SCS-C01 Free Practice Test

- (Exam Topic 3)
You currently have an S3 bucket hosted in an AWS Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

1. A. Ensure an IAM role is created which can be assumed by the partner account.
2. B. Ensure an IAM user is created which can be assumed by the partner account.
3. C. Ensure the partner uses an external id when making the request
4. D. Provide the ARN for the role to the partner account
5. E. Provide the Account Id to the partner account
6. F. Provide access keys for your account to the partner account

Correct Answer: ACD
Option B is invalid because Roles are assumed and not IAM users
Option E is invalid because you should not give the account ID to the partner Option F is invalid because you should not give the access keys to the partner
The below diagram from the AWS documentation showcases an example on this wherein an IAM role and external ID is us> access an AWS account resources
C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on creating roles for external ID'S please visit the following URL:
The correct answers are: Ensure an IAM role is created which can be assumed by the partner account. Ensure the partner uses an external id when making the request Provide the ARN for the role to the partner account
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?

1. A. Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucke
2. B. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion
3. C. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
4. D. Create a new AWS account with limited privilege
5. E. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis
6. F. Use AWS Backup to copy EBS snapshots to Amazon S3.

Correct Answer: A

- (Exam Topic 2)
For compliance reasons, an organization limits the use of resources to three specific AWS regions. It wants to be alerted when any resources are launched in unapproved regions.
Which of the following approaches will provide alerts on any resources launched in an unapproved region?

1. A. Develop an alerting mechanism based on processing AWS CloudTrail logs.
2. B. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
3. C. Analyze Amazon CloudWatch Logs for activities in unapproved regions.
4. D. Use AWS Trusted Advisor to alert on all resources being created.

Correct Answer: A
https://stackoverflow.com/questions/45449053/cloudwatch-alert-on-any-instance-creation

- (Exam Topic 1)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.
How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

1. A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
2. B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
3. C. Download and run the EC2Rescue for Windows Server utility from AWS.
4. D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.

Correct Answer: B

- (Exam Topic 1)
A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.
Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

1. A. One in the US West (Oregon) region and one in the US East (Virginia) region.
2. B. Two in the US West (Oregon) region and none in the US East (Virginia) region.
3. C. One in the US West (Oregon) region and none in the US East (Virginia) region.
4. D. Two in the US East (Virginia) region and none in the US West (Oregon) region.

Correct Answer: B