AWS SCS-C01 Certified Security Speciality Practice Exam Set 1

A company developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan since its creation. Which of the following is a correct statement with regard to the plan? Please select:


Options are :

  • The response plan is complete in its entirety
  • It places too much emphasis on already implemented security controls.
  • The response plan does not cater to new services
  • The response plan is not implemented on a regular basis (Correct)

Answer : The response plan is not implemented on a regular basis


You work as an administrator for a company. The company hosts a number of resources using AWS. There is an incident of a suspicious API activity which occurred 11 days ago. The Security Admin has asked to get the API activity from that point in time. How can this be achieved?


Options are :

  • Search the CloudWatch logs to find the suspicious activity which occurred 11 days ago
  • Search the CloudWatch metrics to find the suspicious activity which occurred 11 days ago
  • Use AWS Config to get the API calls which were made 11 days ago.
  • Search the CloudTrail event history for the API events which occurred 11 days ago (Correct)

Answer : Search the CloudTrail event history for the API events which occurred 11 days ago

You have a requirement to conduct penetration testing on the AWS Cloud for a couple of EC2 Instances. How could you go about doing this? Choose 2 right answers from the options given below. Please select:


Options are :

  • Get prior approval from AWS for conducting the test (Correct)
  • Work with an AWS partner and no need for prior approval request from AWS
  • Use a pre-approved penetration testing tool. (Correct)
  • Choose any of the AWS instance type

Answer : Get prior approval from AWS for conducting the test Use a pre-approved penetration testing tool.

A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition, it should be ensured that objects are available in a second region if the primary one goes down. Which of the following can help fulfill these requirements? Choose 2 answers from the options given below. Please select:


Options are :

  • Enable the Bucket ACL and add a condition for { "Null": { "aws:MultiFactorAuthAge": true } }
  • Enable bucket versioning and enable Master Pays
  • For the Bucket policy add a condition for { "Null": { "aws:MultiFactorAuthAge": true } } (Correct)
  • Enable bucket versioning and also enable CRR

Answer : For the Bucket policy add a condition for { "Null": { "aws:MultiFactorAuthAge": true } }


You have a set of Customer keys created using the AWS KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of keys but are not able to do so. What could be the reason for this? Please select:


Options are :

  • You have not explicitly given access via the key policy (Correct)
  • You have not explicitly given access via the IAM policy
  • You have not given access via the IAM roles
  • You have not explicitly given access via IAM users

Answer : You have not explicitly given access via the key policy

A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below.


Options are :

  • Change the access keys for all IAM users (Correct)
  • Delete the access keys for the root account
  • Confirm MFA to a secure device (Correct)
  • Change the password for all IAM users
  • Change the password for the root account
  • Delete all custom created IAM policies (Correct)

Answer : Change the access keys for all IAM users Confirm MFA to a secure device Delete all custom created IAM policies

You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted?


Options are :

  • Create a new Customer Key using KMS and attach it to the existing volume
  • Request AWS Support to recover the key
  • Copy the data from the EBS volume before detaching it from the Instance (Correct)
  • Use AWS Config to recover the key

Answer : Copy the data from the EBS volume before detaching it from the Instance


You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers. Please select:


Options are :

  • Place the EC2 Instance with the Oracle database in a separate private subnet (Correct)
  • Create a database security group and ensure the web security group is allowed incoming access
  • Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication.
  • Ensure the database security group allows incoming traffic from 0.0.0.0/0

Answer : Place the EC2 Instance with the Oracle database in a separate private subnet

Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved? Please select:


Options are :

  • Create a bucket policy that allows the key to be accessed by only the S3 service.
  • Define an IAM user, allocate the key and then assign the permissions to the required service
  • Use the kms:ViaService condition in the Key policy (Correct)
  • Create an IAM policy that allows the key to be accessed by only the S3 service.

Answer : Use the kms:ViaService condition in the Key policy

A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?


