SCS-C01 Free Practice Test

- (Exam Topic 3)
A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production , testing and development environments. Which of the following is an ideal way to design such a setup?
Please select:

1. A. Use separate VPCs for each of the environments
2. B. Use separate IAM Roles for each of the environments
3. C. Use separate IAM Policies for each of the environments
4. D. Use separate AWS accounts for each of the environments

Correct Answer: D
A recommendation from the AWS Security Best practices highlights this as well C:\Users\wk\Desktop\mudassar\Untitled.jpg

option A is partially valid, you can segregate resources, but a best practise is to have multiple accounts for this setup.
Options B and C are invalid because from a maintenance perspective this could become very difficult For more information on the Security Best practices, please visit the following URL:
https://dl.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use separate AWS accounts for each of the environments Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an AWS Lambda function m an AWS CodeCommit repository in the DevOps account
How should the security learn securely store the API key?

1. A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) tor encryption Require the development team to migrate the Lambda source code to this repository
2. B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 ke
3. C. and specify the URL m a Lambda environmental variable in the AWS CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API
4. D. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
5. E. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AM role used by the Lambda function so that the function can decrypt the key at runtime

Correct Answer: C

- (Exam Topic 2)
The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.
What is the MOST cost-effective way to correct this?

1. A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
2. B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
3. C. Update the policy, keeping the vault lock in place.
4. D. Update the policy and call initiate-vault-lock again to apply the new policy.

Correct Answer: A
Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

- (Exam Topic 3)
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

1. A. Turn on AWS CloudTrail in each AWS account
2. B. Turn on CloudTrail in only the account that will be storing the logs
3. C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
4. D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account
5. E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Correct Answer: AE

- (Exam Topic 3)
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?
Please select:

1. A. Launch the test and production instances in separate regions and allow region wise access to the group
2. B. Define the IAM policy which allows access based on the instance ID
3. C. Create an IAM policy with a condition which allows access to only small instances
4. D. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specification tags

Correct Answer: D
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you've assigned to it
Option A is invalid because this is not a recommended practices
Option B is invalid because this is an overhead to maintain this in policies Option C is invalid because the instance type will not resolve the requirement For information on resource tagging, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Usine_Tags.htmll
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
Submit your Feedback/Queries to our Experts