AWS Certified Security - Specialty (SCS-C01) Free Practice Test

Question 1

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident. EBS snapshots of suspicious instances are shared to a forensics account for analysis A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error
"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared.
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE )

A. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

B. Share the target EBS snapshot with the forensics account.

C. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

D. Copy the EBS snapshot to the new decrypted snapshot

E. Allow forensics accounting principals to use the CMK by modifying its policy.

F. Create a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

Correct Answer: B,E,F

Question 2

A company wants to migrate its static primary domain website to AWS. The company hosts the website and DNS servers internally. The company wants the website to enforce SSL/TLS encryption block IP addresses from outside the United States (US), and take advantage of managed services whenever possible.
Which solution will meet these requirements?

A. Migrate the website to Amazon S3 Import a public SSL certificate to an Application Load. Balancer with rules to block traffic from outside the US Migrate DNS to Amazon Route 53.

B. Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront Use AWS WAF rules to block traffic from outside the US Update DNS.
accordingly

C. Migrate the website to Amazon S3 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon. CloudFront Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.

D. Migrate the website to Amazon EC2 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US Update DNS accordingly.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

An auditor needs access to logs that record all API events on IAM. The auditor only needs read-only access to the log files and does not need access to each IAM account. The company has multiple IAM accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below Please select:

A. Configure the CloudTrail service in each IAM account and enable consolidated logging inside of CloudTrail.

B. Configure the CloudTrail service in each IAM account and have the logs delivered to a single IAM bucket in the primary account and erant the auditor access to that single bucket in the orimarv account.

C. Configure the CloudTrail service in each IAM account, and have the logs delivered to an IAM bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary IAM accounts.

D. Configure the CloudTrail service in the primary IAM account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

A company uses AWS Organizations to manage several AWs accounts. The company processes a large volume of sensitive dat a. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.
The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.
What should the company do next to meet these requirements?

A. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

B. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

D. Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Correct Answer: D

Question 5

Your company is planning on developing an application in IAM. This is a web based application. The application user will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.
Please select:

A. Use IAM users to manage the user profiles

B. Create an OlDC identity provider in IAM

C. Create a SAML provider in IAM

D. Use IAM Cognito to manage the user profiles

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
Encryption in transit
Encryption at rest
Logging of all object retrievals in IAM CloudTrail
Which of the following meet these security requirements? (Choose three.)

A. Enable Amazon CloudWatch Logs for the IAM account.

B. Enable a security group for the S3 bucket that allows port 443, but not port 80.

C. Specify "IAM:SecureTransport": "true" within a condition in the S3 bucket policy.

D. Set up default encryption for the S3 bucket.

E. Enable API logging of data events for all S3 objects.

F. Enable S3 object versioning for the S3 bucket.

Correct Answer: C,D,E

Question 7

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.
3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other
4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols
5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required Which of the following accurately reflects the access control mechanisms the Architect should verify1?

A. Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

B. Inbound SG configuration on database servers
Outbound SG configuration on application servers
Inbound and outbound network ACL configuration on the database subnet
Inbound and outbound network ACL configuration on the application server subnet

C. Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

D. Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Correct Answer: D

Question 8

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l .amazonIAM.com. You have some web pages that use Javascript that access resources in another bucket which has web site hosting also enabled. But when users access the web pages , they are getting a blocked Javascript error. How can you rectify this?
Please select:

A. Enable versioning for the bucket

B. Enable CRR for the bucket

C. Enable CORS for the bucket

D. Enable MFA for the bucket

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 9

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.
THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

A. Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

B. Create an origin access identity (OAI) for the S3 origin

C. Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

D. Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

E. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

Correct Answer: C,E

Question 10

An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below Please select:

A. Add permission to use the KMS key to decrypt to the SSM service role.

B. Add the EC2 instance role as a trusted service to the SSM service role.

C. Add permission to use the KMS key to decrypt to the EC2 instance role

D. Add the SSM service role as a trusted service to the EC2 instance role.

E. Add permission to read the SSM parameter to the EC2 instance role. .

Correct Answer: C,E

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 11

A company has a set of EC2 instances hosted in IAM. These instances have EBS volumes for storing critical information. There is a business continuity requirement and in order to boost the agility of the business and to ensure data durability which of the following options are not required.
Please select:

A. Use EBS volume encryption

B. Use EBS Snapshots

C. Use lifecycle policies for the EBS volumes

D. Use EBS volume replication

Correct Answer: A,D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 12

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

A. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.

B. Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS-managed keys (SSE-KMS) to encrypt the data

C. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.

D. Use the S3 encryption client to encrypt each file individually using S3-generated data keys

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 13

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
Please select:

A. From the IAM Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.

B. Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.

C. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.

D. Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 14

A windows machine in one VPC needs to join the AD domain in another VPC. VPC Peering has been established. But the domain join is not working. What is the other step that needs to be followed to ensure that the AD domain join can work as intended Please select:

A. Ensure that the AD is placed in a public subnet

B. Change the VPC peering connection to a Direct Connect connection

C. Ensure the security groups for the AD hosted subnet has the right rule for relevant subnets

D. Change the VPC peering connection to a VPN connection

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Amazon AWS Certified Security - Specialty (SCS-C01) Free Practice Test