SCS-C01 Free Practice Test

- (Exam Topic 2)
A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards.
Which of the following actions should the Engineer perform to get further guidance?

1. A. Read the AWS Customer Agreement.
2. B. Use AWS Artifact to access AWS compliance reports.
3. C. Post the question on the AWS Discussion Forums.
4. D. Run AWS Config and evaluate the configuration outputs.

Correct Answer: A
https://aws.amazon.com/artifact/

- (Exam Topic 2)
Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?

1. A. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric’s rate.
2. B. Configure AWS CloudTrail to stream event data to Amazon Kinesi
3. C. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
4. D. Run an Amazon Athena SQL query against CloudTrail log file
5. E. Use Amazon QuickSight to create an operational dashboard.
6. F. Use the Amazon Personal Health Dashboard to monitor the account’s use of AWS services, and raise an alert if service error rates increase.

Correct Answer: A
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/. In the navigation pane, choose Logs. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events. Choose Create Metric Filter. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") } Choose Assign Metric. For Filter Name, type AuthorizationFailures. For Metric Namespace, type CloudTrailMetrics. For Metric Name, type AuthorizationFailureCount.

- (Exam Topic 3)
A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.
The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.
Which solution will meet these requirements?

1. A. Host the database on Amazon RD
2. B. Use Amazon Elastic Block Store (Amazon EBS) for encryption.Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
3. C. Host the database on Amazon RD
4. D. Use Amazon Elastic Block Store (Amazon EBS) for encryption.Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
5. E. Host the database on an Amazon EC2 instanc
6. F. Use Amazon Elastic Block Store (Amazon EBS) for encryptio
7. G. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
8. H. Host the database on an Amazon EC2 instanc
9. I. Use Transparent Data Encryption (TDE) for encryption and key management.

Correct Answer: B

- (Exam Topic 2)
A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.
What is the MOST efficient way to meet these requirements?

1. A. Install antivirus software and ensure that signatures are up-to-dat
2. B. Configure Amazon CloudWatch alarms to send alerts for security events.
3. C. Install host-based IDS software to check for file integrit
4. D. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
5. E. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.
6. F. Use Amazon CloudWatch Logs to detect file system change
7. G. If a change is detected, automatically terminate and recreate the instance from the most recent AM
8. H. Use Amazon SNS to send notification of the event.

Correct Answer: B

- (Exam Topic 3)
You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The a most important requirement is that MySQL must be used as the database, and this database must not be hosted in t« public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the ^ best to assure that the client's requirements are met? Choose the correct answer from the options below
Please select:

1. A. Build the application server on a public subnet and the database at the client's data cente
2. B. Connect them with a VPN connection which uses IPsec.
3. C. Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
4. D. Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
5. E. Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.

Correct Answer: A
Since the database should not be hosted on the cloud all other options are invalid. The best option is to create a VPN connection for securing traffic as shown below. C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because this is the incorrect use of the Storage gateway Option C is invalid since this is the incorrect use of the NAT instance Option D is invalid since this is an incorrect configuration For more information on VPN connections, please visit the below URL
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.htmll
The correct answer is: Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec
Submit your Feedback/Queries to our Experts