SCS-C01 Free Practice Test

- (Exam Topic 3)
An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
Please select:

1. A. Expose the data with a public HTTPS endpoint.
2. B. A VPN between the VPC and the data center over a Direct Connect connection
3. C. A VPN between the VPC and the data center.
4. D. A Direct Connect connection between the VPC and data center

Correct Answer: B
Since this is required over a consistency low latency connection, you should use Direct Connect. For encryption, you can make use of a VPN
Option A is invalid because exposing an HTTPS endpoint will not help all traffic to flow between a VPC and the data center.
Option C is invalid because low latency is a key requirement Option D is invalid because only Direct Connect will not suffice
For more information on the connection options please see the below Link: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharint
The correct answer is: A VPN between the VPC and the data center over a Direct Connect connection Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?

1. A. Create an IAM role in the production account and allow EC2 instances in the development account toassume that role using the trust polic
2. B. Provide read access for the required S3 bucket to this role.
3. C. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
4. D. Create a temporary IAM user for the application to use in the production account.
5. E. Create a temporary IAM user in the production account and provide read access to Amazon S3.Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Correct Answer: B

- (Exam Topic 2)
A company’s security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

1. A. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
2. B. Create an AWS Config configuration item for each VPC in the company AWS account.
3. C. Create an AWS Config managed rule with a resource type of AWS:: Lambda:: Function.
4. D. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
5. E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

Correct Answer: AE
https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-a

- (Exam Topic 2)
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

1. A. Remove the instance from the load balancer and terminate it.
2. B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
3. C. Reboot the instance and check for any Amazon CloudWatch alarms.
4. D. Stop the instance and make a snapshot of the root EBS volume.

Correct Answer: B
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

- (Exam Topic 2)
Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

1. A. Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
2. B. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
3. C. Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
4. D. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Correct Answer: B
"automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it will not mitigate the effect of a compromised data key. You might decide to create a new CMK and use it in place of the original CMK. This has the same effect as rotating the key material in an existing CMK, so it's often thought of as manually rotating the key." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html