SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 661:

    A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident.

    What steps should the team document in the plan?

    Please select:

    A. Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
    B. Use Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
    C. Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
    D. Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

  • Question 662:

    A large organization is planning to use AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts?

    Please select:

    A. Use multiple VPCs in the account each VPC for each department
    B. Use multiple IAM groups, each group for each department
    C. Use multiple IAM roles, each group for each department
    D. Use multiple AWS accounts, each account for each department

  • Question 663:

    A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?

    Please select:

    A. Use KMS and the normal KMS encryption keys
    B. Use KMS and use an external key material
    C. Use S3 Server Side encryption
    D. Use Cloud HSM

  • Question 664:

    A security engineer is attempting to push a Linux-based container image to an Amazon Elastic Container Registry (Amazon ECR) repository that is in the us-east-1 Region. The security engineer has retrieved an authentication token by using the aws ecr get-login-password AWS CLI command within the last 4 hours. The security engineer has confirmed that the correct permissions are in place to push the container image to the repository.

    When the security engineer tries to push the container image, the security engineer receives the following error: “no basic auth credentials”. What should the security engineer do to resolve this error?

    A. Obtain a new authorization token.
    B. Configure the AWS CLI to use us-east-1.
    C. Modify the aws-auth-cm.yaml file to include the IAM role for the security engineer.
    D. Activate AWS Security Token Service (AWS STS) in us-east-1.

  • Question 665:

    A company's application runs on an Amazon EC2 instance and stores objects in an Amazon S3 bucket. The EC2 instance is using an instance profile that provides access to read and write objects in the S3 bucket. The S3 bucket contains objects and has not been configured for any encryption at rest. The company is adopting a new security policy that mandates encryption at rest for all S3 buckets, encryption at rest for all objects in S3 buckets, and key rotation once every year.

    What should a security engineer do to meet these requirements?

    A. Enable server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Configure annual automatic key rotation. Use an S3 Batch Operations job with the COPY command to change all the objects in the S3 bucket to use the SSE-S3 key. Configure the EC2 instance profile with permissions to use the SSE-S3 key. Configure S3 data events to encrypt an object during a write operation.
    B. Create a new AWS Key Management Service (AWS KMS) customer managed key. Configure annual automatic key rotation. Enable server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Add a bucket policy to the S3 bucket to enforce SSE-KMS encryption. Configure the EC2 instance profile with permissions to use the customer managed key.
    C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Configure annual automatic key rotation. Enable server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Use an S3 Batch Operations job with the COPY command to change all the objects in the S3 bucket to use the customer managed key. Configure the EC2 instance profile with permissions to use the customer managed key.
    D. Enable server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Configure annual automatic key rotation. Configure the EC2 instance profile with permissions to use the SSE-S3 key. Use the AWS CLI to copy the S3 objects in place by specifying the SSE-S3 key as the encryption key. Configure S3 data events to encrypt an object during a write operation.

  • Question 666:

    A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.

    Which solution meets these requirements?

    A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
    B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
    C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
    D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

  • Question 667:

    Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?

    Please select:

    A. Adding a bucket policy on the S3 bucket.
    B. Configuring lifecycle configuration rules on the S3 bucket.
    C. Creating an IAM policy for the S3 bucket.
    D. Enabling CORS on the S3 bucket.

  • Question 668:

    A company is ready to deploy a public web application. The company will use AWS and will host the application on an Amazon EC2 instance. The company must use SSL/TLS encryption. The company is already using AWS Certificate Manager (ACM) and will export a certificate for use with the deployment.

    How can a security engineer deploy the application to meet these requirements?

    A. Put the EC2 instance behind an Application Load Balancer (ALB). In the EC2 console, associate the certificate with the ALB by choosing HTTPS and 443.
    B. Put the EC2 instance behind a Network Load Balancer. Associate the certificate with the EC2 instance.
    C. Put the EC2 instance behind a Network Load Balancer (NLB). In the EC2 console, associate the certificate with the NLB by choosing HTTPS and 443.
    D. Put the EC2 instance behind an Application Load Balancer. Associate the certificate with the EC2 instance.

  • Question 669:

    A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from the corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer.

    Which actions will meet the program requirements that address security?

    A. Create an Amazon CloudWatch alarm for AWS CloudTrail Events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.
    B. Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
    C. Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if it originates from corporate premises.
    D. Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

  • Question 670:

    A company wants to prevent public exposure of data that is stored in Amazon S3.

    Which combination of steps should a security engineer take to meet this requirement? (Choose two.)

    A. Turn on S3 Block Public Access.
    B. Enforce S3 bucket encryption by using server-side encryption with AWS KMS managed keys (SSE-KMS).
    C. Enforce S3 bucket encryption by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
    D. Use S3 Storage Lens.
    E. Use Amazon Macie.
