AWS SCS-C01 Certified Security Speciality Practice Exam Set 5

Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below. Please select:


Options are :

  • Ensure the IAM user has read-only access to the S3 buckets
  • Create an IAM Role in the company account (Correct)
  • Ensure the IAM Role has read-only access to the S3 buckets (Correct)
  • Create an IAM user in the company account

Answer : Create an IAM Role in the company account; Ensure the IAM Role has read-only access to the S3 buckets

Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket. How can this be achieved?


Options are :

  • Enable VPC flow logs to know the source IP addresses
  • Monitor the S3 API calls by using CloudWatch logging
  • Monitor the S3 API calls by using CloudTrail logging (Correct)
  • Enable AWS Inspector for the S3 bucket

Answer : Monitor the S3 API calls by using CloudTrail logging

You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way?


Options are :

  • Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
  • Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving. (Correct)
  • Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
  • Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.

Answer : Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code: "arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey". Which of the following could help resolve the issue? Please select:


Options are :

  • Ensure that User B is given the right permissions in the Key policy (Correct)
  • Ensure that User B is given the right IAM role to access the key
  • Ensure that User B is given the right permissions in the IAM policy
  • Ensure that User B is given the right permissions in the Bucket policy

Answer : Ensure that User B is given the right permissions in the Key policy

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?


Options are :

  • Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.
  • Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK (Correct)
  • Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
  • Configure the CMK to rotate the key material every month.

Answer : Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK

A company is planning on using AWS EC2 and AWS CloudFront for their web application. For which one of the below attacks is the usage of CloudFront most suited?


Options are :

  • SQL Injection (Correct)
  • Malware attacks
  • DDoS attacks
  • Cross-site scripting

Answer : SQL Injection

You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the AWS Config service can work as required? Please select:


Options are :

  • Ensure that there is a group policy in place for the AWS Config service within the role
  • Ensure that there is a trust policy in place for the AWS Config service within the role (Correct)
  • Ensure that there is a user policy in place for the AWS Config service within the role
  • Ensure that there is a grant policy in place for the AWS Config service within the role

Answer : Ensure that there is a trust policy in place for the AWS Config service within the role

You are planning on using the AWS KMS service for managing keys for your application. Which of the following can KMS CMK keys be used to encrypt? Choose 2 answers from the options given below. Please select:


Options are :

  • Image Objects
  • RSA Keys (Correct)
  • Large files
  • Password (Correct)

Answer : RSA Keys; Password

A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to reduce the risk of data deletion on the bucket? Choose 2 answers from the options given below.


Options are :

  • Enable MFA Delete in the bucket policy (Correct)
  • Enable data in transit for the objects in the bucket
  • Enable data at rest for the objects in the bucket
  • Enable versioning on the S3 bucket (Correct)

Answer : Enable MFA Delete in the bucket policy; Enable versioning on the S3 bucket

You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users? Please select:


Options are :

  • Generate pre-signed URLs for each user as they request access to protected S3 content (Correct)
  • Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user
  • Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
  • Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user

Answer : Generate pre-signed URLs for each user as they request access to protected S3 content

Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service? Please select:


Options are :

  • The master key encrypts the cluster key, database key and data encryption keys
  • The master key encrypts the data encryption keys. The data encryption keys encrypt the database key
  • The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys. (Correct)
  • The master key encrypts the database key. The database key encrypts the data encryption keys.

Answer : The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.

A company wants to use CloudTrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below. Please select:


Options are :

  • Create one trail that logs data events to an S3 bucket (Correct)
  • Create one CloudTrail log group for data events
  • Create another trail that logs management events to another S3 bucket (Correct)
  • Create another CloudTrail log group for management events

Answer : Create one trail that logs data events to an S3 bucket; Create another trail that logs management events to another S3 bucket

Your company is planning on developing an application in AWS. This is a web-based application. The application users will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this?


Options are :

  • Create a SAML provider in AWS
  • Create an OIDC identity provider in AWS
  • Use AWS Cognito to manage the user profiles (Correct)
  • Use IAM users to manage the user profiles

Answer : Use AWS Cognito to manage the user profiles

A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database; administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure:

  • sgLB - associated with the ELB
  • sgWeb - associated with the EC2 instances
  • sgDB - associated with the database
  • sgBastion - associated with the bastion host

Which security group configuration will allow the application to be secure and functional?


Options are :

  • sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the VPC IP address range
  • sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgLB; sgBastion: allow port 22 traffic from the VPC IP address range
  • sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from 0.0.0.0/0; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range
  • sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range (Correct)

Answer : sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range

An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization's network and not from outside. How can it achieve this? Please select:


Options are :

  • Create an IAM policy with a condition which denies access when the IP address range is not from the organization (Correct)
  • Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
  • Create an IAM policy with the security group and use that security group for AWS console login
  • Configure the EC2 instance security group which allows traffic only from the organization's IP range

Answer : Create an IAM policy with a condition which denies access when the IP address range is not from the organization

Your company is planning on developing an application in AWS. This is a web-based application. The application users will use their Facebook or Google identities for authentication. Which of the following is a step you would include in your implementation for the web application?


