SCS-C01 Free Practice Test

- (Exam Topic 3)
A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways.
Which combination of steps should the application team take to meet these requirements? (Select THREE.)

1. A. Create an S3 endpoint that has a full-access policy for the application's VPC.
2. B. Create an S3 access point for the S3 bucke
3. C. Include a policy that restricts the network origin to VPCs.
4. D. Launch the Lambda functio
5. E. Enable the block public access configuration.
6. F. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpomt.Associate the security group with the EC2 instances.
7. G. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point.Associate the security group with the EC2 instances.
8. H. Launch the Lambda function in a VPC.

Correct Answer: ADF

- (Exam Topic 3)
Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?
Please select:

1. A. Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.
2. B. Query the Trusted Advisor API for all best practice security checks and check for "action recommened" status.
3. C. Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.
4. D. Run an Amazon inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

Correct Answer: D
Option B is incorrect because querying Trusted Advisor API's are not possible
Option C is incorrect because GuardDuty should be used to detect threats and not check the compliance of security protocols.
Option D states that Run Amazon Inspector using runtime behavior analysis rules which will analyze the behavior of your instances during an assessment run, and provide guidance about how to make your EC2 instances more secure.
Insecure Server Protocols
This rule helps determine whether your EC2 instances allow support for insecure and unencrypted ports/services such as FTP, Telnet HTTP, IMAP, POP version 3, SMTP, SNMP versions 1 and 2, rsh, and rlogin.
For more information, please refer to below URL: https://docs.aws.amazon.eom/mspector/latest/userguide/inspector_runtime-behavior-analysis.html#insecure-prot
(
The correct answer is: Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Please select:

1. A. "Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"
2. B. "Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"
3. C. "Effect': "Allow", "Action": ["aws-portal:ViewUsage"," aws-portal:ViewBilling"], "Resource": "*"
4. D. "Effect": "Allow", "Action": ["aws-portal: ViewBilling"], "Resource": "*"

Correct Answer: C
the aws documentation, below is the access required for a user to access the Usage reports page and as per this, Option C is the right answer.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

- (Exam Topic 3)
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
Please select:

1. A. Create a new role and add each user to the IAM role
2. B. Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
3. C. Create a policy and apply it to multiple users using a JSON script
4. D. Create an S3 bucket policy with unlimited access which includes each user's AWS account ID

Correct Answer: B
Option A is incorrect since you don't add a user to the IAM Role Option C is incorrect since you don't assign multiple users to a policy Option D is incorrect since this is not an ideal approach
An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group
For more information on IAM Groups, just browse to the below URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_eroups.html
The correct answer is: Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance. Select 2 answers from the options given below
Please select:

1. A. Remove the role applied to the Ec2 Instance
2. B. Create a separate forensic instance
3. C. Ensure that the security groups only allow communication to this forensic instance
4. D. Terminate the instance

Correct Answer: BC
Option A is invalid because removing the role will not help completely in such a situation
Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance
One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.
For more information on security scenarios for your EC2 Instance, please refer to below URL: https://d1.awsstatic.com/Marketplace/scenarios/security/SEC 11 TSB Final.pd1
The correct answers are: Create a separate forensic instance. Ensure that the security groups only allow communication to this forensic instance
Submit your Feedback/Queries to our Experts