Amazon AWS-Security-Specialty AWS Certified Security - Specialty (SCS-C01) Exam Practice Test Questions

• Question 1

  Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

  • Amazon S3 static web hosting
    
  • Amazon CloudFront distribution
    
  • Application Load Balancer
    
  • Amazon Route 53
    
  • VPC Flow Logs
    

  Show Answer Answer: 2,,3 Next

• Question 2

  A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.How should a security engineer resolve these issues?

  • Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
    
  • Configure AWS Artifact to archive AWS CloudTrail logs Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
    
  • Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
    
  • Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
    

  Show Answer Answer: 4 Next

• Question 3

  A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.Please select:

  • Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
    
  • Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
    
  • Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
    
  • Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
    
  • Enable GuardDuty to block malicious traffic from reaching the application
    

  Show Answer Answer: 2,,4 Next

• Question 4

  Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.Which of the following mitigations should be recommended?

  • Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
    
  • Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
    
  • Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
    
  • Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
    

  Show Answer Answer: 1 Next

• Question 5

  Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:Network error: Connection timed out.What could be responsible for the connection failure? (Select THREE )

  • The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
    
  • The internet gateway of the VPC has been reconfigured
    
  • The security group denies outbound traffic on ephemeral ports
    
  • The route table is missing a route to the internet gateway
    
  • The NACL denies outbound traffic on ephemeral ports
    
  • The host-based firewall is denying SSH traffic
    

  Show Answer Answer: 2,,4,,6 Next