Options are :

  • Ensure that the security group allows Inbound SSH traffic from the IT Administrator's workstation (Correct)
  • Ensure that the security group allows Outbound SSH traffic from the IT Administrator's workstation
  • Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's workstation
  • Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's workstation

Answer : Ensure that the security group allows Inbound SSH traffic from the IT Administrator's workstation


You currently have an S3 bucket hosted in an AWS Account. It holds information that needs to be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options. Please select:


Options are :

  • Ensure an IAM user is created which can be assumed by the partner account.
  • Provide the ARN for the role to the partner account (Correct)
  • Provide the Account Id to the partner account
  • Provide access keys for your account to the partner account
  • Ensure the partner uses an external Id when making the request (Correct)
  • Ensure an IAM role is created which can be assumed by the partner account. (Correct)

Answer : Provide the ARN for the role to the partner account. Ensure the partner uses an external Id when making the request. Ensure an IAM role is created which can be assumed by the partner account.

Your application currently uses customer keys which are generated via AWS KMS in the US east region. You now want to use the same set of keys from the EU-Central region. How can this be accomplished? Please select:


Options are :

  • Use the backing key from the US east region and use it in the EU-Central region (Correct)
  • Use key rotation and rotate the existing keys to the EU-Central region
  • This is not possible since keys from KMS are region specific
  • Export the key from the US east region and import them into the EU-Central region

Answer : Use the backing key from the US east region and use it in the EU-Central region

You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below. Please select:


Options are :

  • Check to see if the IAM user has the right permissions for EC2 (Correct)
  • Check to see if the right role has been assigned to the EC2 Instances (Correct)
  • Ensure that agent is running on the Instances. (Correct)
  • Check the Instance status by using the Health API.

Answer : Check to see if the IAM user has the right permissions for EC2. Check to see if the right role has been assigned to the EC2 Instances. Ensure that agent is running on the Instances.


You need to have a cloud security device which would allow you to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose?


Options are :

  • AWS managed keys (Correct)
  • AWS Customer Keys
  • AWS Cloud HSM
  • AWS KMS

Answer : AWS managed keys

You are responsible for deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for this application meet PCI compliance. There is also a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfill this requirement? Choose 2 answers from the options given below. Please select:


Options are :

  • Amazon VPC Flow Logs
  • AWS Config
  • Amazon CloudTrail (Correct)
  • Amazon CloudWatch Logs (Correct)

Answer : Amazon CloudTrail, Amazon CloudWatch Logs

An EC2 Instance hosts a Java based application that accesses a DynamoDB table. This EC2 Instance is currently serving production based users. Which of the following is a secure way of ensuring that the EC2 Instance accesses the DynamoDB table?


Options are :

  • Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
  • Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
  • Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
  • Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance (Correct)

Answer : Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance


An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?


Options are :

  • Access the data through an Internet Gateway.
  • Access the data through a VPN connection.
  • Access the data through a VPC endpoint for Amazon S3 (Correct)
  • Access the data through a NAT Gateway

Answer : Access the data through a VPC endpoint for Amazon S3

One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance? Select 2 answers from the options given below.


Options are :

  • Terminate the instance (Correct)
  • Create a separate forensic instance (Correct)
  • Remove the role applied to the EC2 Instance
  • Ensure that the security groups only allow communication to this forensic instance

Answer : Terminate the instance Create a separate forensic instance

You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly? Please select:


Options are :

  • Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. (Correct)
  • Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User
  • Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
  • Add the CloudFront account security group to the appropriate S3 bucket policy.

Answer : Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.


You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?


Options are :

  • Check the Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
  • Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.
  • Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group. (Correct)
  • Check the Outbound security rules for the database security group. Check both the Inbound and Outbound security rules for the application security group.

Answer : Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group.

You need to inspect the running processes on an EC2 Instance that may have a security issue. How can you achieve this in the easiest way possible? You also need to ensure that the process does not interfere with the continuous running of the instance. Please select:


Options are :

  • Use AWS Config to see the changed process information on the server
  • Use the SSM Run command to send the list of running processes information to an S3 bucket. (Correct)
  • Use AWS CloudWatch to record the processes running on the server
  • Use AWS CloudTrail to record the processes running on the server to an S3 bucket

Answer : Use the SSM Run command to send the list of running processes information to an S3 bucket.

