SCS-C01 Free Practice Test

- (Exam Topic 3)
A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained
What Is the MOST secure and cost-effective solution to meet these requirements?

1. A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API
2. B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
3. C. Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API
4. D. Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Correct Answer: B

- (Exam Topic 1)
A company is designing the securely architecture (or a global latency-sensitive web application it plans to deploy to AWS. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

1. A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Regio
2. B. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Regio
3. C. Create an AmazonCloudFront distribution that uses the ALB as its origi
4. D. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
5. E. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Regio
6. F. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Regio
7. G. Create an Amazon CloudFront distribution that uses the ALB as its origi
8. H. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
9. I. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Regio
10. J. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Regio
11. K. Create appropriate AWS WAF ACLs and enable them on the ALB.
12. L. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Regio
13. M. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Regio
14. N. Create appropriate AWS WAF ACLs and enable them on the ALB.

Correct Answer: A

- (Exam Topic 1)
Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

1. A. Deploy AWS WAF to block all unsecured web applications from accessing the internet.
2. B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
3. C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
4. D. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
5. E. Use the default Amazon VPC for externakfacing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.

Correct Answer: BD

- (Exam Topic 2)
In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?

1. A. Change the S3 bucket/object permission so that only the bucket owner has access.
2. B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
3. C. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
4. D. Redirect S3 bucket access to the corresponding CloudFront distribution.

Correct Answer: B
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3

- (Exam Topic 3)
A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.
Which encryption method will meet these requirements?

1. A. Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS)
2. B. Use server-side encryption with customer-provided keys (SSE-C)
3. C. Use server-side encryption with AWS KMS managed keys (SSE-KMS)
4. D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Correct Answer: C