
SCS-C01 Online Practice Questions and Answers

Question 4

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a

requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The Security Engineer has verified the following:

1. The rule set in the Security Groups is correct

2. The rule set in the network ACLs is correct

3. The rule set in the virtual appliance is correct

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

B. Verify which Security Group is applied to the particular web server's elastic network interface (ENI).

C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.

D. Verify the registered targets in the ALB.

E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Question 5

A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access only an assigned folder.

What should the Security Engineer do to achieve this?

A. Use envelope encryption with the AWS-managed CMK aws/s3.

B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.

C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.

D. Change the applicable IAM policy to grant S3 access to "Resource":"arn:aws:s3:::examplebucket/${aws:username}/*"

Question 6

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

A. In the security group of the EC2 instance, allow inbound ICMP traffic.

B. In the security group of the EC2 instance, allow outbound ICMP traffic.

C. In the VPC's NACL, allow inbound ICMP traffic.

D. In the VPC's NACL, allow outbound ICMP traffic.

Question 7

You need to create a Linux EC2 instance in AWS. Which of the following steps are used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.

Please select:

A. Ensure to create a strong password for logging into the EC2 Instance

B. Create a key pair using putty

C. Use the private key to log into the instance

D. Ensure the password is passed securely using SSL

Question 8

You are working for a company and have been allocated the task of ensuring that there is a federated authentication mechanism set up between AWS and their on-premises Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.

Please select:

A. Ensure the right match is in place for on-premises AD Groups and IAM Roles.

B. Ensure the right match is in place for on-premises AD Groups and IAM Groups.

C. Configure AWS as the relying party in Active Directory

D. Configure AWS as the relying party in Active Directory Federation services

Question 9

Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for created S3 buckets in the AWS Account?

Please select:

A. Use AWS Inspector to inspect all S3 buckets and enable logging for those where it is not enabled

B. Use AWS Config Rules to check whether logging is enabled for buckets

C. Use AWS Cloudwatch metrics to check whether logging is enabled for buckets

D. Use AWS Cloudwatch logs to check whether logging is enabled for buckets

Question 10

There is a requirement for a company to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low latency and high consistency in traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below.

Please select:

A. Provision a Direct Connect connection to an AWS region using a Direct Connect partner.

B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

C. Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.

D. Create a VPC peering connection between AWS and the Customer gateway.

Question 11

A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engineer implement this solution?

A. Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.

B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.

C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.

D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.

Question 12

A company's security team suspects that an insider threat is present. The security team is basing its suspicion on activity that occurred in one of the company's AWS accounts. The activity was performed with the AWS account root user credentials. The root user has no access keys. The company uses AWS Organizations, and the account where the activity occurred is in an OU. A security engineer needs to take away the root user's ability to make any updates to the account. The root user password cannot be changed to accomplish this goal.

Which solution will meet these requirements?

A. Option A

B. Option B

C. Option C

D. Option D

Question 13

A company is outsourcing its operational support to an external company. The company's security officer must implement an access solution for delegating operational support that minimizes overhead. Which approach should the security officer take to meet these requirements?

A. Implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management. Allow the external company to federate through its identity provider.

B. Federate AWS Identity and Access Management (IAM) with the external company's identity provider. Create an IAM role and attach a policy with the necessary permissions.

C. Create an IAM group for the external company. Add a policy to the group that denies IAM modifications. Securely provide the credentials to the external company.

D. Use AWS SSO with the external company's identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.

Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Last Update: Apr 20, 2024
Questions: 733