SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 71:

    A development team recently deployed a Java application on a default AWS Elastic Beanstalk environment. The application is unable to connect to an Amazon S3 bucket that has a default configuration in the same account. What should a security engineer do to troubleshoot this issue?

    A. Confirm that the Elastic Beanstalk service role has access to Amazon S3.
    B. Confirm that the Elastic Beanstalk instance profile has access to Amazon S3.
    C. Confirm that the AWSElasticBeanstalkFullAccess managed policy is attached to the Elastic Beanstalk environment.
    D. Confirm that the S3 bucket policy allows access from the Elastic Beanstalk application ARN.

  • Question 72:

    An employee keeps terminating EC2 instances in the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below.

    Please select:

    A. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
    B. Tag the instance with a production-identifying tag and modify the employee's group to allow only start, stop, and reboot API calls and not the terminate instance call.
    C. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
    D. Modify the IAM policy on the user to require MFA before deleting EC2 instances

  • Question 73:

    You have a requirement to serve up private content using the keys available with CloudFront. How can this be achieved?

    Please select:

    A. Add the keys to the backend distribution.
    B. Add the keys to the S3 bucket
    C. Create pre-signed URLs
    D. Use AWS Access keys

  • Question 74:

    A security engineer needs to configure monitoring and auditing for AWS Lambda.

    Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)

    A. Use AWS Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
    B. Use AWS CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.
    C. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
    D. Use AWS Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
    E. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.

  • Question 75:

    A user is implementing a third-party web application on an Amazon EC2 instance. All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance. Communication to the instance must be over port 80. Company policy requires that workloads reside in private subnets.

    Which solution meets these requirements?

    A. Create an Application Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
    B. Allocate an Elastic IP address that has SSL termination activated. Associate the Elastic IP address with the instance on port 80.
    C. Create a Gateway Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
    D. Implement a Network Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.

  • Question 76:

    A company requires that IP packet data be inspected for invalid or malicious content.

    Which of the following approaches achieve this requirement? (Choose two.)

    A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
    B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
    C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
    D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
    E. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

  • Question 77:

    A security engineer needs to implement automation for AWS resources at scale. The goal is to block traffic to and from suspicious remote hosts by specifying IP addresses that are associated with known command and control servers for botnets. The security engineer is using AWS Step Functions to orchestrate the solution.

    What should the security engineer do to meet these requirements?

    A. Use Amazon GuardDuty to detect suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS WAF web ACL rule to block the traffic.
    B. Use Amazon GuardDuty to detect suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS Network Firewall rule group to block the traffic.
    C. Use Amazon Inspector to detect suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS WAF web ACL rule to block the traffic.
    D. Use Traffic Mirroring. Direct the mirrored traffic to an Amazon EC2 instance that has the Amazon Inspector agent configured to search for suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS Network Firewall rule group to block the traffic.

  • Question 78:

    A security engineer needs to ensure their company's use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used.

    Which solution meets these requirements?

    A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
    B. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.
    C. Set up a rule in AWS Config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
    D. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

  • Question 79:

    A company wants to have an intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?

    Please select:

    A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
    B. Use a custom solution available in the AWS Marketplace
    C. Use VPC Flow logs to detect the issues and flag them accordingly.
    D. Use AWS CloudWatch to monitor all traffic

  • Question 80:

    A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user's IAM permissions in the case of a security incident. How can this be accomplished?

    A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
    B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
    C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.
    D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
