Amazon SCS-C01 Online Practice Questions and Exam Preparation

Amazon SCS-C01 Online Questions & Answers

• Question 671:

  Your company is planning on using AWS EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.

  Please select:

  A. Ensure the load balancer listens on port 80
  B. Ensure the load balancer listens on port 443
  C. Ensure the HTTPS listener sends requests to the instances on port 443
  D. Ensure the HTTPS listener sends requests to the instances on port 80
  B. Ensure the load balancer listens on port 443
  C. Ensure the HTTPS listener sends requests to the instances on port 443

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted, if the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted. Option A is invalid because there is a need for secure traffic, so port 80 should not be used Option D is invalid because for the HTTPS listener you need to use port 443 For more information on HTTPS with ELB, please refer to the below Link: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.htmll The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443

• Question 672:

  A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AM Is and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the Engineer implement? Select 2 answers from the options given below.

  Please select:

  A. Set up a CloudWatch event based on Trusted Advisor metrics
  B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non- compliant infrastructure.
  C. Set up a CloudWatch event based on Amazon inspector findings
  D. Monitor compliance with AWS Config Rules triggered by configuration changes
  E. Trigger a CLI command from a CloudWatch event that terminates the infrastructure
  B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non- compliant infrastructure.
  D. Monitor compliance with AWS Config Rules triggered by configuration changes

  ---

  Explanation/Reference:

  You can use AWS Config to monitor for such Event Option A is invalid because you cannot set Cloudwatch events based on Trusted Advisor checks.

  Option C is invalid Amazon inspector cannot be used to check whether instances are launched from a specific A

  Option E is invalid because triggering a CLI command is not the preferred option, instead you should use Lambda functions for all automation purposes. For more information on Config Rules please see the below Link:

  https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html These events can then trigger a lambda function to terminate instances For more information on Cloudwatch events please see the below Link:

  https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatlsCloudWatchEvents .

  The correct answers are: Trigger a Lambda function from a scheduled Cloudwatch event that terminates non-compliant infrastructure., Monitor compliance with AWS Config Rules triggered by configuration changes

• Question 673:

  You have a set of Customer keys created using the AWS KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this.

  Please select:

  A. You have not explicitly given access via the key policy
  B. You have not explicitly given access via the IAM policy
  C. You have not given access via the IAM roles
  D. You have not explicitly given access via IAM users
  A. You have not explicitly given access via the key policy

  ---

  Explanation/Reference:

  By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explii update the default key policy for these keys. Option B,C and D are invalid because the key policy is the main entity used to provide access to the keys For more information on upgrading key policies please visit the following URL: https://docs.aws.ama20n.com/kms/latest/developerguide/key-policy-upgrading.html The correct answer is: You have not explicitly given access via the key policy

• Question 674:

  You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer:

  Please select:

  A. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
  B. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
  C. Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
  D. Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
  A. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

  ---

  Explanation/Reference:

  amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0,004 per gigabyte per month, a significant savings compared to on-premises solutions. With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARDJA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation. Option B is invalid because lifecycle policies are not available for EBS volumes Option C is invalid because IAM policies cannot be used to move data to Glacier Option D is invalid because lifecycle policies is not used to move data to Redshif For more information on S3 lifecycle policies, please visit the URL: http://docs.aws.amazon.com/AmazonS3/latest/dev/obiect-lifecycle-mgmt.html The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

• Question 675:

  A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition , it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below

  Please select:

  A. Enable bucket versioning and also enable CRR
  B. Enable bucket versioning and enable Master Pays
  C. For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}} i
  D. Enable the Bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
  A. Enable bucket versioning and also enable CRR
  C. For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}} i

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following Adding a Bucket Policy to Require MFA Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazoi. S3 resources. You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users car access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request. When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

  

  Option B is invalid because just enabling bucket versioning will not guarantee replication of objects Option D is invalid because the condition for the bucket policy needs to be set accordingly For more information on example bucket policies,

  please visit the following URL:

  https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html Also versioning and Cross Region replication can ensure that objects will be available in the destination region in case the primary region fails. For more

  information on CRR, please visit the following URL:

  https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html

  The correct answers are: Enable bucket versioning and also enable CRR, For the Bucket policy add a condition for {"Null": { "aws:MultiFactorAuthAge": true}}

• Question 676:

  Your company has been using AWS for hosting EC2 Instances for their web and database applications. They want to have a compliance check to see the following

  Whether any ports are left open other than admin ones like SSH and RDP

  Whether any ports to the database server other than ones from the web server security group are open Which of the following can help achieve this in the easiest way possible. You don't want to carry out an extra configuration changes?

