December 8, 2020 by admin
AWS SCS-C01 practice test

QUESTION 1
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Choose three.)
A. Ensure CloudTrail log file validation is turned on.
B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
C. Use an S3 bucket with tight access controls that exists in a separate account.
D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
F. Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS).

QUESTION 2
One of your company's EC2 Instances has been compromised. The company has a strict policy requiring a thorough investigation to find the culprit for the security breach. What would you do from the options given below? (Choose three.)
A. Take a snapshot of the EBS volume
B. Isolate the machine from the network
C. Make sure that logs are stored securely for auditing and troubleshooting purposes
D. Ensure all passwords for all IAM users are changed
E. Ensure that all access keys are rotated

QUESTION 3
A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards. Which of the following actions should the Engineer perform to get further guidance?
A. Read the AWS Customer Agreement.
B. Use AWS Artifact to access AWS compliance reports.
C. Post the question on the AWS Discussion Forums.
D. Run AWS Config and evaluate the configuration outputs.

QUESTION 4
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints. Which combination of the following actions MOST satisfies this requirement? (Choose two.)
A. Add the AWS:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
B. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
C. Create a VPC endpoint for AWS KMS with private DNS enabled.
D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
E. Add the following condition to the AWS KMS key policy: "AWS: SourceIp": "10.0.0.0/16".

QUESTION 5
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?
A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

QUESTION 6
A company wants to use CloudTrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? (Choose two.)
A. Create one CloudTrail log group for data events
B. Create one trail that logs data events to an S3 bucket
C. Create another trail that logs management events to another S3 bucket
D. Create another CloudTrail log group for management events

QUESTION 7
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager. Which combination of steps is required to ensure the availability of the certificate in the CloudFront console? (Choose two.)
A. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
B. Import the certificate with a 4,096-bit RSA public key.
C. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
D. Import the certificate in the us-east-1 (N. Virginia) Region.
E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.

QUESTION 8
Your company has an EC2 Instance hosted in AWS. This EC2 Instance hosts an application. Currently, this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?
A. Use the VPC Flow Logs.
B. Use a network monitoring tool provided by an AWS partner.
C. Use another instance. Set up a port in "promiscuous mode" and sniff the traffic to analyze the packets.
D. Use CloudWatch metrics.

QUESTION 9
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? (Choose two.)
A. Use Windows BitLocker for EBS volumes on Windows instances
B. Use TrueEncrypt for EBS volumes on Linux instances
C. Use AWS Systems Manager to encrypt the existing EBS volumes
D. The boot EBS volume can be encrypted during launch without using a custom AMI

QUESTION 10
Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc. be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?
A. Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.
B. Query the Trusted Advisor API for all best-practice security checks and check for "action recommended" status.
C. Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.
D. Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

QUESTION 11
You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git. Which one of the following setups would give the highest level of security?
A. EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
B. EC2 instances in our public subnet assigned EIPs, and route outgoing traffic via the NAT
C. EC2 instances in our private subnet assigned EIPs, and route our outgoing traffic via our IGW
D. EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

QUESTION 12
An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB. Which key policy would allow the application to do this while granting the least privilege?
A. Option A
B. Option B
C. Option C
D. Option D

QUESTION 13
Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? (Choose two; each answer forms part of the solution.)
A. Create a CloudWatch Events Rule
B. Create a CloudWatch Logs Rule
C. Use a Lambda function
D. Use a CloudTrail API call