AWS SCS-C01 Certified Security Speciality Practice Exam Set 4

Your company has confidential documents stored in the simple storage service. Due to compliance


Options are :

  • Enable Cross region replication for the S3 bucket (Correct)
  • Create a snapshot of the S3 bucket and copy it to another region
  • Apply Multi-AZ for the underlying S3 bucket
  • Copy the data to an EBS Volume in another Region

Answer : Enable Cross region replication for the S3 bucket

You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?


Options are :

  • Create an S3 snapshot in the destination region
  • Enable cross region replication for the bucket (Correct)
  • Write a script to copy the objects to another bucket in the destination region
  • Enable versioning which will copy the objects to the destination region

Answer : Enable cross region replication for the bucket

You have enabled CloudTrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved? Please select:


Options are :

  • Enable Server side encryption for the trail
  • Enable SSL certificates for the CloudTrail logs
  • There is no need to do anything since the logs will already be encrypted (Correct)
  • Enable Server side encryption for the destination S3 bucket

Answer : There is no need to do anything since the logs will already be encrypted


A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually. What two methods can the security team use to rotate each key?


Options are :

  • Use the CLI or console to explicitly rotate an existing CMK
  • Import new key material to an existing CMK
  • Enable automatic key rotation for a CMK (Correct)
  • Import new key material to a new CMK. Point the key alias to the new CMK.
  • Delete an existing CMK and a new default CMK will be created

Answer : Enable automatic key rotation for a CMK

A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?


Options are :

  • Use Systems Manager Patch Manager to generate the report of out of compliance instances/servers. Redeploy all out of compliance instances/servers using an AMI with the latest patches.
  • Use Trusted Advisor to generate the report of out of compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
  • Use Systems Manager Patch Manager to generate the report of out of compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches. (Correct)
  • Use Amazon QuickSight and CloudTrail to generate the report of out of compliance instances/servers. Redeploy all out of compliance instances/servers using an AMI with the latest patches.

Answer : Use Systems Manager Patch Manager to generate the report of out of compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.

A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident. What steps should the team document in the plan?


Options are :

  • Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions. (Correct)
  • Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
  • Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
  • Use Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Answer : Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.


A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below. Please select:


Options are :

  • Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application (Correct)
  • Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
  • Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
  • Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic
  • Enable GuardDuty to block malicious traffic from reaching the application

Answer : Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application

A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also, all API calls must be stored for lookup purposes. Any log data older than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution. Please select:


Options are :

  • Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
  • Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
  • Enable CloudTrail logging in all accounts into Amazon Glacier
  • Enable CloudTrail logging in all accounts into S3 buckets (Correct)

Answer : Enable CloudTrail logging in all accounts into S3 buckets

Your company is planning on hosting an internal network in AWS. They want machines in the VPC to authenticate using private certificates. They want to minimize the work and maintenance in working with certificates. What is the ideal way to fulfill this requirement?


Options are :

  • Consider using AWS Access keys to generate the certificates
  • Consider using AWS Trusted Advisor for managing the certificates
  • Turn on VPC Flow Logs and carry out the penetration test (Correct)
  • Consider using Windows Server 2016 Certificate Manager

Answer : Turn on VPC Flow Logs and carry out the penetration test


You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you look to carry out immediately? Choose 3 answers from the options below. Please select:


Options are :

  • Rotate all IAM access keys (Correct)
  • Keep all resources running to avoid disruption
  • Change the password for all IAM users. (Correct)
  • Change the root account password.

Answer : Rotate all IAM access keys Change the password for all IAM users.

Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement?


Options are :

  • Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted access
  • Use AWS Inspector to inspect all the security Groups
  • Use the AWS Trusted Advisor to see which security groups have compromised access. (Correct)
  • Use AWS Config to see which security groups have compromised access.

Answer : Use the AWS Trusted Advisor to see which security groups have compromised access.

Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account?


Options are :

  • Create IAM Groups (Correct)
  • Restrict access using IAM policies
  • Delete the AWS keys for the root account
  • Create IAM Roles

Answer : Create IAM Groups


You have a set of keys defined using the AWS KMS service. You want to stop using a couple of keys, but are not sure which services are currently using the keys. Which of the following would be a safe option to stop the keys from being used further?


Options are :

  • Set an alias for the key
  • Disable the keys (Correct)
  • Delete the keys, since there is a 7 day waiting period before deletion anyway
  • Change the key material for the key

Answer : Disable the keys

An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below.


Options are :

  • A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443
  • A network ACL with a rule that allows outgoing traffic on port 443.
  • A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
  • A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
  • A security group with a rule that allows outgoing traffic on port 443
  • A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports (Correct)

Answer : A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports

A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets. What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below.


Options are :

  • Add a grant to the object's ACL giving full permissions to the bucket owner
  • Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
  • Encrypt the object with a KMS key controlled by the company.
  • Upload the file to the company's S3 bucket as an object (Correct)
  • Attach an IAM role to the bucket that grants the bucket owner full permissions to the object

Answer : Upload the file to the company's S3 bucket as an object


You want to launch an EC2 instance with your own key pair in AWS. How can you achieve this? Choose 2 answers from the options given below. Each option forms part of the solution.


