SCS-C01 Free Practice Test

- (Exam Topic 3)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

1. A. Create individual IAM users
2. B. Configure MFA on the root account and for privileged IAM users
3. C. Assign IAM users and groups configured with policies granting least privilege access
4. D. Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, andX.509 certificate

Correct Answer: ABC
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option D is invalid because as per the dashboard, this is not part of the security recommendation For more information on best security practices please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices;
The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users. Assign IAM users and groups configured with policies granting least privilege access
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions.
What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

1. A. Enable Amazon GuardDuty in all Region
2. B. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
3. C. Use an organization in AWS Organization
4. D. Attach an SCP that allows all actions when the aws: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.
5. E. Provision EC2 resources by using AWS Cloud Formation templates through AWS CodePipelin
6. F. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
7. G. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Correct Answer: C

- (Exam Topic 3)
A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?
A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

1. A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
2. B. Place the DB instance in a public subnet.
3. C. Place the DB instance in a private subnet.
4. D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
5. E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
6. F. Deploy the ALB in a private subnet.

Correct Answer: ACE

- (Exam Topic 3)
A company is planning to run a number of Admin related scripts using the AWS Lambda service. There is a need to understand if there are any errors encountered when the script run. How can this be accomplished in the most effective manner.
Please select:

1. A. Use Cloudwatch metrics and logs to watch for errors
2. B. Use Cloudtrail to monitor for errors
3. C. Use the AWS Config service to monitor for errors
4. D. Use the AWS inspector service to monitor for errors

Correct Answer: A
The AWS Documentation mentions the following
AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function. Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.
Option B,C and D are all invalid because these services cannot be used to monitor for errors. I For more information on Monitoring Lambda functions, please visit the following URL: https://docs.aws.amazon.com/lambda/latest/dg/monitorine-functions-loes.htmll
The correct answer is: Use Cloudwatch metrics and logs to watch for errors Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.
Please select:

1. A. Set up VPC peering between the central server VPC and each of the teams VPCs.
2. B. Set up AWS DirectConnect between the central server VPC and each of the teams VPCs.
3. C. Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.
4. D. None of the above options will work.

Correct Answer: A
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
Options B and C are invalid because you need to use VPC Peering Option D is invalid because VPC Peering is available
For more information on VPC Peering please see the below Link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html
The correct answer is: Set up VPC peering between the central server VPC and each of the teams VPCs. Submit your Feedback/Queries to our Experts