SCS-C01 Free Practice Test

- (Exam Topic 2)
A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:
Users may access the website by using an Amazon CloudFront distribution.
Users may not access the website directly by using an Amazon S3 URL.
Which configurations will support these requirements? (Choose two.)

1. A. Associate an origin access identity with the CloudFront distribution.
2. B. Implement a “Principal”: “cloudfront.amazonaws.com” condition in the S3 bucket policy.
3. C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
4. D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
5. E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

Correct Answer: AC

- (Exam Topic 1)
A Security Engineer is setting up a new AWS account. The Engineer has been asked to continuously monitor the company's AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks
How can the Security Engineer accomplish this using AWS services?

1. A. Enable AWS Config and set it to record all resources in all Regions and global resource
2. B. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled
3. C. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmark
4. D. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings
5. E. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmark
6. F. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
7. G. Enable AWS Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.

Correct Answer: B

- (Exam Topic 2)
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?

1. A. Configure AWS WAF rules to implement the required rules.
2. B. Use the operating system built-in, host-based firewall to implement the required rules.
3. C. Use a NAT gateway to control ingress and egress according to the requirements.
4. D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

Correct Answer: B

- (Exam Topic 3)
You have a set of Keys defined using the AWS KMS service. You want to stop using a couple of keys , but are not sure of which services are currently using the keys. Which of the following would be a safe option to stop using the keys from further usage.
Please select:

1. A. Delete the keys since anyway there is a 7 day waiting period before deletion
2. B. Disable the keys
3. C. Set an alias for the key
4. D. Change the key material for the key

Correct Answer: B
Option A is invalid because once you schedule the deletion and waiting period ends, you cannot come back
from the deletion process.
Option C and D are invalid because these will not check to see if the keys are being used or not The AWS Documentation mentions the following
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
For more information on deleting keys from KMS, please visit the below URL: https://docs.aws.amazon.com/kms/latest/developereuide/deleting-keys.html
The correct answer is: Disable the keys Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs.
Which AWS services should be used to meet these requirements? (Select TWO)

1. A. Amazon Athena
2. B. Amazon Kinesis
3. C. Amazon SQS
4. D. Amazon Elasticsearch
5. E. Amazon EMR

Correct Answer: BD