Amazon SCS-C01 Quiz 5 Topic 4 Questions 21-25

Question: 1

A recent security audit found that AVVS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

AEnsure CloudTrail log file validation is turned on

BConfigure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

CUse an S3 bucket with tight access controls that exists m a separate account

DUse Amazon Inspector to monitor the file integrity of CloudTrail log files.

ERequest a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

FEncrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

Show Answer

Question: 2

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

* HTTPS needs to be enforced for all data in transit with specific ciphers.

* The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

ASet up an S3 bucket policy with the awssecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.

BSet up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

CModify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

DModify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

Show Answer

Question: 3

A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

A Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

B Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret

C Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.

D Add the following statement to the container instance IAM role policy

q3_SCS-C01

E) Add the following statement to the execution role policy.

q3_SCS-C01

F.

Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

AOption A

BOption B

COption C

DOption D

EOption E

FOption F

Show Answer

Question: 4

You are designing a custom IAM policy that would allow uses to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

A

q4_SCS-C01

B

q4_SCS-C01

C

q4_SCS-C01

D

q4_SCS-C01

The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated.

Option B and C are wrong since the aws:MultiFactorAuthPresent clause should be marked as true. Here you are saying that onl if the user has been MFA activated, that means it is true, then allow access.

Option D is invalid because the "boor clause is missing in the evaluation for the condition clause.

Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false."

Here in this scenario the boot attribute in the condition element will return a value True for option A which will ensure that access is allowed on S3 resources.

For more information on an example on such a policy, please visit the following URL:

AOption A

BOption B

Show Answer

Question: 5

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.

Please select:

A.

q5_SCS-C01

B.

q5_SCS-C01

C.

q5_SCS-C01

D.

q5_SCS-C01

The condition of "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.

Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-side-encryption":"aws:kms" is present

For more information on AWS KMS best practices, just browse to the below URL:

q5_SCS-C01

Submit your Feedback/Queries to our Expert

AOption A

BOption B

Show Answer

A recent security audit found that AVVS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

Amazon SCS-C01 Quiz:5 Topic:4 Questions:21-25