AWS SCS-C01 Certified Security Speciality Practice Exam Set 6

An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as a part of the policy? Please select:


Options are :

  • Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags (Correct)
  • Launch the test and production instances in separate regions and allow region-wise access to the group
  • Create an IAM policy with a condition which allows access to only small instances
  • Define the IAM policy which allows access based on the instance ID

Answer : Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags


The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page? Please select:


Options are :

  • "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource":
  • "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource": (Correct)
  • "Effect": "Allow", "Action": ["AccountUsage"], "Resource":
  • "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"

Answer : "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource":

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your on-premises servers will be communicating with your VPC instances. You will be establishing IPsec tunnels over the Internet. You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPsec tunnel as outlined above?


Options are :

  • Protection of data in transit over the Internet
  • Data encryption across the Internet (Correct)
  • End-to-end protection of data in transit
  • Peer identity authentication between VPN gateway and customer gateway
  • Data integrity protection across the Internet
  • End-to-end identity authentication

Answer : Data encryption across the Internet

In your LAMP application, you have some developers who say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below. Please select:


Options are :

  • Give root access to your Apache servers to the developers
  • Give read-only access to your developers to the Apache servers.
  • Give only the necessary access to the Apache servers so that the developers can gain access to the log files
  • Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access (Correct)

Answer : Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access


Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below. Please select:


Options are :

  • Use AWS KMS to encrypt the existing EBS volumes
  • Use Windows BitLocker for EBS volumes on Windows instances (Correct)
  • Enable encryption on existing EBS volumes
  • Use TrueEncrypt for EBS volumes on Linux instances (Correct)

Answer : Use Windows BitLocker for EBS volumes on Windows instances; Use TrueEncrypt for EBS volumes on Linux instances

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?


Options are :

  • Assign IAM users and groups configured with policies granting least privilege access
  • Configure MFA on the root account and for privileged IAM users
  • Create individual IAM users for everyone in your organization (Correct)
  • Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.5

Answer : Create individual IAM users for everyone in your organization

Your company is hosting a set of EC2 instances in AWS. They want to have the ability to detect if any port scans occur on their AWS EC2 instances. Which of the following can help in this regard? Please select:


Options are :

  • Use AWS GuardDuty to monitor any malicious port scans
  • Use AWS Inspector to consciously inspect the instances for port scans
  • Use AWS Trusted Advisor to notify of any malicious port scans (Correct)
  • Use AWS Config to notify of any malicious port scans

Answer : Use AWS Trusted Advisor to notify of any malicious port scans


Your IT Security team has identified a number of vulnerabilities across critical EC2 instances in the company AWS account. Which would be the easiest way to ensure these vulnerabilities are remediated? Please select:


Options are :

  • Use AWS CLI commands to download the updates and patch the servers.
  • Create AWS Lambda functions to download the updates and patch the servers.
  • Use AWS Inspector to patch the servers
  • Use AWS Systems Manager to patch the servers (Correct)

Answer : Use AWS Systems Manager to patch the servers

You are creating a Lambda function which will be triggered by a CloudWatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table? Please select:


Options are :

  • Use the AWS access keys which have access to DynamoDB and then place them in an S3 bucket
  • Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function (Correct)
  • Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.
  • Put the AWS access keys in the Lambda function since the Lambda function by default is secure

Answer : Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function

A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this? Please select:


Options are :

  • Use lifecycle policies for the EBS volumes
  • Use EBS Snapshots (Correct)
  • Use EBS volume encryption
  • Use EBS volume replication

Answer : Use EBS Snapshots


An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require that any outside access to their environment conform to the principle of least privilege, and that there be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?


Options are :

  • Create an IAM user within the enterprise account, assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
  • From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
  • Create an IAM role for cross-account access, allow the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application. (Correct)
  • Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.

Answer : Create an IAM role for cross-account access, allow the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.


You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?


Options are :

  • Enabling Proxy Protocol
  • Using S3 Server Side Encryption (SSE) to store the information (Correct)
  • Enabling sticky sessions on your load balancer
  • SSL termination on the ELB

Answer : Using S3 Server Side Encryption (SSE) to store the information

Your company has defined privileged users for their AWS Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?


Options are :

  • Enable versioning for these user accounts
  • Enable MFA for these user accounts (Correct)
  • Disable root access for the users
  • Enable accidental deletion for these user accounts

Answer : Enable MFA for these user accounts

There is a requirement for a company to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low latency and high consistency traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below. Please select:


Options are :

  • Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency
  • Provision a Direct Connect connection to an AWS region using a Direct Connect partner. (Correct)
  • Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency
  • Create a VPC peering connection between AWS and the Customer gateway.

Answer : Provision a Direct Connect connection to an AWS region using a Direct Connect partner.


Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?


Options are :

  • Use AWS Config SNS subscriptions and process events in real time.
  • Use CloudTrail Log File Integrity Validation. (Correct)
  • Use AWS Config timeline forensics.
  • Use CloudTrail backed up to AWS S3 and Glacier

Answer : Use CloudTrail Log File Integrity Validation.

Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the right way to set up the bastion host from a security perspective? Please select:


Options are :

  • A Bastion host should be on a private subnet and never a public subnet due to security concerns
  • A Bastion host should maintain extremely tight security and monitoring as it is available to the public
  • A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
  • A Bastion host is used to SSH into the internal network to access private resources without a VPN (Correct)

Answer : A Bastion host is used to SSH into the internal network to access private resources without a VPN

You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?


Options are :

  • Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Correct)
  • Create a new CloudTrail trail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use policies on the S3 bucket that stores your logs.
  • Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
  • Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management Console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Answer : Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.


Your company uses AWS to host its resources. They have the following requirements: 1) record all API calls and transitions; 2) help in understanding what resources are there in the account; 3) a facility to allow auditing of credentials and logins. Which services would suffice for the above requirements?


Options are :

  • CloudTrail, IAM Credential Reports, AWS SNS
  • CloudTrail, AWS Config, IAM Credential Reports (Correct)
  • AWS Inspector, CloudTrail, IAM Credential Reports
  • AWS SQS, IAM Credential Reports, CloudTrail

Answer : CloudTrail, AWS Config, IAM Credential Reports

You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.


Options are :

  • Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
  • Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user.
  • Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.
  • Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. (Correct)

Answer : Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

You have a set of 100 EC2 instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below. Please select:


Options are :

  • Use the AWS Inspector to patch the updates
  • Use the Systems Manager to patch the instances (Correct)
  • Ensure a NAT gateway is present to download the updates (Correct)
  • Ensure an Internet gateway is present to download the updates

Answer : Use the Systems Manager to patch the instances; Ensure a NAT gateway is present to download the updates


You have an EC2 instance with the following security configured: a. ICMP inbound allowed on Security Group; b. ICMP outbound not configured on Security Group; c. ICMP inbound allowed on Network ACL; d. ICMP outbound denied on Network ACL. If flow logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.


Options are :

  • An ACCEPT record for the request based on the Security Group (Correct)
  • A REJECT record for the response based on the Security Group
  • A REJECT record for the response based on the NACL (Correct)
  • An ACCEPT record for the request based on the NACL

Answer : An ACCEPT record for the request based on the Security Group; A REJECT record for the response based on the NACL

Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account? Please select:


Options are :

  • Use short but complex password on the root account and any administrators
  • Don't write down or remember the root account password after creating the AWS account
  • Use MFA on all users and accounts, especially on the root account. (Correct)
  • Use AWS IAM Geo.Lock and disallow anyone from logging in except for in your city.

Answer : Use MFA on all users and accounts, especially on the root account.

There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?


Options are :

  • Add a rule to all of the VPC Security Groups to deny access from the IP address block.
  • Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
  • Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block. (Correct)
  • Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.

Answer : Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.


Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security groups attached to them. You need to ensure that changes to the security groups are noted and acted on accordingly. How can you achieve this?


Options are :

  • Use CloudWatch metrics to monitor the activity on the Security Groups. Use filters to search for the
  • Use CloudWatch Events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
  • Use CloudWatch Logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
  • Use AWS Inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification. (Correct)

Answer : Use AWS Inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this? Please select:


Options are :

  • Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
  • Use a Lambda function to encrypt the data before sending it to the S3 bucket
  • Use the AWS Encryption CLI to encrypt the data first (Correct)
  • Enable client side encryption for the S3 bucket

Answer : Use the AWS Encryption CLI to encrypt the data first

Your company works in the gaming domain and hosts several EC2 instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDoS attacks on the EC2 instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers? Please select:


Options are :

  • Use VPC Flow logs to monitor the VPC and then implement NACLs to mitigate attacks
  • Use AWS Inspector to protect the EC2 instances
  • Use AWS Shield Advanced to protect the EC2 instances (Correct)
  • Use AWS Trusted Advisor to protect the EC2 instances

Answer : Use AWS Shield Advanced to protect the EC2 instances


You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?


Options are :

  • Add an IAM role for the user
  • Add an AWS managed policy for the user
  • Add an inline policy for the user (Correct)
  • Add a service policy for the user

Answer : Add an inline policy for the user

A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?


Options are :

  • Create an S3 bucket policy with unlimited access which includes each user's AWS account ID
  • Create a new role and add each user to the IAM role
  • Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group (Correct)
  • Create a policy and apply it to multiple users using a JSON script

Answer : Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group

Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this? Please select:


Options are :

  • Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.
  • Use the application to rotate the keys every 2 months via the SDK
  • Use a script to query the creation date of the keys. If older than 2 months, create a new access key and all applications to use it, inactivate the old key and delete it. (Correct)
  • Delete the user associated with the keys after every 2 months. Then recreate the user again.

Answer : Use a script to query the creation date of the keys. If older than 2 months, create a new access key and all applications to use it, inactivate the old key and delete it.


Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPCs in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement?


Options are :

  • Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs
  • Set up VPC peering between the central server VPC and each of the teams' VPCs. (Correct)
  • Set up an IPsec tunnel between the central server VPC and each of the teams' VPCs.
  • None of the above options will work.

Answer : Set up VPC peering between the central server VPC and each of the teams' VPCs.
