SCS-C01 Free Practice Test

- (Exam Topic 2)
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)

1. A. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.
2. B. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
3. C. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
4. D. Use unique log file prefixes for trails in each AWS account.
5. E. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
6. F. Enable encryption of the log files by using AWS Key Management Service

Correct Answer: ACE
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts. Note Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.

- (Exam Topic 3)
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances . The application will store highly sensitive user data in Amazon RDS tables
The application must
• Include migration to a different AWS Region in the application disaster recovery plan.
• Provide a full audit trail of encryption key administration events
• Allow only company administrators to administer keys.
• Protect data at rest using application layer encryption
A Security Engineer is evaluating options for encryption key management
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

1. A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
2. B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys
3. C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS
4. D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not

Correct Answer: B

- (Exam Topic 1)
A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?

1. A. Create a new CM
2. B. Download a new wrapping key and a new import token to import the original key material
3. C. Create a new CMK Use the original wrapping key and import token to import the original key material.
4. D. Download a new wrapping key and a new import token Import the original key material into the existing CMK.
5. E. Use the original wrapping key and import token Import the original key material into the existing CMK

Correct Answer: C

- (Exam Topic 3)
A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account.
The security team wants to use Amazon Detective However the security team cannot enable Detective and is unsure why
What must the security team do to enable Detective?

1. A. Enable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.
2. B. Disable AWS Key Management Service (AWS KMS) encryption on CtoudTrail logs in every member account of the organization
3. C. Enable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours
4. D. Ensure that the principal that launches Detective has the organizations ListAccounts permission

Correct Answer: D

- (Exam Topic 2)
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise. The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated.
What approach enables the Administrator to search through the logs MOST efficiently?

1. A. Implement a “write-only” CloudTrail event filter to detect any modifications to the AWS account resources.
2. B. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
3. C. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
4. D. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.

Correct Answer: C