Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 641:
The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.
Which of the following actions will resolve the access denied error?
A. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
B. Update the Lambda configuration to launch the function in a VPC.
C. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
D. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.
C. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
Explanation/Reference:
KMS authorizes a request using the key policy together with IAM. When the key policy delegates to the account (the default statement that allows the account root), the caller's own IAM permissions decide. The caller here is the Lambda execution role, not the Systems Manager service, so the role needs kms:Decrypt on the key (option C); scope it to the key ARN and, where possible, add a kms:ViaService condition for ssm.<region>.amazonaws.com so the role can only use the key through Parameter Store. Option A names a service principal that never makes the Decrypt call. Option B changes networking, not authorization. Option D describes the trust relationship that must already exist for the function to run at all.
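The reasoning above can be made concrete with a small model of how KMS combines the key policy with IAM identity policies. This is an added illustration, not code from the exam page: it ignores Deny statements, conditions and grants, and the account ID, key ARN, role ARN and policy documents are made up for the example.

```python
"""Model of the two-sided KMS authorisation behind Question 641.

Added illustration, not code from the exam page: AWS KMS checks the key
policy first, and only honours IAM identity policies when the key policy
delegates to the account (the statement naming the account root as
principal). Denies, conditions and grants are deliberately left out; the
account ID, key ARN, role ARN and policy documents are made up.
"""
import fnmatch

ACCOUNT = "123456789012"  # fictitious account
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/db-reader-lambda"  # Lambda execution role
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM-style wildcard matching ("kms:*", "arn:aws:kms:*:*:key/*")
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, principal_arn):
    # Only "AWS" principals (users, roles, root) can be the caller here; a
    # "Service" principal such as ssm.amazonaws.com is never the caller of
    # kms:Decrypt when a Lambda role reads a SecureString parameter.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return principal_arn in _as_list(principal.get("AWS"))
    return False


def _statement_allows(stmt, action, resource, principal_arn=None):
    if stmt.get("Effect") != "Allow":
        return False
    if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal_arn):
        return False
    return _any_match(stmt.get("Action"), action) and _any_match(stmt.get("Resource"), resource)


def kms_allows(key_policy, identity_policy, principal_arn, action, key_arn):
    """True if principal_arn may call `action` on `key_arn`.

    Path 1: the key policy names the principal directly.
    Path 2: the key policy delegates to the account root AND an identity
            policy attached to the principal allows the action on the key.
    """
    key_stmts = key_policy["Statement"]
    if any(_statement_allows(s, action, key_arn, principal_arn) for s in key_stmts):
        return True
    delegated = any(_statement_allows(s, action, key_arn, ROOT_ARN) for s in key_stmts)
    if not delegated:
        return False
    return any(_statement_allows(s, action, key_arn) for s in identity_policy["Statement"])


# Default-style key policy: delegates authorisation to IAM for this account.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
]}

# Option A: the same key policy plus the SSM service principal.
OPTION_A_KEY_POLICY = {"Version": "2012-10-17", "Statement": KEY_POLICY["Statement"] + [
    {"Sid": "Option A", "Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
     "Action": "kms:Decrypt", "Resource": "*"},
]}

# The role can read the parameter but has no KMS permission at all.
BASE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter",
     "Resource": f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/prod/db/*"},
]}

# Option C: the same role policy plus kms:Decrypt on this one key.
OPTION_C_ROLE_POLICY = {"Version": "2012-10-17", "Statement": BASE_ROLE_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]}


def before_fix():
    return kms_allows(KEY_POLICY, BASE_ROLE_POLICY, ROLE_ARN, "kms:Decrypt", KEY_ARN)


def option_a():
    return kms_allows(OPTION_A_KEY_POLICY, BASE_ROLE_POLICY, ROLE_ARN, "kms:Decrypt", KEY_ARN)


def option_c():
    return kms_allows(KEY_POLICY, OPTION_C_ROLE_POLICY, ROLE_ARN, "kms:Decrypt", KEY_ARN)


if __name__ == "__main__":
    print("before fix:", before_fix())  # False -> AccessDeniedException
    print("option A:  ", option_a())    # False -> still denied
    print("option C:  ", option_c())    # True
```

The model shows why option A cannot help: the Service principal is matched against the caller, and the caller is the role. In a real account the same experiment is `aws kms decrypt` run under the role's credentials, and CloudTrail records the denied call with the role as userIdentity.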
Question 642:
Attach the following SCP to the OU that contains this account:
A. For each finding in the audit report, run the ec2 copy-snapshot command and use the encrypted flag specifying an AWS Key Management Service (AWS KMS) CMK.
B. Create a private AMI for the company. Configure encryption for the private AMI by selecting the custom AMI in the Amazon EC2 console, the destination AWS Region and the source account's AWS Key Management Service (AWS KMS) master key.
C. In the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS Region.
A. For each finding in the audit report, run the ec2 copy-snapshot command and use the encrypted flag specifying an AWS Key Management Service (AWS KMS) CMK.
Question 643:
A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection. How should a security engineer resolve these issues?
A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
Explanation/Reference:
CloudTrail event history in the console only retains the last 90 days; a trail that delivers to an S3 bucket keeps the logs for as long as the bucket's lifecycle allows, which resolves the retention finding. AWS Config records configuration changes to IAM resources, and a Config rule can notify through SNS when a policy changes. Option A is wrong because Amazon Inspector assesses workloads for vulnerabilities and does not track IAM changes (and a lifecycle policy only moves logs that a trail already delivered). AWS Artifact provides compliance reports, not log storage, and Trusted Advisor does not alert on policy changes. CloudTrail on its own does not send notifications for specific API calls.
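The detection side of this question, as an added example that is not part of the exam page: the same list of IAM policy-changing API calls that the CIS AWS Foundations Benchmark uses for its "IAM policy changes" CloudWatch metric filter, applied here directly to the records of a CloudTrail log file. The log file is constructed for the example; real files are gzipped JSON objects with the same "Records" array, so the same function runs over `json.loads(gzip.decompress(body))`.

```python
"""Detect IAM policy changes in a CloudTrail log file (Question 643).

Added illustration, not code from the exam page. The event names below are
those the CIS AWS Foundations Benchmark lists for its "IAM policy changes"
metric filter. SAMPLE_LOG is constructed for the example, not a real capture.
"""
import json

# IAM API calls that create, change or delete a policy or its attachment.
POLICY_CHANGE_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "SetDefaultPolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
    "UpdateAssumeRolePolicy",
})
# Managed policies whose attachment deserves an immediate page, not a ticket.
PRIVILEGED_MANAGED_POLICIES = ("AdministratorAccess", "IAMFullAccess")


def actor_of(record):
    """ARN of the user or role behind the call (the role, not the session ARN)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", ident.get("arn"))
    return ident.get("arn", ident.get("type", "unknown"))


def target_of(record):
    """The IAM entity and/or policy the call touched, from requestParameters."""
    params = record.get("requestParameters") or {}
    keys = ("roleName", "userName", "groupName", "policyName", "policyArn")
    return " ".join(str(params[k]) for k in keys if k in params)


def iam_policy_change_findings(log_file_json):
    """One finding per policy-changing IAM call, whether it succeeded or was denied."""
    findings = []
    for rec in json.loads(log_file_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in POLICY_CHANGE_EVENTS:
            continue
        target = target_of(rec)
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": actor_of(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "target": target,
            "succeeded": "errorCode" not in rec,   # denied attempts are still worth seeing
            "privileged": any(p in target for p in PRIVILEGED_MANAGED_POLICIES),
        })
    return findings


# Constructed sample log file (not a real capture): one read, two successful
# policy changes, one denied deletion, and one non-IAM event.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app-role"}},
    {"eventTime": "2024-03-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app-role", "policyName": "s3-read"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/session1",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/ops-admin"}}},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRolePolicy", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"roleName": "app-role", "policyName": "s3-read"}},
    {"eventTime": "2024-03-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "logs"}},
]})

if __name__ == "__main__":
    for finding in iam_policy_change_findings(SAMPLE_LOG):
        print(finding)
```

Two details matter in practice: the actor is taken from sessionIssuer for assumed roles, so findings name the role rather than a throwaway session; and denied calls are kept, because a user repeatedly trying to delete a role policy is itself a signal.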
Question 644:
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the AWS Config service can work as required?
Please select:
A. Ensure that there is a trust policy in place for the AWS Config service within the role
B. Ensure that there is a grant policy in place for the AWS Config service within the role
C. Ensure that there is a user policy in place for the AWS Config service within the role
D. Ensure that there is a group policy in place for the AWS Config service within the role
A. Ensure that there is a trust policy in place for the AWS Config service within the role
Explanation/Reference:
Options B, C and D are invalid because the role's trust policy must allow the config.amazonaws.com service principal to assume it; a grant, user or group policy does not give a service the ability to assume the role. For more information on the IAM role permissions please visit the link below: https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role
Question 645:
A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.
The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest.
Which combination of steps will meet these requirements? (Choose two.)
A. Modify EBS default encryption setting in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
B. Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
D. Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
E. Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.
A. Modify EBS default encryption setting in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh. C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
Explanation/Reference:
Existing EBS volumes cannot be encrypted in place. Enabling EBS encryption by default in the Region makes every new volume encrypted, and an instance refresh replaces the instances (and their volumes) from the launch templates. An existing Aurora cluster likewise cannot be encrypted in place; restoring a snapshot into a new cluster with a KMS key specified produces an encrypted cluster. ACM issues TLS certificates for data in transit and plays no part in encryption at rest.
Question 646:
A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account.
The security team wants to use Amazon Detective. However, the security team cannot enable Detective and is unsure why. What must the security team do to enable Detective?
A. Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie.
B. Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization.
C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
D. Ensure that the principal that launches Detective has the organizations:ListAccounts permission.
C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
Explanation/Reference:
Detective requires that GuardDuty has been enabled in the account for at least 48 hours before Detective can be enabled; until then the enable request is refused. Macie, KMS encryption of CloudTrail logs and the organizations:ListAccounts permission are not prerequisites for enabling Detective.
Question 647:
A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.
How can the Engineer perform the key rotation process MOST efficiently?
A. Create a new CMK, and redirect the existing Key Alias to the new CMK.
B. Select the option to auto-rotate the key.
C. Upload new key material into the existing CMK.
D. Create a new CMK, and change the application to point to the new CMK.
A. Create a new CMK, and redirect the existing Key Alias to the new CMK.
Explanation/Reference:
CMKs with imported key material are not eligible for automatic rotation (option B), and KMS does not accept different key material for an existing CMK; only the same material can be re-imported (option C). Rotation therefore means creating a new CMK and importing new material into it. Repointing the existing alias to the new CMK (option A) achieves this without touching the application, which makes it the most efficient choice; option D also works but forces an application change. Keep the old CMK enabled until every ciphertext produced under it has been re-encrypted, because KMS needs the original CMK to decrypt them.
Question 648:
Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's AWS Account. Which would be the easiest way to ensure these vulnerabilities are remediated? Please select:
A. Create AWS Lambda functions to download the updates and patch the servers.
B. Use AWS CLI commands to download the updates and patch the servers.
C. Use Amazon Inspector to patch the servers.
D. Use AWS Systems Manager to patch the servers.
D. Use AWS Systems Manager to patch the servers.
Explanation/Reference:
The AWS documentation mentions the following: "You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can target either instance IDs or Amazon EC2 tags and execute the AWS-RefreshAssociation document or the AWS-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem."
Options A and B are invalid because, even though they are possible, the Lambda functions or scripts would be difficult to maintain. Option C is invalid because Amazon Inspector assesses instances for vulnerabilities and cannot patch them.
For more information on using Systems Manager for compliance remediation please visit the link below: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-fixing.html
The correct answer is: Use AWS Systems Manager to patch the servers
Question 649:
A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS. Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three.)
A. Create IAM roles with permissions corresponding to each Active Directory group.
B. Create IAM groups with permissions corresponding to each Active Directory group.
C. Create a SAML provider with IAM.
D. Create a SAML provider with Amazon Cloud Directory.
E. Configure AWS as a trusted relying party for the Active Directory.
F. Configure IAM as a trusted relying party for Amazon Cloud Directory.
A. Create IAM roles with permissions corresponding to each Active Directory group. C. Create a SAML provider with IAM. E. Configure AWS as a trusted relying party for the Active Directory
Question 650:
A company has a customer master key (CMK) with imported key material. Company policy requires that all encryption keys must be rotated every year. What can be done to implement the above policy?
A. Enable automatic key rotation annually for the CMK.
B. Use the AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
C. Import new key material to the existing CMK and manually rotate the CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Explanation/Reference:
https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs in custom key stores and CMKs with imported key material. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias. To update the target CMK of an alias, use the UpdateAlias operation in the AWS KMS API."
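The manual rotation that Questions 647 and 650 both describe, as an added example that is not part of the exam page or of AWS's own code: a miniature model of the KMS behaviour that matters during the cutover. A KMS ciphertext records which key produced it, so once the alias is repointed, new data is encrypted under the new key while every old ciphertext still needs the old key until it is re-encrypted. The stream cipher is a toy stand-in for KMS's real AES-GCM, the RSAES-OAEP wrapping step of ImportKeyMaterial is skipped, and the key IDs and alias name are made up; the walkthrough goes one step beyond the exam answer by showing re-encryption and what breaks if the old key is disabled too early.

```python
"""Manual rotation of a key with imported material (Questions 647 and 650).

Added illustration, not code from the exam page or from AWS. Toy model:
the HMAC-based stream cipher stands in for AES-GCM, ImportKeyMaterial's
RSAES-OAEP wrapping is skipped, key IDs and alias names are made up.
"""
import hashlib
import hmac
import secrets


class DisabledException(Exception):
    """Mirrors the error KMS returns when a disabled key is used."""


def _keystream(material, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream; NOT how KMS encrypts.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class MiniKMS:
    def __init__(self):
        self.keys = {}     # key_id -> {"material": bytes | None, "enabled": bool}
        self.aliases = {}  # "alias/name" -> key_id

    def create_key(self):
        # Origin EXTERNAL: the key exists but is unusable until material is imported.
        key_id = f"key-{len(self.keys) + 1:04d}"
        self.keys[key_id] = {"material": None, "enabled": True}
        return key_id

    def import_key_material(self, key_id, material):
        if len(material) != 32:
            raise ValueError("imported material for a symmetric KMS key is 256 bits")
        if self.keys[key_id]["material"] not in (None, material):
            raise ValueError("KMS only re-imports the same material; use a new key")
        self.keys[key_id]["material"] = material

    def update_alias(self, alias, key_id):
        # UpdateAlias: the cutover step that applications never notice.
        self.aliases[alias] = key_id

    def disable_key(self, key_id):
        self.keys[key_id]["enabled"] = False

    def _resolve(self, key_ref):
        return self.aliases[key_ref] if key_ref.startswith("alias/") else key_ref

    @staticmethod
    def key_id_of(blob):
        # Ciphertext layout: 1-byte id length | key id | 16-byte nonce | body.
        return blob[1:1 + blob[0]].decode()

    def encrypt(self, key_ref, plaintext):
        key_id = self._resolve(key_ref)
        key = self.keys[key_id]
        if not key["enabled"] or key["material"] is None:
            raise DisabledException(key_id)
        nonce = secrets.token_bytes(16)
        stream = _keystream(key["material"], nonce, len(plaintext))
        kid = key_id.encode()
        return bytes([len(kid)]) + kid + nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

    def decrypt(self, blob):
        key_id = self.key_id_of(blob)  # symmetric Decrypt takes no key argument in KMS
        key = self.keys[key_id]
        if not key["enabled"]:
            raise DisabledException(key_id)
        start = 1 + len(key_id)
        nonce, body = blob[start:start + 16], blob[start + 16:]
        return bytes(a ^ b for a, b in zip(body, _keystream(key["material"], nonce, len(body))))

    def re_encrypt(self, blob, new_key_ref):
        # ReEncrypt: migrate an old ciphertext to the key the alias now points at.
        return self.encrypt(new_key_ref, self.decrypt(blob))


def rotation_walkthrough():
    """Rotate alias/app-db from an old imported-material key to a new one."""
    kms = MiniKMS()
    old = kms.create_key()
    kms.import_key_material(old, secrets.token_bytes(32))  # year-1 material
    kms.update_alias("alias/app-db", old)
    ct_old = kms.encrypt("alias/app-db", b"db password v1")

    new = kms.create_key()
    kms.import_key_material(new, secrets.token_bytes(32))  # year-2 material
    kms.update_alias("alias/app-db", new)                  # the cutover
    ct_new = kms.encrypt("alias/app-db", b"db password v2")
    return kms, old, new, ct_old, ct_new


if __name__ == "__main__":
    kms, old, new, ct_old, ct_new = rotation_walkthrough()
    print(MiniKMS.key_id_of(ct_old), MiniKMS.key_id_of(ct_new))  # key-0001 key-0002
```

The ordering this enforces is the one to follow with the real service: create the new key, import material, repoint the alias, re-encrypt stored ciphertexts, and only then disable (and later schedule deletion of) the old key.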