Options are :

  • Create a SAML provider in AWS
  • Ensure the Security Groups in the VPC only allow requests from the Google and Facebook Authentication servers.
  • Create an OIDC identity provider in AWS (Correct)
  • Create an OIDC provider in both Google and Facebook

Answer : Create an OIDC identity provider in AWS

Your company has the following setup in AWS:

  a. A set of EC2 instances hosting a web application
  b. An application load balancer placed in front of the EC2 instances

There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests? Please select:


Options are :

  • Use VPC Flow Logs to block the IP addresses
  • Use Security Groups to block the IP addresses
  • Use AWS Inspector to block the IP addresses
  • Use AWS WAF to block the IP addresses (Correct)

Answer : Use AWS WAF to block the IP addresses

Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc. be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?


Options are :

  • Query the Trusted Advisor API for all best practice security checks and check for "action recommended" status.
  • Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance (Correct)
  • Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance
  • Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

Answer : Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance

Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner? Please select:


Options are :

  • Use the aws:Referer key in the condition clause for the bucket policy (Correct)
  • Grant a role that can be assumed by the web site
  • Grant public access for the bucket via the bucket policy
  • Use the aws:sites key in the condition clause for the bucket policy

Answer : Use the aws:Referer key in the condition clause for the bucket policy

Your company has been using AWS for hosting EC2 instances for their web and database applications. They want to have a compliance check to see the following:

  • Whether any ports are left open other than admin ones like SSH and RDP
  • Whether any ports to the database server other than ones from the web server security group are open

Which of the following can help achieve this in the easiest way possible? You don't want to carry out any extra configuration changes.


Options are :

  • AWS Config
  • AWS Trusted Advisor (Correct)
  • AWS Inspector
  • AWS GuardDuty

Answer : AWS Trusted Advisor

Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?


Options are :

  • Use a network monitoring tool provided by an AWS partner.
  • Use CloudWatch metrics
  • Use another instance. Set up a port in promiscuous mode and sniff the traffic to analyze the packets (Correct)
  • Use the VPC Flow Logs

Answer : Use another instance. Set up a port in promiscuous mode and sniff the traffic to analyze the packets

You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via GIT. Which one of the following setups would give us the highest level of security? Choose the correct answer from the options given below.


Options are :

  • EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW (Correct)
  • EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT (Correct)
  • EC2 instances in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
  • EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT

Answer : EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW; EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Your team is experimenting with the API Gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API Gateway. How can this be achieved?


Options are :

  • Use the request parameters for authorization
  • Use a Lambda authorizer (Correct)
  • Use CORS on the API gateway
  • Use the gateway authorizer

Answer : Use a Lambda authorizer

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp? Please select:


Options are :

  • Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp
  • Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp. (Correct)
  • Allow Inbound on port 3306 from source 20.0.0.0/16
  • Allow Outbound on port 80 for Destination NAT Instance IP

Answer : Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing and development environments. Which of the following is an ideal way to design such a setup? Please select:


Options are :

  • Use separate IAM Policies for each of the environments
  • Use separate IAM Roles for each of the environments
  • Use separate VPCs for each of the environments
  • Use separate AWS accounts for each of the environments (Correct)

Answer : Use separate AWS accounts for each of the environments

Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organization have access to this bucket?


Options are :

  • Ensure the bucket policy has a condition which involves aws:OrgID
  • Ensure the bucket policy has a condition which involves aws:AccountNumber
  • Ensure the bucket policy has a condition which involves aws:PrincipalID
  • Ensure the bucket policy has a condition which involves aws:PrincipalOrgID (Correct)

Answer : Ensure the bucket policy has a condition which involves aws:PrincipalOrgID

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp? Please select:


Options are :

  • Allow Outbound on port 80 for Destination NAT Instance IP
  • Allow Inbound on port 3306 from source 20.0.0.0/16
  • Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp
  • Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp (Correct)

Answer : Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp

Which of the below services can be integrated with the AWS Web Application Firewall (WAF) service? Choose 2 answers from the options given below. Please select:


Options are :

  • AWS Lambda
  • AWS CloudFront (Correct)
  • AWS Classic Load Balancer
  • AWS Application Load Balancer (Correct)

Answer : AWS CloudFront; AWS Application Load Balancer

Your company is planning on using AWS EC2 and ELB for deployment of their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.


Options are :

  • Ensure the HTTPS listener sends requests to the instances on port 443 (Correct)
  • Ensure the load balancer listens on port 443 (Correct)
  • Ensure the HTTPS listener sends requests to the instances on port 80
  • Ensure the load balancer listens on port 80

Answer : Ensure the HTTPS listener sends requests to the instances on port 443; Ensure the load balancer listens on port 443

Your company is planning on hosting its resources in AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy? Please select:


Options are :

  • Use S3 server-side encryption
  • Use the AWS KMS service for creation of the keys, with the company managing the key lifecycle thereafter.
  • Generate the key pairs for the EC2 instances using puttygen (Correct)
  • Use the EC2 key pairs that come with AWS

Answer : Generate the key pairs for the EC2 instances using puttygen
