SCS-C01 Free Practice Test

- (Exam Topic 2)
A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?
Please select:

1. A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
2. B. Use a custom solution available in the AWS Marketplace
3. C. Use VPC Flow logs to detect the issues and flag them accordingly.
4. D. Use AWS Cloudwatch to monitor all traffic

Correct Answer: B
Sometimes companies want to have custom solutions in place for monitoring Intrusions to their systems. In such a case, you can use the AWS Marketplace for looking at custom solutions.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A.C and D are all invalid because they cannot be used to conduct intrusion detection or prevention. For more information on using custom security solutions please visit the below URL https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution 0verview.pdf
For more information on using custom security solutions please visit the below URL: https://d1 .awsstatic.com/Marketplace/security/AWSMP Security Solution Overview.pd1
The correct answer is: Use a custom solution available in the AWS Marketplace Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other Developers use SSL certificates to encrypt the traffic between the public users and the ALB However the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances
Which combination of activities must the company implement to meet its encryption requirements'? (Select TWO )

1. A. Configure SSLTLS on the EC2 instances and configure the ALB target group to use HTTPS
2. B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
3. C. In the AL
4. D. select the default encryption to encrypt the traffic between the ALB and the EC2 instances
5. E. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances
6. F. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances

Correct Answer: BC

- (Exam Topic 2)
A company is hosting a website that must be accessible to users for HTTPS traffic. Also port 22 should be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below
Please select:

1. A. Port 443 coming from 0.0.0.0/0
2. B. Port 443 coming from 10.0.0.0/16
3. C. Port 22 coming from 0.0.0.0/0
4. D. Port 22 coming from 203.0.113.1/32

Correct Answer: AD
Since HTTPS traffic is required for all users on the Internet, Port 443 should be open on all IP addresses. For port 22, the traffic should be restricted to an internal subnet.
Option B is invalid, because this only allow traffic from a particular CIDR block and not from the internet Option C is invalid because allowing port 22 from the internet is a security risk
For more information on AWS Security Groups, please visit the following UR https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usins-network-secunty.htmll
The correct answers are: Port 443 coming from 0.0.0.0/0, Port 22 coming from 203.0.113.1 /32 Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

1. A. Ensure CloudTrail log file validation is turned on
2. B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
3. C. Use an S3 bucket with tight access controls that exists m a separate account
4. D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
5. E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
6. F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

Correct Answer: ADE

- (Exam Topic 2)
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?

1. A. Disable network ACLs.
2. B. Configure the security appliance's elastic network interface for promiscuous mode.
3. C. Disable the Network Source/Destination check on the security appliance's elastic network interface
4. D. Place the security appliance in the public subnet with the internet gateway

Correct Answer: C
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. In this case virtual security appliance instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."