Options are :

  • Import the public key pair into EC2 (Correct)
  • Import the private key pair into EC2 (Correct)
  • Use a third party tool to create the Key pair
  • Create a new key pair using the AWS CLI

Answer : Import the public key pair into EC2 Import the private key pair into EC2

Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved? Please select:


Options are :

  • Enable CloudWatch Logs
  • Use CloudWatch metrics
  • Enable logging on the KMS service
  • Enable a trail in CloudTrail (Correct)

Answer : Enable a trail in CloudTrail

You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below. Please select:


Options are :

  • Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name
  • Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. (Correct)
  • Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user.
  • Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront

Answer : Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.


A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved?


Options are :

  • Use the Secure Token service
  • Use IAM user policies
  • Use AWS Access Keys
  • Use Bucket policies (Correct)

Answer : Use Bucket policies

You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately? Please select:


Options are :

  • Remove the rule for incoming traffic on port 22 for the Security Group (Correct)
  • Change the AMI for the instance
  • Change the Instance type for the Instance
  • Shutdown the instance

Answer : Remove the rule for incoming traffic on port 22 for the Security Group

Which of the following is used as a secure way to log into an EC2 Linux Instance? Please select:


Options are :

  • Key pairs (Correct)
  • IAM User name and password
  • AWS Access keys
  • AWS SD keys

Answer : Key pairs


Your IT Security team has advised to carry out a penetration test on the resources in their company's AWS account. This is as part of their capability to analyze the security of the infrastructure. What should be done first in this regard? Please select:


Options are :

  • Submit a request to AWS Support (Correct)
  • Turn on VPC Flow Logs and carry out the penetration test
  • Use a custom AWS Marketplace solution for conducting the penetration test
  • Turn on CloudTrail and carry out the penetration test

Answer : Submit a request to AWS Support

You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?


Options are :

  • Save your API credentials in a public GitHub repository (Correct)
  • Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it. (Correct)
  • Pass API credentials to the instance using instance user data.
  • Save the API credentials to your PHP files.

Answer : Save your API credentials in a public GitHub repository Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.

A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security related messages. What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?


Options are :

  • Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena. One can send the log files to CloudWatch Logs. Log files can also be sent from on-premises servers. You can then specify metrics to search the logs for any specific values, and then create alarms based on these metrics.
  • Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics (Correct)
  • Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.
  • Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled CloudWatch event

Answer : Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics


You want to get a list of vulnerabilities for an EC2 instance as per the guidelines set by the Center for Internet Security. How can you go about doing this?


Options are :

  • Enable AWS GuardDuty for the instance
  • Use AWS Macie
  • Use AWS Trusted Advisor
  • Use AWS Inspector (Correct)

Answer : Use AWS Inspector

A security engineer must ensure that all infrastructure launched in the company AWS account is monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AMIs and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the engineer implement? Select 2 answers from the options given below.


Options are :

  • Set up a CloudWatch event based on Amazon Inspector findings
  • Trigger a Lambda function from a scheduled CloudWatch event that terminates noncompliant infrastructure. (Correct)
  • Set up a CloudWatch event based on Trusted Advisor metrics
  • Monitor compliance with AWS Config Rules triggered by configuration changes (Correct)
  • Trigger a CLI command from a CloudWatch event that terminates the infrastructure

Answer : Trigger a Lambda function from a scheduled CloudWatch event that terminates noncompliant infrastructure. Monitor compliance with AWS Config Rules triggered by configuration changes

Which of the following is not a best practice for carrying out a security audit? Please select:


Options are :

  • Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
  • Conduct an audit if application instances have been added to your account
  • Whenever there are changes in your organization
  • Conduct an audit on a yearly basis (Correct)

Answer : Conduct an audit on a yearly basis


An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?


Options are :

  • A VPN between the VPC and the data center
  • A VPN between the VPC and the data center over a Direct Connect connection (Correct)
  • A Direct Connect connection between the VPC and data center
  • Expose the data with a public HTTPS endpoint.

Answer : A VPN between the VPC and the data center over a Direct Connect connection

A company hosts a critical web application on the AWS Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDoS attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard?


Options are :

  • Consider using the AWS Shield Service
  • Consider using the AWS Shield Advanced Service (Correct)
  • Consider using CloudWatch Logs to monitor traffic for a DoS attack and quickly take actions on a trigger of a potential attack.
  • Consider using VPC Flow Logs to monitor traffic for a DoS attack and quickly take actions on a trigger of a potential attack

Answer : Consider using the AWS Shield Advanced Service

You want to ensure that you keep a check on the active EBS volumes, active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?


Options are :

  • AWS Trusted Advisor (Correct)
  • AWS EC2
  • AWS SNS
  • AWS CloudWatch

Answer : AWS Trusted Advisor
