Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 631:

  A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?

  Please select:

  A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
  B. Allow Inbound on port 3306 from source 20.0.0.0/16
  C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
  D. Allow Outbound on port 80 for Destination NAT Instance IP
  A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

  ---

  Explanation/Reference:

  Since the Web server needs to talk to the database server on port 3306 that means that the database server should allow incoming traffic on port 3306. The below table from the aws documentation shows how the security groups should be set up.

  

  Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.

  Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic For more information on security groups please visit the below Link:

  http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC Scenario2.html The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

• Question 632:

  A developer 15 building a serverless application hosted on AWS that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons. Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

  A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
  B. Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
  C. Configure an 1AM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call
  D. Create focal database users for each module
  E. Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call
  A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
  E. Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

• Question 633:

  A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?

  Please select:

  A. Use Amazon QuickSight and Cloud Trail to generate the report of out of compliance instances/servers. Redeploy all out of compliance instances/servers using an AMI with the latest patches.
  B. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Use Systems Manager Patch Manger to install the missing patches.
  C. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Redeploy all out of1 compliance instances/servers using an AMI with the latest patches.
  D. Use Trusted Advisor to generate the report of out of compliance instances/servers. Use Systems Manger Patch Manger to install the missing patches.
  B. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Use Systems Manager Patch Manger to install the missing patches.

  ---

  Explanation/Reference:

  Use the Systems Manger Patch Manger to generate the report and also install the missing patches The AWS Documentation mentions the following AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches. Option A is invalid because Amazon QuickSight and Cloud Trail cannot be used to generate the list of servers that don't meet compliance needs. Option C is wrong because deploying instances via new AMI'S would impact the applications hosted on these servers Option D is invalid because Amazon Trusted Advisor cannot be used to generate the list of servers that don't meet compliance needs. For more information on the AWS Patch Manager, please visit the below URL: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html The correct answer is: Use Systems Manger Patch Manger to generate the report of out of compliance instances/servers. Use Systems Manager Patch Manger to install the missing patches.

• Question 634:

  A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages.

  The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets

  and multiple Availability Zones.

  The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal.

  The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Choose three.)

  A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
  D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
  E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
  F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
  B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
  F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

  ---

  Explanation/Reference:

  A - Not correct - SG cannot add outbound rule to deny B - Correct - NACL to deny outbound C - Correct - Before suspending gather volatile memory, after suspending take snapshot D - Not Correct - Suspending before gathering volatile memory may clear the memory E - Can do but F is better option F - Correct - Isolate the EC2 instance

• Question 635:

  A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

  A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
  B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
  C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
  D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
  D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

  ---

  Explanation/Reference:

  We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data. The Decrypt API returns the plaintext key from the encrypted key.

• Question 636:

  Your company currently has a set of EC2 Instances hosted in a VPC. The IT Security department is suspecting a possible DDos attack on the instances. What can you do to zero in on the IP addresses which are receiving a flurry of requests.

  Please select:

  A. Use VPC Flow logs to get the IP addresses accessing the EC2 Instances
  B. Use AWS Cloud trail to get the IP addresses accessing the EC2 Instances
  C. Use AWS Config to get the IP addresses accessing the EC2 Instances
  D. Use AWS Trusted Advisor to get the IP addresses accessing the EC2 Instances
  A. Use VPC Flow logs to get the IP addresses accessing the EC2 Instances

  ---

  Explanation/Reference:

  With VPC Flow logs you can get the list of IP addresses which are hitting the Instances in your VPC You can then use the information in the logs to see which external IP addresses are sending a flurry of requests which could be the potential threat foi a DDos attack.

  Option B is incorrect Cloud Trail records AWS API calls for your account. VPC FLowlogs logs network traffic for VPC, subnets. Network interfaces etc. As per AWS, VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC where as AWS CloudTrail, is a service that captures API calls and delivers the log files to an Amazon S3 bucket that you specify. Option C is invalid this is a config service and will not be able to get the IP addresses Option D is invalid because this is a recommendation service and will not be able to get the IP addresses For more information on VPC Flow Logs, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html The correct answer is: Use VPC Flow logs to get the IP addresses accessing the EC2 Instances

• Question 637:

  You are working for a company and been allocated the task for ensuring that there is a federated authentication mechanism setup between AWS and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.

  Please select:

  A. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
  B. Ensure the right match is in place for On-premise AD Groups and IAM Groups.
  C. Configure AWS as the relying party in Active Directory
  D. Configure AWS as the relying party in Active Directory Federation services
  A. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
  D. Configure AWS as the relying party in Active Directory Federation services

  ---

  Explanation/Reference:

  The AWS Documentation mentions some key aspects with regards to the configuration of On-premise AD with AWS One is the Groups configuration in AD Active Directory Configuration Determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name to an AWS IAM role. One approach for creating the AD groups that uniquely identify the AWS IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, AWS-, as this will distinguish your AWS groups from others within the organization. Next include the 12-digitAWS account number. Finally, add the matching role name within the AWS account. Here is an example:

  

  And next is the configuration of the relying party which is AWS ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party,

  which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the

  federation service. Option B is invalid because AD groups should not be matched to IAM Groups Option C is invalid because the relying party should be configured in Active Directory Federation services For more information on the federated

  access, please visit the following URL:

  1 https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

  The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure AWS as the relying party in Active Directory Federation services

• Question 638:

  An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.

  Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

  A. Confirm that the EC2 instance's security group authorizes S3 access.
  B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.
  C. Check the S3 bucket policy for statements that deny access to objects.
  D. Confirm that the EC2 instance is using the correct key pair.
  E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
  F. Confirm that the instance and the S3 bucket are in the same Region.
  B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.
  C. Check the S3 bucket policy for statements that deny access to objects.
  E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.

• Question 639:

  A company's Security Officer is concerned about the risk of AWS account root user logins and has assigned a Security Engineer to implement a notification solution for near-real-time alerts upon account root user logins. How should the Security Engineer meet these requirements?

  A. Create a cron job that runs a script lo download the AWS IAM security credentials We. parse the file for account root user logins and email the Security team's distribution 1st
  B. Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the Security team's distribution list.
  C. Save AWS CloudTrail logs to an Amazon S3 bucket in the Security team's account Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events
  D. Save VPC Plow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events
  B. Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the Security team's distribution list.

• Question 640:

  A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.

  How should the security engineer prevent unauthorized access to the EC2 instances?

  A. Delete the key pair from the EC2 console. Create a new key pair.
  B. Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.
  C. Restrict SSH access in the security group to only known corporate IP addresses.
  D. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.
  C. Restrict SSH access in the security group to only known corporate IP addresses.