SCS-C01 Free Practice Test

- (Exam Topic 3)
Your company currently has a set of EC2 Instances hosted in a VPC. The IT Security department is suspecting a possible DDos attack on the instances. What can you do to zero in on the IP addresses which are receiving a flurry of requests.
Please select:

1. A. Use VPC Flow logs to get the IP addresses accessing the EC2 Instances
2. B. Use AWS Cloud trail to get the IP addresses accessing the EC2 Instances
3. C. Use AWS Config to get the IP addresses accessing the EC2 Instances
4. D. Use AWS Trusted Advisor to get the IP addresses accessing the EC2 Instances

Correct Answer: A
With VPC Flow logs you can get the list of IP addresses which are hitting the Instances in your VPC You can then use the information in the logs to see which external IP addresses are sending a flurry of requests which could be the potential threat foi a DDos attack.
Option B is incorrect Cloud Trail records AWS API calls for your account. VPC FLowlogs logs network traffic for VPC, subnets. Network interfaces etc.
As per AWS, VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC where as AWS CloudTrail, is a service that captures API calls and delivers the log files to an Amazon S3 bucket that you specify.
Option C is invalid this is a config service and will not be able to get the IP addresses
Option D is invalid because this is a recommendation service and will not be able to get the IP addresses For more information on VPC Flow Logs, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answer is: Use VPC Flow logs to get the IP addresses accessing the EC2 Instances Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

1. A. Place each file into a different S3 bucke
2. B. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
3. C. Put all the files in the same S3 bucke
4. D. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
5. E. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
6. F. Place all the files in the same S3 bucke
7. G. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data

Correct Answer: C

- (Exam Topic 3)
An application is designed to run on an EC2 Instance. The applications needs to work with an S3 bucket. From a security perspective , what is the ideal way for the EC2 instance/ application to be configured?
Please select:

1. A. Use the AWS access keys ensuring that they are frequently rotated.
2. B. Assign an IAM user to the application that has specific access to only that S3 bucket
3. C. Assign an IAM Role and assign it to the EC2 Instance
4. D. Assign an IAM group and assign it to the EC2 Instance

Correct Answer: C
The below diagram from the AWS whitepaper shows the best security practicse of allocating a role that has access to the S3 bucket
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A,B and D are invalid because using users, groups or access keys is an invalid security practise when giving access to resources from other AWS resources.
For more information on the Security Best practices, please visit the following URL: https://d1.awsstatic.com/whitepapers/Security/AWS Security Best Practices.pdl
The correct answer is: Assign an IAM Role and assign it to the EC2 Instance Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions.
What is the SIMPLEST way to meet these requirements?

1. A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
2. B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
3. C. Enable AWS CloudTrail by creating a new trail and applying the trail to all region
4. D. Specify a single Amazon S3 bucket as the storage location.
5. E. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Correct Answer: C

- (Exam Topic 2)
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

1. A. In the AWS Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.
2. B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
3. C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
4. D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

Correct Answer: C
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateCredentialReport.html https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetCredentialReport.html