SCS-C01 Free Practice Test

- (Exam Topic 3)
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Select THREE).

1. A. Amazon Route 53
2. B. AWS Certificate Manager (ACM)
3. C. Amazon S3
4. D. AWS Shield
5. E. Elastic Load Balancer
6. F. Amazon GuardDuty

Correct Answer: DEF

- (Exam Topic 3)
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a
24- hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

1. A. Manually rotate a key within KMS to create a new CMK immediately
2. B. Use the KMS import key functionality to execute a delete key operation
3. C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
4. D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

Correct Answer: C

- (Exam Topic 3)
A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.
During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.
Which combination of options can the company use to meet these requirements? (Select TWO.)

1. A. Create a snapshot of the DB instanc
2. B. Copy the snapshot to a new snapshot, and enable encryption for the copy proces
3. C. Use the new snapshot to restore the DB instance.
4. D. Modify the configuration of the DB instance by enabling encryptio
5. E. Create a snapshot of the DB instanc
6. F. Use the snapshot to restore the DB instance.
7. G. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed awa/rds key.Select this key as the encryption key for operations with Amazon RDS.
8. H. Use AWS Key Management Service (AWS KMS] to create a new CM
9. I. Select this key as the encryption key for operations with Amazon RDS.
10. J. Create a snapshot of the DB instanc
11. K. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Correct Answer: CE

- (Exam Topic 3)
You need to ensure that the cloudtrail logs which are being delivered in your AWS account is encrypted. How can this be achieved in the easiest way possible?
Please select:

1. A. Don't do anything since CloudTrail logs are automatically encrypted.
2. B. Enable S3-SSE for the underlying bucket which receives the log files
3. C. Enable S3-KMS for the underlying bucket which receives the log files
4. D. Enable KMS encryption for the logs which are sent to Cloudwatch

Correct Answer: A
The AWS Documentation mentions the following
By default the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
Option B,C and D are all invalid because by default all logs are encrypted when they sent by Cloudtrail to S3 buckets
For more information on AWS Cloudtrail log encryption, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/encryptine-cloudtrail-loe-files-with-aws-kms.htmll The correct answer is: Don't do anything since CloudTrail logs are automatically encrypted. Submit your
Feedback/Queries to our Experts

- (Exam Topic 3)
You are working for a company and been allocated the task for ensuring that there is a federated authentication mechanism setup between AWS and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
Please select:

1. A. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
2. B. Ensure the right match is in place for On-premise AD Groups and IAM Groups.
3. C. Configure AWS as the relying party in Active Directory
4. D. Configure AWS as the relying party in Active Directory Federation services

Correct Answer: AD
The AWS Documentation mentions some key aspects with regards to the configuration of On-premise AD with AWS
One is the Groups configuration in AD Active Directory Configuration
Determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access will be managed through regular [removed]regex) matching between your
on-premises AD group name to an AWS IAM role.
One approach for creating the AD groups that uniquely identify the AWS IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, AWS-, as this will distinguish your AWS groups from others within the organization. Next include the
12- digitAWS account number. Finally, add the matching role name within the AWS account. Here is an example:
C:\Users\wk\Desktop\mudassar\Untitled.jpg

And next is the configuration of the relying party which is AWS
ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to IAM Groups
Option C is invalid because the relying party should be configured in Active Directory Federation services For more information on the federated access, please visit the following URL:
1
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-a
The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure AWS as the relying party in Active Directory Federation services
Submit your Feedback/Queries to our Experts