SCS-C01 Free Practice Test

- (Exam Topic 3)
A company is using AWS Organizations. The company wants to restrict AWS usage to the eu-west-1 Region for all accounts under an OU that is named "development." The solution must persist restrictions to existing and new AWS accounts under the development OU.

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: A

- (Exam Topic 2)
You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app , you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue.
Please select:

1. A. Use the AWS Trusted Advisor to see what can be done.
2. B. Use VPC Flow logs to diagnose the traffic
3. C. Use AWS WAF to analyze the traffic
4. D. Use AWS Guard Duty to analyze the traffic

Correct Answer: B
Option A is invalid because this can be used to check for security issues in your account, but not verify as to why you cannot reach the home page for your application
Option C is invalid because this used to protect your app against application layer attacks, but not verify as to why you cannot reach the home page for your application
Option D is invalid because this used to protect your instance against attacks, but not verify as to why you cannot reach the home page for your application
The AWS Documentation mentions the following
VPC Flow Logs capture network flow information for a VPC, subnet or network interface and stores it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security toi to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviors.
For more information on AWS Security, please visit the following URL: https://aws.amazon.com/answers/networking/vpc-security-capabilities>
The correct answer is: Use VPC Flow logs to diagnose the traffic Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.
Which application flow would meet the data protection requirements on AWS?

1. A. Digitized files -> Amazon Kinesis Data Analytics
2. B. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
3. C. Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
4. D. Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

Correct Answer: B

- (Exam Topic 1)
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary
What solution should the Engineer use to implement the appropriate access restrictions for the application?

1. A. Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges.Associate the NACL to both the NLB and EC2 instances
2. B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block range
3. C. Associate the security group to the NL
4. D. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
5. E. Create an AWS PrivateLink endpoint service in the parent company account attached to the NL
6. F. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoin
7. G. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
8. H. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block range
9. I. Associate the security group with EC2 instances.

Correct Answer: D

- (Exam Topic 1)
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still
enforcing multi-factor authentication?

1. A. Change the value of aws MultiFactorAuthPresent to true.
2. B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication—serial-number and —token-code parameter
3. C. Use these resulting values to make API/CLI calls
4. D. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
5. E. Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and —token-code parameters Store the resulting values in environment variable
6. F. Add sts:AssumeRole to NotAction in the policy.

Correct Answer: B