SCS-C01 Free Practice Test

- (Exam Topic 1)
A company's security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs
Which of the following are possible causes of this issue? (Select THREE)

1. A. The SOS queue does not allow the SQS SendMessage action from the SNS topic
2. B. The SNS topic does not allow the SNS Publish action from Amazon S3
3. C. The SNS topic is not delivering raw messages to the SQS queue
4. D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action
5. E. The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic
6. F. The IAM role used by the SEM tool does not allow the SQS DeleteMessage actio

Correct Answer: ADF

- (Exam Topic 1)
Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Select THREE )

1. A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
2. B. The internet gateway of the VPC has been reconfigured
3. C. The security group denies outbound traffic on ephemeral ports
4. D. The route table is missing a route to the internet gateway
5. E. The NACL denies outbound traffic on ephemeral ports
6. F. The host-based firewall is denying SSH traffic

Correct Answer: BDF

- (Exam Topic 1)
An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
• AWS IAM federated with on-premises Active Directory
• Amazon Cognito user pools to accessing an AWS Cloud application developed by the company Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

1. A. Update the password length policy In the on-premises Active Directory configuration.
2. B. Update the password length policy In the IAM configuration.
3. C. Enforce an IAM policy In Amazon Cognito and AWS IAM with a minimum password length condition.
4. D. Update the password length policy in the Amazon Cognito configuration.
5. E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.

Correct Answer: AD

- (Exam Topic 1)
A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?

1. A. Add a template constraint to each product in the portfolio.
2. B. Add a launch constraint to each product in the portfolio.
3. C. Define resource update constraints for each product in the portfolio.
4. D. Update the AWS CloudFormalion template backing the product to include a service role configuration.

Correct Answer: C

- (Exam Topic 1)
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

1. A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
2. B. Review the application security groups to ensure that only the necessary ports are open.
3. C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
4. D. Use Amazon Inspector to periodically scan the backend instances.
5. E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Correct Answer: BD