Amazon SCS-C01 Quiz 7 Topic 6 Questions 31-35

Question: 1

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )

ADefault IAM Certificate Manager certificate

BCustom SSL certificate stored in IAM KMS

CDefault CloudFront certificate

DCustom SSL certificate stored in IAM Certificate Manager

EDefault SSL certificate stored in IAM Secrets Manager

FCustom SSL certificate stored in IAM IAM

Show Answer

Question: 2

A company has several workloads running on AWS Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console Developers migrated an existing legacy web application to an Amazon EC2 instance Employees need to access this application from anywhere on the internet but currently, mere is no authentication system but into the application.

How should the Security Engineer implement employee-only access to this system without changing the application?

APlace the application behind an Application Load Balancer (ALB) Use Amazon Cognito as authentication (or the ALB Define a SAML-based Amazon Cognito user pool and connect it to ADFS
implement AWS SSO in the master account and link it to ADFS as an identity provide' Define the EC2 instance as a managed resource, then apply an IAM policy on the resource

BDefine an Amazon Cognito identity pool then install the connector on the Active Directory server Use the Amazon Cognito SDK on the application instance to authenticate the employees using their C. Active Directory user names and passwords

DCreate an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2 Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Show Answer

Question: 3

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

* HTTPS needs to be enforced for all data in transit with specific ciphers.

* The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

ASet up an S3 bucket policy with the awssecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.

BSet up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

CModify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

DModify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

Show Answer

Question: 4

A recent security audit found that AVVS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

AEnsure CloudTrail log file validation is turned on

BConfigure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

CUse an S3 bucket with tight access controls that exists m a separate account

DUse Amazon Inspector to monitor the file integrity of CloudTrail log files.

ERequest a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

FEncrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

Show Answer

Question: 5

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

* Encryption in transit

* Encryption at rest

* Logging of all object retrievals in AWS CloudTrail

Which of the following meet these security requirements? (Choose three.)

ASpecify ''aws:SecureTransport'': ''true'' within a condition in the S3 bucket policy.

BEnable a security group for the S3 bucket that allows port 443, but not port 80.

CSet up default encryption for the S3 bucket.

DEnable Amazon CloudWatch Logs for the AWS account.

EEnable API logging of data events for all S3 objects.

FEnable S3 object versioning for the S3 bucket.

Show Answer

Amazon SCS-C01 Quiz:7 Topic:6 Questions:31-35