AWS SCS-C01 Certified Security Specialty Practice Exam Set 2

How can you ensure that instances in a VPC do not use the Amazon-provided DNS for resolving DNS requests? You want to use your own managed DNS server instead. How can this be achieved?


Options are :

  • Create a new DHCP options set and replace the existing one (Correct)
  • Change the route table for the VPC
  • Change the subnet configuration to allow DNS requests from the new DNS server
  • Change the existing DHCP options set

Answer : Create a new DHCP options set and replace the existing one (a DHCP options set cannot be modified once created; create a new one whose domain-name-servers entry points at your DNS server and associate it with the VPC. Route tables and subnet settings do not control which resolver instances are handed.)

You have a requirement to store objects in an S3 bucket with an encryption key that is automatically managed and rotated. Which of the following can be used for this purpose?


Options are :

  • Amazon S3 server-side encryption with S3-managed keys (SSE-S3) (Correct)
  • AWS KMS
  • AWS CloudHSM
  • Customer-provided keys (SSE-C)

Answer : Amazon S3 server-side encryption with S3-managed keys (SSE-S3). S3 generates, manages and rotates these keys with no key management on your side; with KMS, CloudHSM or customer-provided keys, part of the key lifecycle stays with you.

Your company manages thousands of EC2 instances. There is a mandate to ensure that no server has any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.


Options are :

  • Use Amazon Inspector to assess the servers for critical findings (Correct)
  • Use AWS Systems Manager (SSM) Patch Manager to patch the servers (Correct)
  • Use Amazon Inspector to patch the servers
  • Use AWS Config to ensure that the servers have no critical flaws.

Answer : Use Amazon Inspector to assess the servers for critical findings. Use AWS Systems Manager Patch Manager to patch the servers. (Inspector only reports findings, it does not remediate them; AWS Config records configuration state, not vulnerabilities. The question asks for two answers, so assessment plus patching is the complete control.)

Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premises LDAP (Lightweight Directory Access Protocol) directory service?


Options are :

  • Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP (Correct)
  • Use an IAM policy that references the LDAP account identifiers and the AWS credentials
  • Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
  • Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.

Answer : Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP. An on-premises identity provider (for example AD FS) authenticates users against the directory and issues SAML assertions that AWS STS exchanges for temporary credentials. A custom identity broker calling STS also works, but SAML federation is the standard, supported integration and the one the exam expects.

Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data must be encrypted at rest. What is the easiest way to accomplish this for DynamoDB?


Options are :

  • Encrypt the table using AWS KMS after it is created
  • Use S3 buckets to encrypt the data before sending it to DynamoDB
  • Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
  • Encrypt the DynamoDB table using KMS during its creation (Correct)

Answer : Encrypt the DynamoDB table using KMS during its creation. (Note that DynamoDB now encrypts every table at rest by default with an AWS-owned key, and the key type can be switched after creation; the exam answer is still to select the KMS key when the table is created. Client-side encryption through the SDK works but is not the easiest option.)

Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?


Options are :

  • Adding a bucket policy on the S3 bucket.
  • Enabling CORS on the S3 bucket.
  • Configuring lifecycle configuration rules on the S3 bucket (Correct)
  • Creating an IAM policy for the S3 bucket.

Answer : Configuring lifecycle configuration rules on the S3 bucket (an expiration rule that deletes objects 30 days after creation). Bucket and IAM policies control access, not retention, and CORS governs cross-origin browser requests.

A company is using an Amazon Redshift cluster for its data warehouse. There is a requirement from the internal IT security team to ensure that the data in the Redshift database is encrypted. How can this be achieved?


Options are :

  • Enable cluster encryption with an AWS KMS customer master key (the default key or a customer-managed one) (Correct)
  • Use SSL/TLS for encrypting the data
  • Use S3 encryption
  • Encrypt the EBS volumes of the underlying EC2 instances

Answer : Enable cluster encryption with an AWS KMS customer master key. Encryption at rest is selected when the cluster is launched (or applied later by modifying the cluster, which re-encrypts it); SSL/TLS only protects data in transit, S3 encryption covers S3 objects rather than the cluster, and the EBS volumes of a managed Redshift cluster are not yours to encrypt.

You have a requirement to serve private content from CloudFront using CloudFront key pairs. How can this be achieved?


Options are :

  • Add the keys to the backend distribution.
  • Add the keys to the S3 bucket
  • Create pre-signed URLs (Correct)
  • Use AWS access keys

Answer : Create pre-signed URLs (CloudFront calls them signed URLs, or signed cookies for many files). The URL is signed with the private key of a CloudFront key pair; CloudFront holds the matching public key in a trusted key group and rejects requests whose signature or expiry does not check out. AWS access keys and the S3 bucket play no part in this.

A Windows machine in one VPC needs to join the Active Directory domain hosted in another VPC. VPC peering has been established, but the domain join is not working. What other step needs to be followed to ensure that the AD domain join works as intended?


Options are :

  • Change the VPC peering connection to a Direct Connect connection
  • Change the VPC peering connection to a VPN connection
  • Ensure the security groups for the subnet hosting AD have the right rules for the relevant subnets (Correct)
  • Ensure that the AD is placed in a public subnet

Answer : Ensure the security groups for the subnet hosting AD have the right rules for the relevant subnets. Peering only provides the route; the domain controllers' security groups (and any NACLs) must still admit the AD ports from the peer VPC's CIDR, and the joining machine must resolve the domain through the AD DNS servers. Direct Connect, a VPN or a public subnet do not address the blocked traffic.

One of your company's EC2 instances has been compromised. The company has strict policies and needs a thorough investigation to find the culprit behind the security breach. What would you do in this case? Choose 3 answers from the options given below.


Options are :

  • Isolate the machine from the network
  • Ensure that all access keys are rotated. (Correct)
  • Take a snapshot of the EBS volume (Correct)
  • Make sure that logs are stored securely for auditing and troubleshooting purposes
  • Ensure all passwords for all IAM users are changed (Correct)

Answer : Ensure that all access keys are rotated. Take a snapshot of the EBS volume. Ensure all passwords for all IAM users are changed. (The exam key emphasises credential rotation and evidence capture; in practice, isolating the instance with a restrictive security group and preserving logs are also standard first steps, and the snapshot should be taken before any change that could destroy evidence.)

When you enable automatic key rotation for an existing customer master key (CMK) whose key material was generated by AWS KMS, how often is the backing key rotated?


Options are :

  • After 3 years
  • After 365 days (Correct)
  • After 128 days
  • After 30 days

Answer : After 365 days. Automatic rotation of a customer-managed CMK with KMS-generated key material creates a new backing key yearly; the previous backing keys are retained so data encrypted under them still decrypts. (AWS-managed keys were rotated every three years when this exam was written and are now rotated yearly as well.)

Your company has a set of EC2 instances placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 instances must be secure. How would you accomplish this?


Options are :

  • Use a Classic Load Balancer and terminate the SSL connection at the EC2 instances (Correct)
  • Use an Application Load Balancer and terminate the SSL connection at the ELB
  • Use a Classic Load Balancer and terminate the SSL connection at the ELB
  • Use an Application Load Balancer and terminate the SSL connection at the EC2 instances

Answer : Use a Classic Load Balancer and terminate the SSL connection at the EC2 instances. A Classic Load Balancer with a TCP listener passes the encrypted stream through unchanged, so a non-HTTP legacy protocol stays encrypted end to end; an Application Load Balancer only understands HTTP/HTTPS, and terminating at the ELB would leave the hop to the instances in the clear unless it were re-encrypted.

Your IT security department has mandated that all data on EBS volumes created for EC2 instances must be encrypted. Which of the following can help achieve this?


Options are :

  • IAM access key
  • AWS Certificate Manager
  • API Gateway with STS
  • AWS KMS API (Correct)

Answer : AWS KMS API. EBS encryption uses a KMS key (the AWS-managed aws/ebs key or a customer-managed one) for the volume's data key; enabling EBS encryption by default for the region makes every new volume encrypted without per-volume action. Certificate Manager, STS and access keys do not encrypt storage.

You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud but rather at the client's data center, due to security risks. Which of the following solutions would best assure that the client's requirements are met? Choose the correct answer from the options below.


Options are :

  • Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection that uses IPsec. (Correct)
  • Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
  • Build the application server on a public subnet and the database on a private subnet with a secure SSH connection to the private subnet from the client's data center.
  • Use the public subnet for the application server and use RDS with a Storage Gateway to access and synchronize the data securely from the local data center

Answer : Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection that uses IPsec. Only this option keeps the database on premises; the other three host it in AWS (in a private subnet or in RDS), which violates the requirement regardless of how the connection is secured.

Your company has a set of EC2 instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for security threats. How can this be achieved? Choose 2 answers from the options given below.


Options are :

  • Use network access control list logging
  • Use a host-based intrusion detection system (Correct)
  • Use a third-party firewall installed on a central EC2 instance (Correct)
  • Use VPC Flow Logs

Answer : Use a host-based intrusion detection system. Use a third-party firewall installed on a central EC2 instance. Both see the packet payload, which is what inspection requires; network ACLs have no logging feature, and VPC Flow Logs record only 5-tuple metadata and byte counts, never the packet contents.

Your team is designing a web application. The users of this web application need to sign in via an external identity provider such as Facebook or Google. Which of the following AWS services would you use for authentication?


Options are :

  • Amazon Cognito (Correct)
  • AWS Config
  • AWS IAM
  • AWS SAML

Answer : Amazon Cognito. Cognito user pools and identity pools federate with social identity providers such as Facebook and Google and issue the application's tokens and AWS credentials; IAM is for AWS principals rather than application users, SAML is a protocol rather than a service, and AWS Config records resource configuration.

You are devising a policy to allow users to access objects in a bucket called appbucket. You define the custom bucket policy below (the Principal element is cut off in the original):

    {
      "Id": "Policy1502987489630",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1502987487640",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::appbucket",
          "Principal": ...
        }
      ]
    }

But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error?


Options are :

  • Verify that the policy has the same name as the bucket name. If not, make it the same
  • Change the IAM permissions by applying PutBucketPolicy permissions.
  • Create the bucket "appbucket" and then apply the policy.
  • Change the Resource section to arn:aws:s3:::appbucket/* (Correct)

Answer : Change the Resource section to arn:aws:s3:::appbucket/*. s3:GetObject and s3:GetObjectVersion are object-level actions, so they only apply to object ARNs (bucket/key or bucket/*); the bare bucket ARN matches no object, which is exactly what the error says. Policy names, bucket existence and PutBucketPolicy permissions would produce different errors.
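The resource-shape rule behind that error, as an added example that is not part of the practice exam: a small Python linter that flags object-level actions paired with a bare bucket ARN (and the reverse), and rewrites the Resource element so the statement applies. The action tables are a hand-picked subset of S3's action list and the principal is a made-up account; both are assumptions of this example.

```python
"""Added example, not part of the practice exam: reproduce the S3 check behind
"Action does not apply to any resource(s) in statement" and fix the Resource.

Object-level actions (s3:GetObject, s3:PutObject, ...) match only object ARNs,
arn:aws:s3:::bucket/key or bucket/*; bucket-level actions (s3:ListBucket,
s3:GetBucketLocation, ...) match only the bucket ARN arn:aws:s3:::bucket.
The action sets below are a hand-picked subset (assumption), not the full table.
"""
import json
import re

OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
                  "s3:DeleteObject", "s3:GetObjectAcl", "s3:PutObjectAcl"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
                  "s3:GetBucketPolicy", "s3:PutBucketPolicy"}

BUCKET_ARN = re.compile(r"^arn:aws:s3:::([^/]+)$")
OBJECT_ARN = re.compile(r"^arn:aws:s3:::([^/]+)/(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_kind(arn):
    if OBJECT_ARN.match(arn):
        return "object"
    if BUCKET_ARN.match(arn):
        return "bucket"
    return "unknown"


def lint_statement(stmt):
    """Problems for one statement; an empty list means S3 would accept it."""
    problems = []
    kinds = {arn_kind(r) for r in _as_list(stmt.get("Resource", []))}
    for action in _as_list(stmt.get("Action", [])):
        if action.endswith("*"):
            continue                      # wildcard actions match either ARN shape
        if action in OBJECT_ACTIONS and "object" not in kinds:
            problems.append(f"{action} needs an object ARN (bucket/*), got {sorted(kinds)}")
        elif action in BUCKET_ACTIONS and "bucket" not in kinds:
            problems.append(f"{action} needs the bare bucket ARN, got {sorted(kinds)}")
    return problems


def lint_policy(policy):
    return [p for stmt in _as_list(policy["Statement"]) for p in lint_statement(stmt)]


def fix_resources(policy):
    """Return a copy whose statements carry the ARN shape their actions need:
    bucket/* for object actions, the bare bucket ARN for bucket actions, and
    both for a statement that mixes the two kinds."""
    fixed_policy = json.loads(json.dumps(policy))          # deep copy, input untouched
    for stmt in _as_list(fixed_policy["Statement"]):
        actions = set(_as_list(stmt.get("Action", [])))
        need_object = bool(actions & OBJECT_ACTIONS)
        need_bucket = bool(actions & BUCKET_ACTIONS)
        if not (need_object or need_bucket):
            continue                                       # only wildcards: nothing to fix
        resources = set()
        for arn in _as_list(stmt.get("Resource", [])):
            match = BUCKET_ARN.match(arn) or OBJECT_ARN.match(arn)
            if match is None:
                resources.add(arn)                         # not an S3 ARN we understand
                continue
            bucket = match.group(1)
            if need_bucket:
                resources.add(f"arn:aws:s3:::{bucket}")
            if need_object:
                resources.add(arn if arn_kind(arn) == "object" else f"arn:aws:s3:::{bucket}/*")
        stmt["Resource"] = sorted(resources)
    return fixed_policy


# The exam's policy, with an assumed (made-up) account as the principal.
BROKEN_POLICY = {
    "Id": "Policy1502987489630",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1502987487640",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::appbucket",              # bucket ARN: wrong for object actions
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    }],
}

if __name__ == "__main__":
    for problem in lint_policy(BROKEN_POLICY):
        print("error:", problem)
    print(json.dumps(fix_resources(BROKEN_POLICY), indent=2))
```

A statement that grants both s3:ListBucket and s3:GetObject is the common real-world case of this error: it needs both ARNs, and the fixer emits both rather than silently dropping one.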

You need to create a Linux EC2 instance in AWS. Which of the following steps ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.


Options are :

  • Ensure a strong password is created for logging into the EC2 instance (Correct)
  • Use the private key to log into the instance (Correct)
  • Ensure the password is passed securely using SSL
  • Create a key pair using PuTTY

Answer : Ensure a strong password is created for logging into the EC2 instance. Use the private key to log into the instance. (The key pair is generated by EC2, not by PuTTY; on Windows you convert the downloaded .pem file to .ppk with PuTTYgen and point PuTTY at it. Linux AMIs disable password SSH login by default, so the private key is the credential that actually matters, and a passphrase on that key is the "strong password" worth having.)

You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA-authenticated. Which of the following would best match this requirement?


Options are :

  • {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*", "Condition": {"aws:MultiFactorAuthPresent": true}}}
  • {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}}} (Correct)
  • {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": false}}}}
  • {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*", "Condition": {"aws:MultiFactorAuthPresent": false}}}

Answer : The second option: the Condition must use the Bool operator with aws:MultiFactorAuthPresent set to true. The first and fourth options are malformed, because a Condition block's top-level keys must be operators such as Bool, not condition keys; the third option would grant the listing only when MFA is absent, the opposite of the requirement.

In order to encrypt data in transit for a connection to an Amazon RDS instance, which of the following would you implement?


Options are :

  • Data keys from CloudHSM
  • Transparent data encryption
  • Data keys from AWS KMS
  • SSL/TLS from your application (Correct)

Answer : SSL/TLS from your application. RDS provisions a server certificate for each instance; the client connects with TLS and validates it against the RDS CA bundle, and the database can be configured to refuse unencrypted sessions (for MySQL, the require_secure_transport parameter). KMS and CloudHSM data keys and transparent data encryption protect data at rest, not the connection.

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored in the S3 bucket. How should the Lambda function be given access to the DynamoDB table?


Options are :

  • Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
  • Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
  • Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables
  • Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function. (Correct)

Answer : Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function. The execution role gives the function short-lived credentials automatically; long-lived IAM user access keys in environment variables are the anti-pattern the question is testing for, and a VPC endpoint changes the network path, not the permissions.

An employee keeps terminating EC2 instances in the production environment. You've determined that the best way to ensure this doesn't happen is to add an extra layer of defence against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below.


Options are :

  • Modify the IAM policy on the user to require MFA before deleting EC2 instances
  • Tag the instance with a production-identifying tag and modify the employee's group to allow only the start, stop and reboot API calls, not the terminate instance call. (Correct)
  • Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call for instances with the production tag. (Correct)
  • Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access for the employee

Answer : Tag the instance with a production-identifying tag and restrict the employee's group to the start, stop and reboot API calls, without ec2:TerminateInstances. Tag the instance and add an explicit deny on ec2:TerminateInstances conditioned on the production tag (ec2:ResourceTag/<key>). Both remove the permission; an explicit deny cannot be overridden by any allow attached elsewhere. The MFA options only add friction, and "disable MFA access" would make the MFA requirement unsatisfiable for legitimate use too.
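The evaluation logic behind the MFA question and this terminate-protection question, as an added example that is not part of the practice exam: a miniature IAM policy evaluator in Python covering just the rules the two questions turn on. An explicit Deny always beats an Allow, a request is denied unless some statement allows it, and a Condition is only honoured when written with an operator (Bool, StringEquals) wrapping the condition key. The operator set is a deliberately small subset of IAM, and the account ID, instance ID and tag values are made up; all of that is assumption.

```python
"""Added example, not part of the practice exam: a toy IAM policy evaluator.

Covers: default deny, explicit deny overrides allow, the Bool and StringEquals
condition operators, and the rule that Condition keys must be operators.
Assumption: this is a subset of IAM (no NotAction, no policy variables, no
...IfExists operators, no resource-based policies).
"""
import fnmatch

OPERATORS = {
    "Bool": lambda have, want: str(have).lower() == str(want).lower(),
    "StringEquals": lambda have, want: str(have) == str(want),
    "StringNotEquals": lambda have, want: str(have) != str(want),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_is_wellformed(policy):
    """IAM rejects a Condition whose top-level keys are condition keys instead of
    operators: {"Condition": {"aws:MultiFactorAuthPresent": true}} is malformed,
    {"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}} is valid."""
    for stmt in _as_list(policy["Statement"]):
        for op in stmt.get("Condition", {}):
            if op not in OPERATORS:
                return False
    return True


def _condition_matches(condition, context):
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:              # absent key: condition is false
                return False
            if not any(OPERATORS[op](context[key], w) for w in _as_list(wanted)):
                return False
    return True


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request against a list of identity policies."""
    for policy in policies:
        if not policy_is_wellformed(policy):
            raise ValueError("malformed Condition block: top-level keys must be operators")
    decision = "Deny"                           # implicit deny until an Allow matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                   # explicit deny overrides any Allow
            decision = "Allow"
    return decision


# The MFA question's policy in its valid Bool form, and the malformed distractor.
MFA_LIST_BUCKETS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
                  "Resource": "arn:aws:s3:::*",
                  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
}
MFA_LIST_BUCKETS_MALFORMED = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
                  "Resource": "arn:aws:s3:::*",
                  "Condition": {"aws:MultiFactorAuthPresent": "true"}},
}

# The terminate-protection question: broad Allow plus a tag-scoped explicit Deny.
PROD_TERMINATE_GUARD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances",
                    "ec2:RebootInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "production"}}},
    ],
}

INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # made up

if __name__ == "__main__":
    print(evaluate([MFA_LIST_BUCKETS], "s3:ListAllMyBuckets", "arn:aws:s3:::*",
                   {"aws:MultiFactorAuthPresent": "false"}))               # Deny
    print(evaluate([PROD_TERMINATE_GUARD], "ec2:TerminateInstances", INSTANCE,
                   {"ec2:ResourceTag/Environment": "production"}))         # Deny
```

Note the gap the last test exposes: an instance that has no Environment tag at all is still terminable under PROD_TERMINATE_GUARD, because the deny's condition never matches. Tag-based guards are only as good as the tagging discipline (or a deny on ec2:CreateTags/DeleteTags that stops the employee from removing the tag).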

A company is hosting a website that must be accessible to users over HTTPS. Port 22 should also be open for administrative purposes. Which of the following security group configurations are the MOST secure while still supporting these requirements? Choose 2 answers from the options given below.


Options are :

  • Port 443 coming from 10.0.0.0/16
  • Port 22 coming from 0.0.0.0/0
  • Port 443 coming from 0.0.0.0/0 (Correct)
  • Port 22 coming from 10.0.0.0/16 (Correct)

Answer : Port 443 coming from 0.0.0.0/0. Port 22 coming from 10.0.0.0/16. HTTPS has to be reachable by the public, so 443 must be open to the world; SSH is restricted to the internal address range (or a bastion) rather than exposed to the whole internet.

A DevOps team is currently looking at the security aspect of their CI/CD pipeline. They are making use of AWS resources for their infrastructure. They want to ensure that the EC2 instances don't have any high-severity security vulnerabilities, as part of a complete DevSecOps process. How can this be achieved?


Options are :

  • Use the Amazon Inspector APIs in the pipeline for the EC2 instances (Correct)
  • Use AWS security groups to ensure no vulnerabilities are present
  • Use AWS Config to check the state of the EC2 instances for any sort of security issues.
  • Use the AWS Trusted Advisor APIs in the pipeline for the EC2 instances

Answer : Use the Amazon Inspector APIs in the pipeline for the EC2 instances. The pipeline can start an Inspector assessment and fail the build on high-severity findings; security groups and Config do not scan for vulnerabilities, and Trusted Advisor checks account-level best practices rather than packages on an instance.

You have a website sitting behind Amazon CloudFront. You need to protect the website against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario?


Options are :

  • AWS Config
  • Amazon Inspector
  • AWS Trusted Advisor
  • AWS WAF (Correct)

Answer : AWS WAF. A web ACL with SQL injection and cross-site scripting match rules (or the managed rule groups) is attached to the CloudFront distribution and blocks matching requests before they reach the origin. Config, Inspector and Trusted Advisor do not inspect HTTP requests.

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT security department suspects that a DDoS attack is coming from a suspect IP address. How can you protect the subnets from this attack?


Options are :

  • Change the outbound NACL to deny access from the suspect IP
  • Change the outbound security groups to deny access from the suspect IP
  • Change the inbound security groups to deny access from the suspect IP
  • Change the inbound NACL to deny access from the suspect IP (Correct)

Answer : Change the inbound NACL to deny access from the suspect IP. Security groups only have allow rules and cannot deny a specific source; a NACL is evaluated in rule-number order, so an inbound deny for the address numbered below the default rule 100 allow drops the traffic at the subnet boundary. For a real volumetric DDoS, AWS Shield and WAF in front of the application are the appropriate controls rather than hand-maintained NACL entries.
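How a NACL and a security group each decide on an inbound packet, as an added example that is not part of the practice exam, serving both this question and the HTTPS/SSH security-group question above. The Python below simulates the two evaluation models: a NACL is an ordered list evaluated lowest rule number first, stopping at the first match, and it can deny; a security group is an unordered set of allow rules with no deny at all. The addresses, ports and rule numbers are made up.

```python
"""Added example, not part of the practice exam: NACL vs security group decisions.

A NACL is stateless and ordered: rules are tried in ascending number and the
first match wins, with an implicit '*' deny at the end. A security group is a
set of Allow rules: if any rule covers the packet it is admitted, and there is
no way to write a Deny. All CIDRs, ports and rule numbers here are made up.
"""
import ipaddress


def _rule_covers(rule, src_ip, dst_port, proto):
    if rule["proto"] not in (proto, "all"):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["cidr"]):
        return False
    low, high = rule["ports"]
    return low <= dst_port <= high


def nacl_decision(rules, src_ip, dst_port, proto="tcp"):
    """First matching rule wins (ascending rule number); returns (action, rule number)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _rule_covers(rule, src_ip, dst_port, proto):
            return rule["action"], rule["num"]
    return "deny", "*"                         # the implicit catch-all deny


def sg_decision(rules, src_ip, dst_port, proto="tcp"):
    """Any matching Allow rule admits the packet; a security group has no Deny."""
    for rule in rules:
        if _rule_covers(rule, src_ip, dst_port, proto):
            return "allow"
    return "deny"                              # nothing allowed it


# Default NACL of a VPC: rule 100 allows everything, then the '*' deny.
DEFAULT_NACL = [
    {"num": 100, "proto": "all", "cidr": "0.0.0.0/0", "ports": (0, 65535), "action": "allow"},
]
SUSPECT = "198.51.100.7"                                          # made-up attacker address
BLOCK_SUSPECT = {"num": 50, "proto": "all", "cidr": f"{SUSPECT}/32",
                 "ports": (0, 65535), "action": "deny"}            # below 100: takes effect
BLOCK_TOO_LATE = dict(BLOCK_SUSPECT, num=200)                     # above 100: never reached

# Security group from the HTTPS/SSH question: 443 from anywhere, 22 only from the VPC.
WEB_SG = [
    {"proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)},
    {"proto": "tcp", "cidr": "10.0.0.0/16", "ports": (22, 22)},
]

if __name__ == "__main__":
    print(nacl_decision(DEFAULT_NACL + [BLOCK_SUSPECT], SUSPECT, 3306))    # ('deny', 50)
    print(nacl_decision(DEFAULT_NACL + [BLOCK_TOO_LATE], SUSPECT, 3306))   # ('allow', 100)
    print(sg_decision(WEB_SG, SUSPECT, 443))                               # allow: cannot single it out
    print(sg_decision(WEB_SG, SUSPECT, 22))                                # deny: 22 is VPC-only
```

Two things the simulation makes visible: a deny rule numbered above the allow that already matches the packet is dead weight, and the only "deny" a security group can express is the absence of an allow, which is why the suspect on port 443 sails through WEB_SG. Because NACLs are stateless, a real deployment also needs an outbound allow for the ephemeral port range so that return traffic is not dropped.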

A large organization is planning to host its resources on AWS. It has a number of autonomous departments that wish to use AWS. What strategy should be adopted for managing the accounts?


Options are :

  • Use multiple AWS accounts, one account for each department (Correct)
  • Use multiple IAM roles, one role for each department
  • Use multiple IAM groups, one group for each department
  • Use multiple VPCs in the account, one VPC for each department

Answer : Use multiple AWS accounts, one account for each department. An account is the strongest isolation, blast-radius and billing boundary AWS offers, and AWS Organizations with service control policies governs the accounts centrally. VPCs, IAM groups and roles all share a single account's service limits, bill and compromise domain, which is the wrong fit for autonomous departments.

A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one way to reduce the cost of accessing the keys in the AWS KMS service?


Options are :

  • Use the right key policy
  • Create an alias of the key
  • Enable rotation of the keys
  • Use Data key caching (Correct)

Answer : Use data key caching. KMS bills per API request, and envelope encryption otherwise calls GenerateDataKey for every message; the AWS Encryption SDK can cache data keys locally and reuse each one for a bounded number of messages, bytes or seconds, dividing the KMS call volume by that bound. Aliases, key policies and rotation do not change the number of requests.
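Why caching changes the bill, as an added example that is not part of the practice exam: a Python simulation of envelope encryption with a local data key cache bounded by message count and age, the same two limits the AWS Encryption SDK's local cache enforces. KMS is replaced by an in-memory stub that counts GenerateDataKey calls, and the per-message cipher is an HMAC counter-mode keystream standing in for AES-GCM so the example runs offline; both stand-ins are assumptions of this example, not a crypto library to reuse.

```python
"""Added example, not part of the practice exam: data key caching for envelope
encryption. FakeKMS counts the GenerateDataKey/Decrypt calls that KMS would
bill; DataKeyCache reuses a data key across messages. The wrapping and the
message cipher are toy HMAC constructions (assumption) so this runs offline.
"""
import hashlib
import hmac
import os
import time


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class FakeKMS:
    """Stand-in for KMS: wraps data keys under an in-memory master key and counts calls."""

    def __init__(self):
        self.master = os.urandom(32)
        self.calls = 0

    def generate_data_key(self, key_id):
        self.calls += 1
        plaintext_key = os.urandom(32)
        nonce = os.urandom(16)
        pad = hmac.new(self.master, key_id.encode() + nonce, hashlib.sha256).digest()
        return plaintext_key, nonce + _xor(plaintext_key, pad)

    def decrypt(self, key_id, wrapped_key):
        self.calls += 1
        nonce, body = wrapped_key[:16], wrapped_key[16:]
        pad = hmac.new(self.master, key_id.encode() + nonce, hashlib.sha256).digest()
        return _xor(body, pad)


class DataKeyCache:
    """Reuse one data key per key_id for up to max_messages messages or max_age_s
    seconds; either limit being hit forces a fresh GenerateDataKey call."""

    def __init__(self, kms, max_messages=100, max_age_s=300.0):
        self.kms, self.max_messages, self.max_age_s = kms, max_messages, max_age_s
        self._entries = {}

    def get(self, key_id):
        now = time.monotonic()
        entry = self._entries.get(key_id)
        if (entry is None or entry["uses"] >= self.max_messages
                or now - entry["created"] > self.max_age_s):
            plaintext_key, wrapped = self.kms.generate_data_key(key_id)
            entry = self._entries[key_id] = {"key": plaintext_key, "wrapped": wrapped,
                                             "created": now, "uses": 0}
        entry["uses"] += 1
        return entry["key"], entry["wrapped"]


def _keystream(key, nonce, length):
    """HMAC counter-mode keystream: toy stand-in for AES-GCM (assumption)."""
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_message(cache, key_id, plaintext):
    """Envelope-encrypt: the wrapped data key travels with the ciphertext, and a fresh
    per-message nonce keeps a reused (cached) data key from repeating keystream."""
    data_key, wrapped = cache.get(key_id)
    nonce = os.urandom(12)
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": _xor(plaintext, _keystream(data_key, nonce, len(plaintext)))}


def decrypt_message(kms, key_id, envelope):
    data_key = kms.decrypt(key_id, envelope["wrapped_key"])
    return _xor(envelope["ciphertext"],
                _keystream(data_key, envelope["nonce"], len(envelope["ciphertext"])))


def kms_calls_for(n_messages, max_messages):
    """Encrypt n_messages records and return how many KMS calls the stub saw."""
    kms = FakeKMS()
    cache = DataKeyCache(kms, max_messages=max_messages)
    for i in range(n_messages):
        encrypt_message(cache, "alias/app-data", f"record {i}".encode())
    return kms.calls


def roundtrip(message):
    kms = FakeKMS()
    envelope = encrypt_message(DataKeyCache(kms), "alias/app-data", message)
    return decrypt_message(kms, "alias/app-data", envelope)


if __name__ == "__main__":
    print("no cache:", kms_calls_for(1000, 1), "calls")      # 1000
    print("cache 100:", kms_calls_for(1000, 100), "calls")   # 10
```

The trade-off the limits encode: a cached key is in memory longer and encrypts more data under one key, so the bounds should be set from the application's data volume and the exposure you can tolerate if the process is dumped, not simply "as high as possible". Decrypt calls are cacheable the same way (keyed by the wrapped key), which the SDK also does.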

A company wants to have an intrusion detection system available for their VPC in AWS. They want complete control over the system. Which of the following would be ideal to implement?


Options are :

  • Use AWS WAF to catch all intrusions occurring on the systems in the VPC
  • Use VPC Flow Logs to detect the issues and flag them accordingly
  • Use a custom solution available in the AWS Marketplace (Correct)
  • Use Amazon CloudWatch to monitor all traffic

Answer : Use a custom solution available in the AWS Marketplace. A host- or network-based IDS that you deploy and manage yourself is the only option that gives complete control over signatures, inspection depth and tuning. VPC Flow Logs and CloudWatch record connection metadata and metrics rather than inspecting traffic, and WAF filters HTTP requests at the edge rather than detecting intrusions inside the VPC.

Your company uses AWS KMS to manage its customer keys. From time to time there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that a key is no longer being used?


Options are :

  • Use CloudTrail to see if any KMS API requests have been issued against the existing keys (Correct)
  • Change the IAM policy for the keys to see if other services are using the keys
  • Rotate the keys once before deletion to see if other services are using the keys
  • Use key policies to see the access level for the keys

Answer : Use CloudTrail to see if any KMS API requests have been issued against the existing keys. Every KMS call is logged with the key ARN and the calling principal, so a search of the trail shows whether anything still encrypts or decrypts under the key. Schedule the deletion with the 7 to 30 day waiting period and alarm on any use of the key during that window, so the deletion can be cancelled before data becomes unrecoverable. Key policies and IAM policies only show who may use the key, not who does; rotation does not reveal usage and keeps old backing keys anyway.
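The check described above, as an added example that is not part of the practice exam: Python that scans CloudTrail records for cryptographic KMS calls against candidate keys and reports which candidates saw no use inside a time window. The records are constructed to look like CloudTrail's KMS events (eventSource kms.amazonaws.com, eventName such as Decrypt, the key ARN under "resources") but are not real log data, and the key ARNs, account ID and principals are made up.

```python
"""Added example, not part of the practice exam: which KMS keys are still in use?

Reads CloudTrail records (constructed below, not real), keeps only
cryptographic ("data-plane") KMS calls inside a time window, and reports
candidate keys with no such activity. Management calls like DescribeKey
are deliberately ignored: they do not prove anything is encrypted under the key.
"""
import json
from datetime import datetime, timezone

DATA_PLANE_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
                     "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
                     "Sign", "Verify"}

# Made-up key ARNs and account.
KEY_A = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
KEY_B = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"
KEY_C = "arn:aws:kms:us-east-1:123456789012:key/33333333-3333-3333-3333-333333333333"


def _record(event_name, event_time, key_arn=None, source="kms.amazonaws.com", identity=None):
    rec = {"eventSource": source, "eventName": event_name, "eventTime": event_time,
           "userIdentity": identity or {"type": "IAMUser",
                                        "arn": "arn:aws:iam::123456789012:user/alice"}}
    if key_arn:
        rec["resources"] = [{"ARN": key_arn, "accountId": "123456789012"}]
    return rec


# Constructed sample trail (assumption: shaped like real CloudTrail KMS events).
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("Decrypt", "2024-05-10T09:12:44Z", KEY_A),
    _record("GenerateDataKey", "2024-05-12T21:03:10Z", KEY_A,
            identity={"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}),
    _record("DescribeKey", "2024-05-11T08:00:00Z", KEY_B),          # management only
    _record("Decrypt", "2024-03-01T10:00:00Z", KEY_C),              # old use, outside window
    _record("GetObject", "2024-05-12T21:03:11Z", source="s3.amazonaws.com"),
]})


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_usage(trail_json, since_iso):
    """Map key ARN -> {'calls', 'events', 'callers', 'last'} for data-plane KMS
    calls at or after since_iso (e.g. '2024-05-01T00:00:00Z')."""
    since = _parse_time(since_iso)
    usage = {}
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in DATA_PLANE_EVENTS:
            continue
        when = _parse_time(rec["eventTime"])
        if when < since:
            continue
        ident = rec.get("userIdentity", {})
        caller = ident.get("invokedBy") or ident.get("arn") or ident.get("type", "unknown")
        for res in rec.get("resources", []):
            arn = res.get("ARN", "")
            if ":key/" not in arn:
                continue
            entry = usage.setdefault(arn, {"calls": 0, "events": set(),
                                           "callers": set(), "last": when})
            entry["calls"] += 1
            entry["events"].add(rec["eventName"])
            entry["callers"].add(caller)
            entry["last"] = max(entry["last"], when)
    return usage


def safe_to_schedule_deletion(trail_json, candidate_arns, since_iso):
    """Split candidates into (unused, still_in_use); the second carries the callers
    to contact before anything is scheduled."""
    usage = key_usage(trail_json, since_iso)
    unused = [arn for arn in candidate_arns if arn not in usage]
    in_use = {arn: sorted(usage[arn]["callers"]) for arn in candidate_arns if arn in usage}
    return unused, in_use


if __name__ == "__main__":
    unused, in_use = safe_to_schedule_deletion(SAMPLE_TRAIL, [KEY_A, KEY_B, KEY_C],
                                               "2024-05-01T00:00:00Z")
    print("no activity in window:", unused)
    print("still in use:", in_use)
```

The window is the weak point, as KEY_C shows: it was used in March, so a 30-day search calls it unused. Look further back than the 90 days the CloudTrail console keeps (the S3 trail archive or CloudTrail Lake), remember that service-integrated uses such as EBS show up with the service as the caller, and still rely on the pending-deletion waiting period plus an alarm on the key's use as the final safety net.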