A company is planning on extending their on-premise AWS Infrastructure to the AWS Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfill this requirement? Choose 2 answers from the options given below. Please select:


Options are :

  • AWS VPC Peering
  • AWS NAT gateways
  • AWS VPN (Correct)
  • AWS Direct Connect

Answer : AWS VPN


A company is planning to run a number of Admin related scripts using the AWS Lambda service. There is a need to understand if there are any errors encountered when the scripts run. How can this be accomplished in the most effective manner?


Options are :

  • Use CloudWatch metrics and logs to watch for errors (Correct)
  • Use the AWS Inspector service to monitor for errors
  • Use the AWS Config service to monitor for errors
  • Use CloudTrail to monitor for errors

Answer : Use CloudWatch metrics and logs to watch for errors

Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?


Options are :

  • Put the metadata in the S3 bucket itself.
  • Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time (Correct)
  • Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption
  • Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.

Answer : Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time

You need to ensure that the CloudTrail logs which are being delivered in your AWS account are encrypted. How can this be achieved in the easiest way possible?


Options are :

  • Enable S3-SSE for the underlying bucket which receives the log files
  • Don't do anything since CloudTrail logs are automatically encrypted. (Correct)
  • Enable KMS encryption for the logs which are sent to CloudWatch
  • Enable S3-KMS for the underlying bucket which receives the log files

Answer : Don't do anything since CloudTrail logs are automatically encrypted.


A company has resources hosted in their AWS Account. There is a requirement to monitor all API activity for all regions. The audit needs to be applied for future regions as well. Which of the following can be used to fulfill this requirement?


Options are :

  • Ensure CloudTrail for each region. Then enable for each future region.
  • Ensure one CloudTrail trail is enabled for all regions. (Correct)
  • Create a CloudTrail for each region. Use CloudFormation to enable the trail for all future regions.
  • Create a CloudTrail for each region. Use AWS Config to enable the trail for all future regions.

Answer : Ensure one CloudTrail trail is enabled for all regions.

You are trying to use the AWS Systems Manager run command on a set of Instances. The run command is not working on a set of Instances. What can you do to diagnose the issue? Choose 2 answers from the options given below


Options are :

  • Ensure the right AMI is used for the Instance
  • Ensure that the SSM agent is running on the target machine (Correct)
  • Ensure the security groups allow outbound communication for the Instance
  • Check the /var/log/amazon/ssm/errors.log file (Correct)

Answer : Ensure that the SSM agent is running on the target machine. Check the /var/log/amazon/ssm/errors.log file

A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to be encrypted at rest. How can this be achieved? Please select:


Options are :

  • Use AWS Access keys to encrypt the data
  • Enable server side encryption on the S3 bucket (Correct)
  • Enable MFA on the S3 bucket
  • Use SSL certificates to encrypt the data

Answer : Enable server side encryption on the S3 bucket


Your company currently has a set of EC2 Instances hosted in a VPC. The IT Security department is suspecting a possible DDoS attack on the instances. What can you do to zero in on the IP addresses which are receiving a flurry of requests?


Options are :

  • Use AWS Config to get the IP addresses accessing the EC2 Instances
  • Use VPC Flow logs to get the IP addresses accessing the EC2 Instances (Correct)
  • Use AWS Trusted Advisor to get the IP addresses accessing the EC2 Instances
  • Use AWS CloudTrail to get the IP addresses accessing the EC2 Instances

Answer : Use VPC Flow logs to get the IP addresses accessing the EC2 Instances

You are working for a company and have been allocated the task of ensuring that there is a federated authentication mechanism set up between AWS and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.


Options are :

  • Configure AWS as the relying party in Active Directory
  • Ensure the right match is in place for On-premise AD Groups and IAM Groups.
  • Configure AWS as the relying party in Active Directory Federation services (Correct)
  • Ensure the right match is in place for On-premise AD Groups and IAM Roles. (Correct)

Answer : Configure AWS as the relying party in Active Directory Federation services. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
