SCS-C01 Free Practice Test

- (Exam Topic 2)
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

1. A. Ensure that the log file integrity validation mechanism is enabled.
2. B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
3. C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
4. D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.
5. E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internalcorporate network only.

Correct Answer: AD

- (Exam Topic 3)
A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.
Which solution meets these requirements?

1. A. Use AWS Systems Manager Parameter Store to store the database credentiai
2. B. Configure automatic rotation of the credentials.
3. C. Use AWS Secrets Manager to store the database credential
4. D. Configure automat* rotation of the credentials
5. E. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with 1AM database authentication.
6. F. Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an AWS Lambda function to rotate the credentials on a scheduled basts

Correct Answer: A

- (Exam Topic 3)
Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 Instances need to be secure. How would you accomplish this?
Please select:

1. A. Use an Application Load balancer and terminate the SSL connection at the ELB
2. B. Use a Classic Load balancer and terminate the SSL connection at the ELB
3. C. Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
4. D. Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances

Correct Answer: D
Since there are applications which work on legacy protocols, you need to ensure that the ELB can be used at the network layer as well and hence you should choose the Classic ELB. Since the traffic needs to be secure till the EC2 Instances, the SSL termination should occur on the Ec2 Instances.
Option A and C are invalid because you need to use a Classic Load balancer since this is a legacy application. Option B is incorrect since encryption is required until the EC2 Instance
For more information on HTTPS listeners for classic load balancers, please refer to below URL https://docs.aws.ama20n.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.htmll
The correct answer is: Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A Developer signed in to a new account within an AWS Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

1. A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
2. B. Add an IAM policy for the Developer, which grants S3 access.
3. C. Create a new OU without applying the SCP restricting S3 acces
4. D. Move the Developer account to this new OU.
5. E. Add an allow list for the Developer account for the S3 service.

Correct Answer: B

- (Exam Topic 3)
Your company is planning on AWS on hosting its AWS resources. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure of following this policy?
Please select:

1. A. Using the AWS KMS service for creation of the keys and the company managing the key lifecycle thereafter.
2. B. Generating the key pairs for the EC2 Instances using puttygen
3. C. Use the EC2 Key pairs that come with AWS
4. D. Use S3 server-side encryption

Correct Answer: B
y ensuring that you generate the key pairs for EC2 Instances, you will have complete control of the access keys.
Options A,C and D are invalid because all of these processes means that AWS has ownership of the keys. And the question specifically mentions that you need ownership of the keys
For information on security for Compute Resources, please visit the below URL: https://d1.awsstatic.com/whitepapers/Security/Security Compute Services Whitepaper.pdfl
The correct answer is: Generating the key pairs for the EC2 Instances using puttygen Submit your Feedback/Queries to our Experts