[Feb 16, 2022] SCS-C01 certification guide Q&A from Training Expert RealExamFree
NEW QUESTION 292
You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
Please select:
- A. Ensure that agent is running on the instances.
- B. Check to see if the IAM user has the right permissions for EC2
- C. Check to see if the right role has been assigned to the EC2 instances
- D. Check the Instance status by using the Health API.
Answer: A,C,D
Explanation:
For an instance to be picked up by Systems Manager patching, check the following:
1) The latest version of SSM Agent is installed and running on the instance.
2) The instance is configured with an AWS Identity and Access Management (IAM) role (instance profile) that lets it communicate with the Systems Manager API, for example one that includes the AmazonSSMManagedInstanceCore managed policy.
3) The Amazon EC2 Health API (in practice the output of aws ssm describe-instance-information) shows, for each managed instance: its status, the last time the instance sent a heartbeat, the SSM Agent version, the operating system and, on Windows, the version and status of the EC2Config service. An instance that never appears in that output cannot be patched, and that is usually where the missing instances show up.
Option B is invalid because IAM users are not granted permissions to EC2 instances directly; the role attached to the instance is what Systems Manager uses.
For more information on troubleshooting AWS SSM, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
The correct answers are: Ensure that agent is running on the instances; Check to see if the right role has been assigned to the EC2 instances; Check the instance status by using the Health API.
NEW QUESTION 293
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)
- A. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
- B. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
- C. Verify that the time zone on the application servers is in UTC.
- D. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
- E. Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
Answer: B,D
Explanation:
Option B: the legacy CloudWatch Logs agent runs as the "awslogs" service on Linux; if it is stopped on a subset of instances, exactly those instances go silent. Systems Manager Run Command lets you check the service state on every instance at once instead of logging in to each one.
Option D: the agent needs an instance role (or credentials) with logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogStreams and logs:PutLogEvents; without them it cannot create the stream or push events, and the failures are visible in the agent's own log.
Options C and E are distractors: the agent normalizes time stamps itself (UTC on the server is not required), and CloudWatch Logs does not stage data through an S3 bucket, so there is no "cwlogs.amazonaws.com" trust relationship to check.
NEW QUESTION 294
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.
What is causing this situation?
- A. The Perfect Forward Secrecy settings are not configured correctly.
- B. Application Load Balancers do not support older web browsers.
- C. The intermediate certificate is installed within the Application Load Balancer.
- D. The cipher suites on the Application Load Balancers are blocking connections.
Answer: D
Explanation:
Application Load Balancers only accept one of AWS's predefined TLS security policies; unlike Classic Load Balancers they do not support custom cipher lists, and the predefined policies do not admit SSLv3 or the weak legacy ciphers a Classic Load Balancer custom policy could still enable. Old devices that previously negotiated such a protocol or cipher now fail the TLS handshake. The options are to pick the most permissive predefined policy that those clients can still negotiate (for example ELBSecurityPolicy-TLS-1-0-2015-04), knowingly accepting the weaker posture, or to update the clients.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
NEW QUESTION 295
A security engineer needs to create an AWS Key Management Service (AWS KMS) key that will be used to encrypt all data stored in a company's Amazon S3 buckets in the us-west-1 Region. The key will be used for server-side encryption. Usage of the key must be limited to requests coming from Amazon S3 within the company's account.
Which statement in the KMS key policy will meet these requirements?
A)
B)
C)
- A. Option C
- B. Option B
- C. Option A
Answer: A
NEW QUESTION 296
Your company works in the gaming domain and hosts several EC2 instances as game servers. The servers each experience user loads in the thousands. There is a concern about DDoS attacks on the EC2 instances, which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?
Please select:
- A. Use AWS Inspector to protect the EC2 Instances
- B. Use AWS Trusted Advisor to protect the EC2 Instances
- C. Use VPC Flow logs to monitor the VPC and then implement NACL's to mitigate attacks
- D. Use AWS Shield Advanced to protect the EC2 Instances
Answer: D
Explanation:
AWS Shield Advanced gives EC2 instances (through their Elastic IP addresses), Elastic Load Balancing, CloudFront, Global Accelerator and Route 53 resources always-on DDoS detection with tailored mitigations and access to the Shield Response Team, which is what keeps downtime low during an attack. Amazon Inspector (option A) is a vulnerability assessment service, Trusted Advisor (option B) runs best-practice checks, and VPC Flow Logs with NACLs (option C) is a manual, after-the-fact response that cannot keep up with a volumetric attack.
Below is an excerpt from the AWS Documentation on some of the use cases for AWS Shield
NEW QUESTION 297
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below. Please select:
- A. Use TrueEncrypt for EBS volumes on Linux instances
- B. Use AWS Systems Manager to encrypt the existing EBS volumes
- C. Boot EBS volume can be encrypted during launch without using custom AMI
- D. Use Windows bit locker for EBS volumes on Windows instances
Answer: A,D
Explanation:
EBS encryption is chosen when a volume is created; an existing unencrypted volume cannot be encrypted in place (you snapshot it and create an encrypted copy). For the data already on such volumes, OS-level tools do the job: BitLocker on Windows and, on Linux, a disk encryption tool such as the option's "TrueEncrypt" (TrueCrypt, which is discontinued; dm-crypt/LUKS is the maintained equivalent).
Option B is incorrect: AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems. It does not encrypt volumes.
Option C is incorrect as the question was written: you could not choose to encrypt a non-encrypted boot volume at instance launch, and to have an encrypted boot volume during launch the custom AMI had to have its boot volume encrypted beforehand. Note that this changed in 2019: EC2 can now encrypt the root volume at launch from an unencrypted AMI, and EBS encryption by default can be enabled per Region, so against current AWS option C is also true and no in-guest tool is needed.
For more information on the Security Best practices, please visit the following URL:
.com/whit Security Practices.
The correct answers are: Use Windows bit locker for EBS volumes on Windows instances; Use TrueEncrypt for EBS volumes on Linux instances
NEW QUESTION 298
A company hosts a critical web application on the AWS Cloud. This is a key revenue-generating application for the company. The IT Security team is worried about potential DDoS attacks against the web site. Senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard?
Please select:
- A. Consider using VPC Flow Logs to monitor traffic for a DDoS attack and quickly take action on a trigger of a potential attack.
- B. Consider using the AWS Shield Service
- C. Consider using CloudWatch Logs to monitor traffic for a DDoS attack and quickly take action on a trigger of a potential attack.
- D. Consider using the AWS Shield Advanced Service
Answer: D
Explanation:
Option A is invalid because VPC Flow Logs only record metadata about accepted and rejected flows; they cannot mitigate a DDoS attack, and acting on them is manual and slow.
Option B is invalid because AWS Shield Standard is automatic, always-on protection against common network and transport layer attacks, but it gives no attack visibility, no tailored mitigations and no response team; the "immediate action" requirement is what Shield Advanced adds.
Option C is invalid because CloudWatch Logs is a log store for AWS services and applications, not a DDoS mitigation.
The AWS Documentation mentions the following
AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT, now called the Shield Response Team) 24x7 to manage and mitigate their application layer DDoS attacks.
For more information on AWS Shield, please visit the below URL:
https://aws.amazon.com/shield/faqs/
The correct answer is: Consider using the AWS Shield Advanced Service
NEW QUESTION 299
Your company has been using AWS for the past 2 years. It has separate S3 buckets for logging the various AWS services that have been used. It has hired an external vendor to analyze the log files; the vendor has its own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below. Please select:
- A. Create an IAM Role in the company account
- B. Create an IAM user in the company account
- C. Ensure the IAM user has access for read-only to the S3 buckets
- D. Ensure the IAM Role has access for read-only to the S3 buckets
Answer: A,D
Explanation:
The AWS Documentation mentions the following
To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section.
Create an IAM role for each account that you want to share log files with.
For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.
Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.
Options B and C are invalid because creating an IAM user and then sharing its credentials with the vendor is a direct "no" from a security perspective: long-lived keys leave the company's control and cannot be scoped to a session.
In practice the role's trust policy should name the vendor's account and require an sts:ExternalId condition, so that the vendor cannot be used as a confused deputy, and its permissions policy should grant only s3:GetObject and s3:ListBucket on the log buckets.
For more information on sharing CloudTrail log files, please visit the following URL
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html
The correct answers are: Create an IAM Role in the company account; Ensure the IAM Role has access for read-only to the S3 buckets
NEW QUESTION 300
When managing permissions for API Gateway, what can be used to ensure that the right level of permissions is given to developers, IT admins and users? These permissions should be easy to manage.
Please select:
- A. Use the secure token service to manage the permissions for the different users
- B. Use the AWS Config tool to manage the permissions for the different users
- C. Use IAM Policies to create different policies for the different types of users.
- D. Use IAM Access Keys to create sets of keys for the different types of users.
Answer: C
Explanation:
The AWS Documentation mentions the following
You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:
* To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
* To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
Options A, B and D are invalid because none of them expresses permissions: the Security Token Service issues temporary credentials, AWS Config records and evaluates resource configuration, and access keys are credentials for signing requests that carry no permissions of their own. Access to AWS services is controlled via IAM policies, attached to groups or roles for the three populations in the question.
For more information on permissions with API Gateway, please visit the following URL:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
The correct answer is: Use IAM Policies to create different policies for the different types of users.
NEW QUESTION 301
A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?
- A. AWS IAM roles
- B. AWS IAM users
- C. AWS IAM access keys
- D. AWS IAM groups
Answer: A
NEW QUESTION 302
Your company hosts a large number of EC2 instances in AWS. There are strict security rules governing the EC2 instances. During a potential security breach, you need to ensure quick investigation of the affected EC2 instance. Which of the following services can help you quickly provision a test environment to look into the breached instance?
Please select:
- A. AWS Config
- B. AWS Cloudwatch
- C. AWS Cloudformation
- D. AWS Cloudtrail
Answer: C
Explanation:
The AWS Security best practices mention the following
Unique to AWS, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident. This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.
Option A is incorrect since AWS Config is a configuration recording and evaluation service. Option B is incorrect since CloudWatch is a monitoring and logging service. Option D is incorrect since CloudTrail is an API logging service. None of them can provision an environment.
For more information on AWS Security best practices, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
The correct answer is: AWS CloudFormation
NEW QUESTION 303
A company's AWS account consists of approximately 300 IAM users. There is now a mandate that 100 of those IAM users need unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
Please select:
- A. Create an S3 bucket policy with unlimited access which includes each user's AWS account ID
- B. Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
- C. Create a policy and apply it to multiple users using a JSON script
- D. Create a new role and add each user to the IAM role
Answer: B
Explanation:
Option A is incorrect since all 100 users share the same AWS account ID, so a bucket policy keyed on the account ID cannot single them out (and a bucket policy would have to be repeated on every bucket).
Option C is incorrect since a policy is attached to identities; it is not pushed to a list of users by a script.
Option D is incorrect since users are not "added" to a role; a role is assumed, and this is not the ideal approach for a standing permission set.
An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions: if you change the permissions on the group, it affects all the users in that group. Even for a mandated s3:* grant, scope the Resource element to the buckets those users actually need.
For more information on IAM Groups, just browse to the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
The correct answer is: Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
NEW QUESTION 304
Your company uses AWS KMS to manage its customer keys. From time to time there is a requirement to delete existing keys as part of housekeeping. What can be done during the deletion process to verify that a key is no longer being used?
Please select:
- A. Use CloudTrail to see if any KMS API request has been issued against existing keys
- B. Change the IAM policy for the keys to see if other services are using the keys
- C. Use Key policies to see the access level for the keys
- D. Rotate the keys once before deletion to see if other services are using the keys
Answer: A
Explanation:
The AWS Documentation mentions the following
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it.
Scheduling deletion puts the key in the PendingDeletion state for a waiting period of 7 to 30 days (30 by default). During that window every use of the key fails with KMSInvalidStateException, and each failed call is recorded in CloudTrail, which is what the alarm watches. Disabling the key before scheduling deletion gives the same signal without committing to deletion.
Options B and C are incorrect because neither IAM policies nor key policies record usage; they only define who may use the key.
Option D is incorrect since rotation creates new backing key material but does not tell you whether the key is being used.
For more information on deleting keys, please refer to below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys
NEW QUESTION 305
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)
- A. Turn on AWS CloudTrail in each AWS account.
- B. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
- C. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
- D. Turn on CloudTrail in only the account that will be storing the logs.
- E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
Answer: A,E
Explanation:
CloudTrail must be turned on in every account; a trail in only the central account (option D) never records API calls made in the other accounts (an organization trail would, but the question does not mention AWS Organizations). Cross-account delivery into the central bucket is granted with a bucket policy that allows the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on each account's prefix, with the s3:x-amz-acl = bucket-owner-full-control condition so the bucket owner can read what other accounts deliver. Bucket ACLs (option B) are the legacy, coarser mechanism, and CloudTrail writes to S3 as a service principal rather than through a role you create (option C).
NEW QUESTION 306
A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.
Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?
- A. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.
- B. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.
- C. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.
- D. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.
Answer: C
Explanation:
Moving the static files to S3 and fronting the bucket with CloudFront removes the web server entirely: there is no instance to exhaust or to patch, and CloudFront's edge capacity together with AWS Shield Standard absorbs volumetric traffic. Option D keeps the single EC2 instance as the target, and options A and B keep instances that must be run and patched, which is exactly the ongoing overhead the question asks to minimize.
NEW QUESTION 307
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?
- A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
- B. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
- C. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
- D. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
Answer: B
Explanation:
The CloudWatch Logs agent (today the unified CloudWatch agent) ships application log files straight to CloudWatch Logs using only the instance role. CloudTrail (option C) records API calls, not application logs, and options A and D require custom plumbing plus credentials that can reach into the instances.
https://aws.amazon.com/blogs/aws/cloudwatch-log-service/
NEW QUESTION 308
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?
- A. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
- B. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
- C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
- D. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
Answer: C
Explanation:
Service control policies apply to every principal in a member account, including its root user, which is why an SCP attached to an OU is the lever that restricts member root users. IAM policies cannot be attached to the root user (option A), a metric filter (option B) only detects root usage after the fact, and MFA (option D) changes how root authenticates, not what it may do.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html
NEW QUESTION 309
Your company has a hybrid environment, with on-premises servers and servers hosted in the AWS cloud. It is planning to use Systems Manager for patching servers. Which of the following is a prerequisite for this to work? Please select:
- A. Ensure that the on-premise servers are running on Hyper-V.
- B. Ensure that an IAM Group is created for the on-premise servers
- C. Ensure that an IAM service role is created
- D. Ensure that an IAM User is created
Answer: C
Explanation:
You need to ensure that an IAM service role is created that SSM Agent on the on-premises servers can assume; the role is referenced when you create the hybrid activation whose code and ID the agent registers with, and it is what allows the servers to communicate with AWS Systems Manager.
Option A is incorrect since the servers do not have to run on Hyper-V. Options B and D are incorrect since IAM users and groups are not needed; the agent authenticates through the activation and the service role, not through user credentials.
For more information on the Systems Manager role please refer to the below URL:
.com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created
NEW QUESTION 310
In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?
- A. Change the S3 bucket/object permission so that only the bucket owner has access.
- B. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
- C. Redirect S3 bucket access to the corresponding CloudFront distribution.
- D. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
Answer: D
Explanation:
With an origin access identity, the bucket policy grants s3:GetObject only to the OAI principal, so direct S3 URLs return 403 while CloudFront can still fetch the objects. Bucket-owner-only permissions (option A) would also break CloudFront, and CloudFront does not assume an IAM role to read from S3 (option B). For new distributions AWS now recommends origin access control (OAC), which replaces OAI and also supports SSE-KMS objects.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3
NEW QUESTION 311
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box.
Which of the following actions would resolve this issue?
- A. In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
- B. In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.
- C. In SNS, ensure that the subscription used by these alerts has not been deleted.
- D. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
Answer: C
Explanation:
The pipeline used to work, so the alarm definition (option B) and the trail's prefix (option D) are unlikely to have changed on their own; a deleted or unconfirmed SNS subscription silently stops e-mail delivery while the alarm keeps firing. The SNS "Account spend limit" (option A) applies only to SMS messages.
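Both questions 304 and 311 rest on the same mechanism: CloudTrail events flow into CloudWatch Logs, a metric filter picks out the interesting ones, and an alarm publishes to SNS. The following added example (editor's code, not from the page or from AWS) implements the two filter patterns in plain Python and runs them over constructed CloudTrail records, so the matching logic can be checked offline before it is typed into a metric filter. The account number, key ID, user names and addresses are placeholders.

```python
"""Added example, not from the page: two CloudTrail detections a security team would
wire into CloudWatch Logs metric filters, applied here to constructed events so the
logic can be exercised offline. Account IDs, key IDs and user names are placeholders."""
import json
import re

# CloudWatch Logs filter pattern documented by AWS for a key pending deletion:
#   { $.eventSource = kms* && $.errorMessage = "* is pending deletion.*" }
PENDING_DELETION_RE = re.compile(r" is pending deletion\.")


def is_pending_deletion_use(event: dict) -> bool:
    """A KMS call that failed because the key is in its pending-deletion window."""
    return (event.get("eventSource", "").startswith("kms")
            and PENDING_DELETION_RE.search(event.get("errorMessage", "")) is not None)


def is_access_key_creation(event: dict) -> bool:
    """Equivalent of { ($.eventName = CreateAccessKey) && ($.eventSource = iam.amazonaws.com) }."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "CreateAccessKey")


RULES = {
    "kms-key-pending-deletion-still-used": is_pending_deletion_use,
    "iam-access-key-created": is_access_key_creation,
}


def scan(events):
    """Return one finding per (rule, event) pair that matches, in event order."""
    findings = []
    for ev in events:
        for rule_name, predicate in RULES.items():
            if predicate(ev):
                findings.append({
                    "rule": rule_name,
                    "eventTime": ev.get("eventTime"),
                    "eventName": ev.get("eventName"),
                    "principal": ev.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": ev.get("sourceIPAddress"),
                })
    return findings


def parse_cloudtrail_file(text: str):
    """CloudTrail delivers files as {"Records": [...]}; accept that or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


# Constructed records; the key ID and account number are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {   # Decrypt against a key already scheduled for deletion: must alert
        "eventTime": "2022-02-16T09:12:01Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
        "errorCode": "KMSInvalidStateException",
        "errorMessage": "arn:aws:kms:us-west-1:111122223333:key/"
                        "1234abcd-12ab-34cd-56ef-1234567890ab is pending deletion.",
    },
    {   # Normal, successful Decrypt: no alert
        "eventTime": "2022-02-16T09:12:05Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
    },
    {   # New long-lived credential minted: must alert
        "eventTime": "2022-02-16T09:30:44Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"userName": "alice"},
    },
    {   # Removing a key is not what this alert is for
        "eventTime": "2022-02-16T09:31:02Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteAccessKey", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
    },
]})


def sample_findings():
    return scan(parse_cloudtrail_file(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The first predicate is the offline twin of the metric filter AWS documents for question 304; the second is the CreateAccessKey filter behind question 311. When either stops producing mail, the break is rarely in these predicates, which is why the troubleshooting in 311 goes straight to the SNS subscription.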
NEW QUESTION 312
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses.
Which solution will meet these requirements?
- A. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
- B. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition
- C. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
- D. Add a rule to all security groups to deny the incoming requests from the IP address range.
Answer: C
Explanation:
An IP set match statement is the AWS WAF rule built for blocking source address ranges. A rate-based rule (option A) only acts once a request threshold is crossed, regex match conditions (option B) inspect request content rather than the client address, and security groups (option D) are allow-only; they have no deny rules.
NEW QUESTION 313
A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)
- A. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
- B. The route tables and the outbound rules on the appropriate private subnet security group.
- C. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
- D. The Security Group applied to the Application Load Balancer and NAT gateway.
- E. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
- F. That the 0.0.0.0/0 route in the private subnet route table points to the Internet gateway in the public subnet.
Answer: B,C,E
Explanation:
Option B: the private subnet's route table needs a 0.0.0.0/0 route to the NAT gateway, and the instance's security group must allow the outbound traffic. Option C: a host-based firewall blocks the connection regardless of any AWS control. Option E: network ACLs are stateless, so the flow is checked leaving the private subnet, entering and leaving the public subnet where the NAT gateway sits, and again in both directions on the way back; option A omits the public subnet's outbound rules. Option D is wrong because NAT gateways have no security group. Option F is wrong because a private subnet's default route must target the NAT gateway, not the internet gateway.
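The part of this question that trips people up is that network ACLs are stateless, so one TCP connection through a NAT gateway is checked six times, three of them in the public subnet. The following added example (editor's code, not from the page or from AWS) models the two subnets' NACLs and walks those six lookups; the second scenario drops the public subnet's ephemeral-port inbound rule to show where a "working" private subnet still fails. Addresses, CIDRs and rule numbers are constructed placeholders.

```python
"""Added example, not from the page: a stateless network ACL evaluator that walks the
six rule lookups one outbound TCP connection from a private-subnet instance makes
when it leaves through a NAT gateway in the public subnet. Addresses, CIDRs and
rule numbers are constructed placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated in ascending order; the first match decides
    cidr: str       # peer range: destination for an outbound rule, source for an inbound rule
    port_from: int  # destination port range (TCP)
    port_to: int
    allow: bool


def evaluate(rules, peer_ip: str, port: int):
    """Return (allowed, rule_number); no match means the implicit '*' deny rule."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.allow, rule.number
    return False, None


@dataclass
class SubnetAcl:
    name: str
    inbound: list
    outbound: list


def trace_outbound(private: SubnetAcl, public: SubnetAcl, instance_ip: str,
                   instance_port: int, dest_ip: str, dest_port: int, nat_port: int):
    """Each hop is (description, rule list, peer address, destination port) exactly as
    the NACL sees it; NACLs are stateless, so the reply needs its own matching rules."""
    hops = [
        ("private outbound: SYN leaves the instance", private.outbound, dest_ip, dest_port),
        ("public inbound: SYN arrives at the NAT gateway", public.inbound, instance_ip, dest_port),
        ("public outbound: NAT forwards SYN to the IGW", public.outbound, dest_ip, dest_port),
        ("public inbound: reply to the NAT's ephemeral port", public.inbound, dest_ip, nat_port),
        ("public outbound: NAT relays reply to the instance", public.outbound, instance_ip, instance_port),
        ("private inbound: reply reaches the instance", private.inbound, dest_ip, instance_port),
    ]
    return [(label, *evaluate(rules, peer, port)) for label, rules, peer, port in hops]


def connection_succeeds(trace) -> bool:
    return all(allowed for _, allowed, _ in trace)


VPC_CIDR = "10.0.0.0/16"
ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)  # NAT gateways use 1024-65535; instance OS ranges are narrower


def working_acls():
    private = SubnetAcl("private",
                        inbound=[NaclRule(100, ANY, *EPHEMERAL, True)],
                        outbound=[NaclRule(100, ANY, 443, 443, True)])
    public = SubnetAcl("public",
                       inbound=[NaclRule(100, VPC_CIDR, 443, 443, True),
                                NaclRule(110, ANY, *EPHEMERAL, True)],
                       outbound=[NaclRule(100, ANY, 443, 443, True),
                                 NaclRule(110, VPC_CIDR, *EPHEMERAL, True)])
    return private, public


def public_acl_missing_return_rule():
    """Same as working_acls() but the public subnet never lets the reply back in."""
    private, public = working_acls()
    public.inbound = [NaclRule(100, VPC_CIDR, 443, 443, True)]
    return private, public


def run(acls):
    private, public = acls
    return trace_outbound(private, public, instance_ip="10.0.1.10", instance_port=40000,
                          dest_ip="203.0.113.5", dest_port=443, nat_port=50000)


if __name__ == "__main__":
    for label, allowed, rule in run(public_acl_missing_return_rule()):
        print(f"{'ALLOW' if allowed else 'DENY '} rule={rule!s:>4}  {label}")
```

In the broken scenario the private subnet's own rules pass every check, which is why option A alone is not enough: the fourth hop, the reply arriving at the NAT gateway's ephemeral port, is governed by the public subnet's inbound NACL. The same model shows why security groups (stateful) need only the outbound rule in option B.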
NEW QUESTION 314