  Please select:

  A. AWS Config
  B. AWS Trusted Advisor
  C. AWS Inspector D.AWSGuardDuty
  B. AWS Trusted Advisor

  ---

  Explanation/Reference:

  Trusted Advisor checks for compliance with the following security recommendations: Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet) 3389 (RDP), and 5500 (VNQ. Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), Oracle (1521) and 5432 (PostgreSQL). Option A is partially correct but then you would need to write custom rules for this. The AWS trusted advisor can give you all o these checks on its dashboard Option C is incorrect. Amazon Inspector needs a software agent to be installed on all EC2 instances that are included in the assessment target, the security of which you want to evaluate with Amazon Inspector. It monitors the behavior of the EC2 instance on which it is installed, including network, file system, and process activity, and collects a wide set of behavior and configuration data (telemetry), which it then passes to the Amazon Inspector service. Our question's requirement is to choose a choice that is easy to implement. Hence Trusted Advisor is more appropriate for this question. Options D is invalid because this service dont provide these details. For more information on the Trusted Advisor, please visit the following URL https://aws.amazon.com/premiumsupport/trustedadvisor> The correct answer is: AWS Trusted Advisor

• Question 677:

  Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. They have their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis. Choose 2 answers from the options given below

  Please select:

  A. Create an IAM user in the company account
  B. Create an IAM Role in the company account
  C. Ensure the IAM user has access for read-only to the S3 buckets
  D. Ensure the IAM Role has access for read-only to the S3 buckets
  B. Create an IAM Role in the company account
  D. Ensure the IAM Role has access for read-only to the S3 buckets

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section. Create an IAM role for each account that you want to share log files with. For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with. Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files. Options A and C are invalid because creating an IAM user and then sharing the IAM user credentials with the vendor is a direct 'NO' practise from a security perspective. For more information on sharing cloudtrail logs files, please visit the following URL https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharine-loes.htmll The correct answers are: Create an IAM Role in the company account Ensure the IAM Role has access for read-only to the S3 buckets

• Question 678:

  A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?

  Please select:

  A. Encrypt the EBS volumes of the underlying EC2 Instances
  B. Use AWS KMS Customer Default master key
  C. Use SSL/TLS for encrypting the data
  D. Use S3 Encryption
  B. Use AWS KMS Customer Default master key

  ---

  Explanation/Reference:

  The AWS Documentation mentions the following Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Servic (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys. Option A is invalid because its the cluster that needs to be encrypted Option C is invalid because this encrypts objects in transit and not objects at rest Option D is invalid because this is used only for objects in S3 buckets For more information on Redshift encryption, please visit the following URL: https://docs.aws.amazon.com/redshift/latest/memt/workine-with-db-encryption.htmll The correct answer is: Use AWS KMS Customer Default master key

• Question 679:

  A company recently deployed a new AWS account and wants to be notified immediately if a specific number of unauthorized AWS API requests are detected. A security engineer has turned on AWS CloudTrail for the account and is sending CloudTrail logs to Amazon CloudWatch.

  Which other action must the security engineer perform to receive automated alerts about unauthorized AWS API calls?

  A. Create a CloudWatch metric filter that looks for API call error codes. Configure an alarm that is based on that metric's rate to send an Amazon Simple Notification Service (Amazon SNS) notification when the threshold is exceeded.
  B. Configure CloudTrail to stream event data to Amazon Kinesis Data Streams. Configure an AWS Lambda function on the stream to initiate an alarm when the threshold is exceeded.
  C. Run an Amazon Athena SQL query against CloudTrail log files for unauthorized API requests. Use Amazon QuickSight to create an operational dashboard.
  D. Use the AWS Personal Health Dashboard to monitor the account's use of AWS services and to provide an alert if service error rates increase.
  C. Run an Amazon Athena SQL query against CloudTrail log files for unauthorized API requests. Use Amazon QuickSight to create an operational dashboard.

  ---

  Explanation/Reference:

  Reference: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

• Question 680:

  An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.

  Which steps should be taken to troubleshoot the issue? (Choose two.)

  A. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
  B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
  C. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
  D. Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
  E. Verify that the time zone on the application servers is in UTC.
  A. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
  B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.

  ---

  Explanation/Reference:

  EC2 run command - can run scripts, install software, collect metrics and log files, manage patches and more. Bringing these two services together - can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.