SCS-C01 Free Practice Test

- (Exam Topic 3)
A company wants to use Cloudtrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below
Please select:

1. A. Create one Cloudtrail log group for data events
2. B. Create one trail that logs data events to an S3 bucket
3. C. Create another trail that logs management events to another S3 bucket
4. D. Create another Cloudtrail log group for management events

Correct Answer: BC
The AWS Documentation mentions the following
You can configure multiple trails differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events, so that all read-only events are delivered to one S3 bucket. Another trail can log only write-only data and management events, so that all write-only events are delivered to a separate S3 bucket
Options A and D are invalid because you have to create a trail and not a log group
For more information on managing events with cloudtrail, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/loHEing-manasement-and-data-events-with-cloudtr The correct answers are: Create one trail that logs data events to an S3 bucket. Create another trail that logs management events to another S3 bucket
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
You have enabled Cloudtrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?
Please select:

1. A. Enable SSL certificates for the Cloudtrail logs
2. B. There is no need to do anything since the logs will already be encrypted
3. C. Enable Server side encryption for the trail
4. D. Enable Server side encryption for the destination S3 bucket

Correct Answer: B
The AWS Documentation mentions the following.
By default CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encryption your log files with an AWS Key Management Service (AWS KMS) key. You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about lo file delivery and validation, you can set up Amazon SNS notifications.
Option A.C and D are not valid since logs will already be encrypted
For more information on how Cloudtrail works, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/how-cloudtrail-works.htmll
The correct answer is: There is no need to do anything since the logs will already be encrypted Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

1. A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
2. B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policie
3. C. Query DynamoDB to retrieve the data key to decrypt the data
4. D. Use the Encrypt API to store an encrypted version of the data key with another customer managed key.Decrypt the data key and use it to decrypt the data when required.
5. E. Store the encrypted data key alongside the encrypted dat
6. F. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Correct Answer: D
We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data. The Decrypt API returns the plaintext key from the encrypted key. https://docs.aws.amazon.com/sdkfornet/latest/apidocs/items/MKeyManagementServiceKeyManagementService

- (Exam Topic 3)
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

1. A. Create an AWS Config rule to detect the creation of unencrypted RDS database
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
3. C. Use AWS System Manager State Manager to detect RDS database encryption configuration drif
4. D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
5. E. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the proces
6. F. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
7. G. Take a snapshot of the unencrypted RDS databas
8. H. Copy the snapshot and enable snapshot encryption in the proces
9. I. Restore the database instance from the newly created encrypted snapsho
10. J. Terminate the unencrypted database instance.
11. K. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Correct Answer: AD

- (Exam Topic 3)
You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?
Please select:

1. A. AWS Cloudwatch
2. B. AWS EC2
3. C. AWS Trusted Advisor
4. D. AWS SNS

Correct Answer: C
Below is a snapshot of the service limits that the Trusted Advisor can monitor C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because even though you can monitor resources, it cannot be checked against the service limit.
Option B is invalid because this is the Elastic Compute cloud service Option D is invalid because it can be send notification but not check on service limit For more information on the Trusted Advisor monitoring, please visit the below URL:
https://aws.amazon.com/premiumsupport/ta-faqs>
The correct answer is: AWS Trusted Advisor Submit your Feedback/Queries to our Experts