SCS-C01 Free Practice Test

- (Exam Topic 3)
Your company use AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used.
Please select:

1. A. Use CloudTrail to see if any KMS API request has been issued against existing keys
2. B. Use Key policies to see the access level for the keys
3. C. Rotate the keys once before deletion to see if other services are using the keys
4. D. Change the IAM policy for the keys to see if other services are using the keys

Correct Answer: A
The AWS lentation mentions the following
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it
Options B and D are incorrect because Key policies nor IAM policies can be used to check if the keys are being used.
Option C is incorrect since rotation will not help you check if the keys are being used. For more information on deleting keys, please refer to below URL:
https://docs.aws.amazon.com/kms/latest/developereuide/deletine-keys-creatine-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Which of the following is the responsibility of the customer? Choose 2 answers from the options given below. Please select:

1. A. Management of the Edge locations
2. B. Encryption of data at rest
3. C. Protection of data in transit
4. D. Decommissioning of old storage devices

Correct Answer: BC
Below is the snapshot of the Shared Responsibility Model C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on AWS Security best practises, please refer to below URL awsstatic corn/whitepapers/Security/AWS Practices.
The correct answers are: Encryption of data at rest Protection of data in transit Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure.
Which of the following solutions would provide the MOST scalable solution?

1. A. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider
2. B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
3. C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly
4. D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Correct Answer: B

- (Exam Topic 3)
You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via GIT.
Which one of the following setups would give us the highest level of security? Choose the correct answer from the options given below.
Please select:

1. A. EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
2. B. EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
3. C. EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
4. D. EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Correct Answer: D
The below diagram shows how the NAT instance works. To make EC2 instances very secure, they need to be in a private sub such as the database server shown below with no EIP and all traffic routed via the NAT.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A and B are invalid because the instances need to be in the private subnet
Option C is invalid because since the instance needs to be in the private subnet, you should not attach an EIP to the instance
For more information on NAT instance, please refer to the below Link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC lnstance.html!
The correct answer is: EC2 instances in our private subnet no EIPs, route outgoing traffic via the NAT Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
In your LAMP application, you have some developers that say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below
Please select:

1. A. Give only the necessary access to the Apache servers so that the developers can gain access to the log files.
2. B. Give root access to your Apache servers to the developers.
3. C. Give read-only access to your developers to the Apache servers.
4. D. Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.

Correct Answer: D
One important security aspect is to never give access to actual servers, hence Option A.B and C are just totally wrong from a security perspective.
The best option is to have a central logging server that can be used to archive logs. These logs can then be stored in S3.
Options A,B and C are all invalid because you should not give access to the developers on the Apache se For more information on S3, please refer to the below link
https://aws.amazon.com/documentation/s3j
The correct answer is: Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.
Submit vour Feedback/Queries to our Experts