS keys for the root account
  B. Create IAM Groups
  C. Create IAM Roles
  D. Restrict access using IAM policies
  A. Delete the AWS keys for the root account

  ---

  Explanation/Reference:

  The first level or measure that should be taken is to delete the keys for the IAM root user When you log into your account and go to your Security Access dashboard, this is the first step that can be seen

  

  Option B and C are wrong because creation of IAM groups and roles will not change the impact of leakage of AWS root access keys Option D is wrong because the first key aspect is to protect the access keys for the root account For more information on best practises for Security Access keys, please visit the below URL: https://docs.aws.amazon.com/eeneral/latest/gr/aws-access-keys-best-practices.html The correct answer is: Delete the AWS keys for the root account

• Question 614:

  A company is running third-party WAF software on AWS. The company's security team discovers that the third-party WAF software has vulnerabilities that can lead to server-side request forgery (SSRF) attacks. Because of this discovery, the security team mandates that the entire AWS infrastructure must use version 2 of the instance metadata service (IMDSv2).

  At the planned completion of the implementation of IMDSv2, the security team uses the Amazon CloudWatch metric Amazon EC2:MetadataNoToken and determines that hundreds of old IMDSv1 requests still are occurring each day. The security team is willing to risk the availability of the company's application to finish this implementation.

  Which combination of steps should the security team take to complete the migration to IMDSv2 in the AWS environment? (Choose two.)

  A. Write and enforce an IAM policy that denies the ec2:runinstances action when the ec2:MetadataHttpTokens condition key is not set to required.
  B. Use the ec2 modify-instance-metadata-options command from the AWS CLI with the http-put-response-hop-limit 0 option.
  C. Use the ec2 modify-instance-metadata-options command from the AWS CLI with the --http-tokens required option.
  D. Modify instance security groups to deny all outbound HTTP traffic to 169.254.169.254.
  E. From each of the AWS account EC2 instances run the following command: TOKEN= 'curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" ' curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
  C. Use the ec2 modify-instance-metadata-options command from the AWS CLI with the --http-tokens required option.
  E. From each of the AWS account EC2 instances run the following command: TOKEN= 'curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" ' curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

  ---

  Explanation/Reference:

  Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html

• Question 615:

  An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.

  What actions should be taken to troubleshoot the issue while maintaining least privilege. (Select two.)

  A. Configure and assign an MFA device to the role used by the instances.
  B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
  C. Verify that the access key attached to the role used by the instances is active.
  D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
  E. Verify that the role attached to the instances contains policies that allow access to the queue.
  B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
  E. Verify that the role attached to the instances contains policies that allow access to the queue.

• Question 616:

  A developer reported that AWS CloudTrail was disabled on their account. A security engineer investigated the account and discovered the event was undetected by the current security solution. The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.

  What should the security engineer do to meet these requirements?

  A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
  B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings.Send email notifications using Amazon SNS.
  C. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
  D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
  A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.

  ---

  Explanation/Reference:

  Reference: https://docs.aws.amazon.com/ram/latest/userguide/ram-ug.pdf

• Question 617:

  A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs.

  Which combination of steps should the security team take? (Choose three.)

  A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)
  B. Compress log file with secure gzip.
  C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.
  D. Implement least privilege access to the S3 bucket by configuring a bucket policy.
  E. Configure CloudTrail log file integrity validation.
  F. Configure Access Analyzer for S3.
  B. Compress log file with secure gzip.
  C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.
  E. Configure CloudTrail log file integrity validation.

• Question 618:

  A company's security engineer must record when specific AWS Lambda functions are invoked. The logs must include the AWS principal that invoked the function. External sources and the company's developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang. The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Update the Lambda function code to extract the AWS principal from the Lambda context and to write a log entry when the function to be monitored is invoked.
  B. Use Amazon EventBridge (Amazon CloudWatch Events) to configure a rule and custom pattern for lambda:invoke events with a filter on the functions to monitor. Invoke another Lambda function to write the EventBridge (CloudWatch Events) data to Amazon CloudWatch Logs.
  C. Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.
  D. Create a Lambda layer that provides CloudTrail with a log event that includes the Lambda context when the function is invoked. Attach this layer to all Lambda functions that must be monitored.
  C. Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.

  ---

  Explanation/Reference:

• Question 619:

  You need to have a cloud security device which would allow to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose.

  Please select:

  A. AWS KMS
  B. AWS Customer Keys
  C. AWS managed keys
  D. AWS Cloud HSM
  A. AWS KMS
  D. AWS Cloud HSM

  ---

  Explanation/Reference:

  AWS Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSM) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys. All master keys in AWS KMS regardless of their creation date or origin are automatically protected using FIPS 140-2 validated HSMs. defines four levels of security, simply named "Level 1'' to "Level 4". It does not specify in detail what level of security is required by any particular application. ?FIPS 140-2 Level 1 the lowest, imposes very limited requirements; loosely, all components must be "production-grade" anc various egregious kinds of insecurity must be absent ?FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication. ?FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity- based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces. ?FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks. AWSCIoudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPQ to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from AWS. You interact with keys in your AWS CloudHSM cluster similar to the way you interact with your applications running in Amazon EC2. AWS KMS allows you to create and control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console. The service uses a FIPS 140-2 validated HSM to protect the security of your keys. Centralized management of all your keys in AWS KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them. AWS KMS HSMs are validated at level 2 overall and at level 3 in the following areas:

  1.

  Cryptographic Module Specification

  2.

  Roles, Services, and Authentication

  3.

  Physical Security

  4.

  Design Assurance So I think that we can have 2 answers for this question. Both A and D. https://aws.amazon.com/blo15s/security/aws-key-management-service-now-ffers-flps-140-2-validated-cryptographic-m-enabling-easier-adoption-of-the-service-for-regulated-workloads/ https://a ws.amazon.com/cloudhsm/faqs/ https://aws.amazon.com/kms/faqs/ https://en.wikipedia.org/wiki/RPS The AWS Documentation mentions the following AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry- standard APIs, such as PKCS#11, Java Cryptography Extensions ()CE). and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially-available HSMs. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs. All other options are invalid since AWS Cloud HSM is the prime service that offers FIPS 140-2 Level 3 compliance For more information on CloudHSM, please visit the following url https://aws.amazon.com/cloudhsm; The correct answers are: AWS KMS, AWS Cloud HSM

• Question 620:

  You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard? Please select:

  A. AWS Cloudwatch
  B. AWS EC2
  C. AWS Trusted Advisor
  D. AWS SNS
  C. AWS Trusted Advisor

  ---

  Explanation/Reference:

  Below is a snapshot of the service limits that the Trusted Advisor can monitor

  

  Option A is invalid because even though you can monitor resources, it cannot be checked against the service limit.

  Option B is invalid because this is the Elastic Compute cloud service Option D is invalid because it can be send notification but not check on service limit For more information on the Trusted Advisor monitoring, please visit the below URL:

  https://aws.amazon.com/premiumsupport/ta-faqs

  The correct answer is: AWS Trusted Advisor