21 October, 2023

Simulation Amazon-Web-Services SCS-C01 Pdf Online

Exam Code: SCS-C01 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: AWS Certified Security- Specialty
Certification Provider: Amazon-Web-Services
Free Today! Guaranteed Training- Pass SCS-C01 Exam.

Also have SCS-C01 free dumps questions for you:

Page: 1 / 27

Total 330 questions Full Exam Access

Question 1

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --fi1ters "Name=key-name,Values=KEYNAMEHERE".

Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.

Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public- keys/0/.

Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

Question 2

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?

Use custom route tables to prevent malicious traffic from routing to the instances.

Update security groups to deny traffic from the originating source IP addresses.

Use network ACLs.

Install intrusion prevention software (IPS) on each instance.

Question 3

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier functio

Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

Enable Amazon Macie on the S3 buckets that were impacted, then perform data classificatio

For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.

Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classificatio

Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.

Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classificatio

For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

Question 4

An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

Use an EC2 run command to confirm that the “awslogs” service is running on all instances.

Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.

Check whether any application log entries were rejected because of invalid time stamps by reviewing/var/cwlogs/rejects.log.

Check that the trust relationship grants the service “cwlogs.amazonaws.com” permission to write objects to the Amazon S3 staging bucket.

Verify that the time zone on the application servers is in UTC.

Question 5

Which of the following minimizes the potential attack surface for applications?

Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.

Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.

Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.

Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Question 6

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.
Which of the following mitigations should be recommended?

Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.

Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

Question 7

A large organization is planning on AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts.
Please select:

Use multiple VPCs in the account each VPC for each department

Use multiple 1AM groups, each group for each department

Use multiple 1AM roles, each group for each department

Use multiple AWS accounts, each account for each department

Question 8

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure AWS WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.

Question 9

You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.
Please select:

wg-123 -Allow ports 80 and 443 from 0.0.0.0/0

db-345 - Allow port 1433 from wg-123

wg-123 - Allow port 1433 from wg-123

db-345 -Allow ports 1433 from 0.0.0.0/0

Question 10

An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?

VPN and a cached storage gateway

AWS Snowball Edge

VPN Gateway over AWS Direct Connect

AWS Direct Connect

Question 11

Which of the following is used as a secure way to log into an EC2 Linux Instance? Please select:

1AM User name and password

Key pairs

AWS Access keys

AWS SDK keys

Question 12

You have enabled Cloudtrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?
Please select:

Enable SSL certificates for the Cloudtrail logs

There is no need to do anything since the logs will already be encrypted

Enable Server side encryption for the trail

Enable Server side encryption for the destination S3 bucket

Question 13

A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket. Choose 2 answers from the options given below
Please select:

Enable versioning on the S3 bucket

Enable data at rest for the objects in the bucket

Enable MFA Delete in the bucket policy

Enable data in transit for the objects in the bucket

My answer: -

Reference answer: AC

Reference analysis:

One of the AWS Security blogs mentions the followinj
Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request.
You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your AWS accounts access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.
Option B is invalid because enabling encryption does not guarantee risk of data deletion. Option D is invalid because this option does not guarantee risk of data deletion.
For more information on AWS S3 versioning and MFA please refer to the below URL:
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
The correct answers are: Enable versioning on the S3 bucket Enable MFA Delete in the bucket policy Submit your Feedback/Queries to our Experts

Question 14

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

AWS IAM groups

AWS IAM users

AWS IAM roles

AWS IAM access keys

Question 15

A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with AWS? (Choose two.)

Create IAM roles with permissions corresponding to each Active Directory group.

Create IAM groups with permissions corresponding to each Active Directory group.

Configure Amazon Cloud Directory to support a SAML provider.

Configure Active Directory to add relying party trust between Active Directory and AWS.

Configure Amazon Cognito to add relying party trust between Active Directory and AWS.

Question 16

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?

Delete the internet gateway associated with the VPC.

Use network access control lists to block source IP addresses matching 0.0.0.0/0.

Use a host-based firewall to prevent access from all but the organization’s firewall IP.

Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.

Question 17

A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.
How can the Security Engineer protect this workload so that only employees can access it?

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

Route all traffic to the workload through AWS WA

Add each employee’s home IP address into an AWS WAF rule, and block all other traffic.

Question 18

One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance. Select 2 answers from the options given below
Please select:

Remove the role applied to the Ec2 Instance

Create a separate forensic instance

Ensure that the security groups only allow communication to this forensic instance

Terminate the instance

Question 19

A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AM Is and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the Engineer implement? Select 2 answers from the options given below.
Please select:

Set up a CloudWatch event based on Trusted Advisor metrics

Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.

Set up a CloudWatch event based on Amazon inspector findings

Monitor compliance with AWS Config Rules triggered by configuration changes

Trigger a CLI command from a CloudWatch event that terminates the infrastructure

Question 20

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)

Detach the elastic network interface from the EC2 instance.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Add a rule to an AWS WAF to block access to the EC2 instance.

Question 21

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?

Use AWS Shield to scan inbound traffic for web exploit

Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.

Use AWS Shield to scan inbound traffic for web exploit

Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Use AWS WAF to scan inbound traffic for web exploit

Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.

Use AWS WAF to scan inbound traffic for web exploit

Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Question 22

Your company has a set of 1000 EC2 Instances defined in an AWS Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?
Please select:

Use the AWS Systems Manager Parameter Store

Use the AWS Systems Manager Run Command

Use the AWS Inspector

Use AWS Config

Question 23

You are planning on using the AWS KMS service for managing keys for your application. For which of the following can the KMS CMK keys be used for encrypting? Choose 2 answers from the options given below
Please select:

Image Objects

Large files

Password

RSA Keys

Question 24

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

Use AWS Systems Manager to store the credentials as Secure Strings Parameter

Secure by using an AWS KMS key.

Use AWS Key Management System to store a master key, which is used to encrypt the credential

The encrypted credentials are stored in an Amazon RDS instance.

Use AWS Secrets Manager to store the credentials.

Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Question 25

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

Ensure that the log file integrity validation mechanism is enabled.

Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.

Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.

Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.

Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

Page: 1 / 27

Total 330 questions Full Exam Access