
SCS-C01 Online Practice Questions and Answers

Questions 4

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

A. Configure the application's EC2 instances to use NAT gateways for all inbound traffic.

B. Move the web servers to private subnets without public IP addresses.

C. Configure AWS WAF to provide DDoS attack protection for the ALB.

D. Require all inbound network traffic to route through a bastion host in the private subnet.

E. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.


Correct Answer: BC

Questions 5

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.

What is the most efficient way to remediate the risk of this activity?

A. Delete the internet gateway associated with the VPC.

B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.

C. Use a host-based firewall to prevent access from all but the organization's firewall IP.

D. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.


Correct Answer: D
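The detect-and-remediate pattern in answer D, shown as an added example (not code from this page or from AWS): the evaluation logic a custom AWS Config rule would apply to one security group, plus the revoke/authorize steps the remediation Lambda would hand to the EC2 API. The input is shaped like the `SecurityGroups` entries returned by `ec2.describe_security_groups`; the sample groups and the organization firewall address `203.0.113.10/32` (a documentation range) are constructed for the example, and the helper names are my own. The example goes slightly beyond the question by also handling the IPv6 "anywhere" range `::/0` and the all-protocols rule.

```python
import ipaddress

# Constructed value: TEST-NET-3 documentation range standing in for the organization's firewall IP.
ORG_FIREWALL_CIDR = "203.0.113.10/32"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _ports_covered(perm):
    """Which admin ports does one IpPermissions entry cover? ('-1' means all protocols/ports.)"""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(ADMIN_PORTS)
    if proto != "tcp" or perm.get("FromPort") is None:
        return set()
    return {p for p in ADMIN_PORTS if perm["FromPort"] <= p <= perm["ToPort"]}


def open_admin_rules(sg):
    """Ingress entries of a security group (describe_security_groups shape) that expose
    SSH or RDP to the whole internet (0.0.0.0/0 or ::/0)."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        ports = _ports_covered(perm)
        if not ports:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix is "anywhere"; checking the prefix length also catches ::/0.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                hits.append({"GroupId": sg["GroupId"], "IpProtocol": perm["IpProtocol"],
                             "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                             "Cidr": cidr, "Ports": sorted(ports)})
    return hits


def compliance_type(sg):
    """The verdict a custom AWS Config rule would report for this resource."""
    return "NON_COMPLIANT" if open_admin_rules(sg) else "COMPLIANT"


def remediation_plan(sg, replacement_cidr=ORG_FIREWALL_CIDR):
    """Revoke each world-open admin rule and re-authorize it for the firewall IP only.
    Each step carries the IpPermissions payload that ec2.revoke_security_group_ingress /
    ec2.authorize_security_group_ingress expect (the API calls themselves are not made here)."""
    plan = []
    for hit in open_admin_rules(sg):
        base = {"IpProtocol": hit["IpProtocol"]}
        if hit["FromPort"] is not None:
            base.update(FromPort=hit["FromPort"], ToPort=hit["ToPort"])
        if ":" in hit["Cidr"]:
            # Firewall address is IPv4-only: revoke ::/0, nothing to re-authorize.
            plan.append(("revoke", {**base, "Ipv6Ranges": [{"CidrIpv6": hit["Cidr"]}]}))
            continue
        plan.append(("revoke", {**base, "IpRanges": [{"CidrIp": hit["Cidr"]}]}))
        plan.append(("authorize", {**base, "IpRanges": [{"CidrIp": replacement_cidr}]}))
    return plan


# Constructed sample groups: one with developer-added 0.0.0.0/0 rules, one compliant.
OPEN_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": ORG_FIREWALL_CIDR}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # HTTPS open to the world is not an admin port and is left alone.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
COMPLIANT_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ORG_FIREWALL_CIDR}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for sg in (OPEN_SG, COMPLIANT_SG):
        print(sg["GroupId"], compliance_type(sg))
        for step, payload in remediation_plan(sg):
            print("  ", step, payload)
```

The revoke step is deliberately built from the exact offending entry (protocol, port range, CIDR) rather than from the whole permission, so a rule that already lists the firewall IP alongside 0.0.0.0/0, as the RDP rule above does, keeps its legitimate entry.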

Questions 6

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).

What mechanism will allow the company to implement all required network rules without incurring additional cost?

A. Configure AWS WAF rules to implement the required rules.

B. Use the operating system built-in, host-based firewall to implement the required rules.

C. Use a NAT gateway to control ingress and egress according to the requirements.

D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.


Correct Answer: B

Questions 7

You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?

Please select:

A. Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.

B. Check the Outbound security rules for the database security group. Check the Inbound security rules for the application security group.

C. Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group.

D. Check the Outbound security rules for the database security group. Check both the Inbound and Outbound security rules for the application security group.


Correct Answer: A

Since the communication is established inbound to the database server and outbound from the application server, you only need to check the Outbound rules of the application server's security group and then the Inbound rules of the database server's security group.

Option B cannot be the correct answer: it says we need to check the Outbound rules of the database security group, which is not needed.

We need to check the Inbound rules of the DB security group and the Outbound rules of the application security group, because these two groups need to communicate with each other for the application to function properly.

Option C is invalid because you do not need to check the Outbound security rules for the database security group.

Option D is invalid because you do not need to check the Inbound security rules for the application security group.

For more information on security groups, please refer to the URL below:

The correct answer is: Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.

Questions 8

A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the entries below is required in the private subnet database security group DBSecGrp?

Please select:

A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

B. Allow Inbound on port 3306 from source 20.0.0.0/16.

C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.

D. Allow Outbound on port 80 for Destination NAT Instance IP.


Correct Answer: A

Since the web server needs to talk to the database server on port 3306, the database server must allow incoming traffic on port 3306. The table in the AWS documentation linked below shows how the security groups should be set up.

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.

Options C and D are invalid because you need to allow inbound traffic, not outbound traffic. For more information on security groups, please visit the link below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

Questions 9

Your company is planning to host its resources on AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy?

Please select:

A. Using the AWS KMS service for creation of the keys and the company managing the key lifecycle thereafter.

B. Generating the key pairs for the EC2 Instances using puttygen

C. Use the EC2 Key pairs that come with AWS

D. Use S3 server-side encryption


Correct Answer: B

By ensuring that you generate the key pairs for the EC2 instances yourself, you have complete control of the access keys.

Options A, C and D are invalid because all of these processes mean that AWS has ownership of the keys, and the question specifically states that you need ownership of the keys. For information on security for compute resources, please visit the URL below:

https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

The correct answer is: Generating the key pairs for the EC2 Instances using puttygen

Questions 10

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

Which solution meets these requirements?

A. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

B. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

C. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

D. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.


Correct Answer: A

Questions 11

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.

Which solution will meet these requirements?

A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.

B. Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.

C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.


Correct Answer: B

Questions 12

A company has two VPCs in the us-east-1 Region: vpc-1 and vpc-2. The company recently created an Amazon API Gateway REST API with the endpoint type set to PRIVATE. The company also created a VPC endpoint for the REST API in vpc-1. Resources in vpc-1 can access the REST API successfully.

The company now wants to give resources in vpc-2 the ability to access the REST API. The company creates a VPC endpoint for the REST API in vpc-2, but the resources in vpc-2 cannot access the REST API.

A security engineer must make the REST API accessible to resources in vpc-2 by creating a solution that provides the minimum access that is necessary.

Which solution will meet these requirements?

A. Set up VPC peering between vpc-1 and vpc-2. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.

B. Set up a VPC endpoint of vpc-2 in vpc-1. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.

C. Set the API endpoint type to REGIONAL. Attach a resource policy to the REST API to allow access from vpc-2.

D. Keep the API endpoint type as PRIVATE. Attach a resource policy to the REST API to allow access from vpc-2.


Correct Answer: B

Questions 13

A company has application logs from AWS accounts in an organization in AWS Organizations. A security engineer is copying these logs to a centralized Amazon S3 bucket in the security team's AWS account.

Each of the company's applications is in its own AWS account. Logs are encrypted and pushed into S3 buckets that are associated with each account.

The security engineer deploys an AWS Lambda function into each account to copy the relevant log files to the centralized S3 bucket. The Lambda function can copy the log files into the centralized S3 bucket.

The Lambda function's IAM execution role policy from the security team's AWS account is the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The centralized S3 bucket policy is the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/LogCopier",
                    "arn:aws:iam::444455556666:role/LogCopier"
                ]
            },
            "Action": ["s3:*"],
            "Resource": "*"
        }
    ]
}

The security engineer needs to remove excess permissions while ensuring the functionality of the solution.

Which changes to the policies meet these requirements? (Choose two.)

A. Update the centralized S3 bucket policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/LogCopier",
                    "arn:aws:iam::444455556666:role/LogCopier"
                ]
            },
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::centralizedbucket/"
        }
    ]
}

B. Update the centralized S3 bucket policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/LogCopier",
                    "arn:aws:iam::444455556666:role/LogCopier"
                ]
            },
            "Action": ["s3:Put*"],
            "Resource": "arn:aws:s3:::centralizedbucket/*"
        }
    ]
}

C. Update the Lambda IAM execution role policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::centralizedbucket/*",
                "arn:aws:s3:::centralizedbucket/"
            ],
            "Effect": "Allow"
        }
    ]
}

D. Update the Lambda IAM execution role policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:Put*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::centralizedbucket/*",
                "arn:aws:s3:::centralizedbucket/"
            ],
            "Effect": "Allow"
        }
    ]
}

E. Update the Lambda IAM execution role policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:Put*", "s3:Get*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::centralizedbucket/*",
                "arn:aws:s3:::centralizedbucket/"
            ],
            "Effect": "Allow"
        }
    ]
}


Correct Answer: AE
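Why the original policies carry excess permission and why the AE combination still works, shown as an added example (not code from this page or from AWS): a small IAM-style evaluator that matches `Action` and `Resource` patterns the way IAM does (case-insensitive actions, `*` wildcards, explicit Deny wins), a least-privilege review that flags wildcard grants, and a cross-account check requiring both the role policy and the bucket policy to allow an operation. The policies are transcribed from the question; conditions, `NotAction` and `Principal` matching are not modelled, and the bucket policy is assumed to be evaluated for one of the listed LogCopier roles. Option A's resource is written in object-ARN form `arn:aws:s3:::centralizedbucket/*` (an assumption: a PutObject grant has to match the object key being written).

```python
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive.
    return fnmatch.fnmatchcase(resource, pattern)


def allows(policy, action, resource):
    """Simplified IAM evaluation of one (action, resource) pair: an explicit Deny wins,
    otherwise any matching Allow grants access. Conditions/NotAction are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        act_hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        res_hit = any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (act_hit and res_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_allowed(role_policy, bucket_policy, action, resource):
    """Cross-account S3 access needs BOTH the caller's identity policy and the bucket policy
    to allow the call (assumes the caller is one of the bucket policy's principals)."""
    return allows(role_policy, action, resource) and allows(bucket_policy, action, resource)


def wildcard_findings(policy):
    """Least-privilege review: Allow statements using wildcard actions or Resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"statement {i}: wildcard action {a!r}"
                     for a in _as_list(stmt.get("Action", [])) if "*" in a]
        findings += [f"statement {i}: resource '*'"
                     for r in _as_list(stmt.get("Resource", [])) if r == "*"]
    return findings


# Policies transcribed from the question and its options.
LOG_COPIER_ROLES = ["arn:aws:iam::111122223333:role/LogCopier",
                    "arn:aws:iam::444455556666:role/LogCopier"]

ORIGINAL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "s3:*", "Resource": "*", "Effect": "Allow"}],
}
OPTION_A_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LOG_COPIER_ROLES},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::centralizedbucket/*",  # object-ARN form (assumed)
    }],
}
OPTION_E_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:Put*", "s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::centralizedbucket/*", "arn:aws:s3:::centralizedbucket/"],
        "Effect": "Allow",
    }],
}

LOG_OBJECT = "arn:aws:s3:::centralizedbucket/app1/2025/log.gz"  # constructed object key

if __name__ == "__main__":
    print("original role policy findings:", wildcard_findings(ORIGINAL_ROLE_POLICY))
    for action in ("s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket"):
        before = cross_account_allowed(ORIGINAL_ROLE_POLICY, ORIGINAL_ROLE_POLICY, action, LOG_OBJECT)
        after = cross_account_allowed(OPTION_E_ROLE_POLICY, OPTION_A_BUCKET_POLICY, action, LOG_OBJECT)
        print(f"{action:16} before={before!s:5} after={after}")
```

Run as a script, it shows that the copy operation the solution depends on (PutObject into the centralized bucket) survives the change, while destructive actions that the original `s3:*` on `*` granted across every bucket in the account no longer pass either policy. The bucket policy is the narrower of the two after the change, which is why option B's `s3:Put*` would still leave more open than option A's single action.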

Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Last Update: Jun 09, 2025
Questions: 733



2025 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.