All SCS-C01 Test Inside Amazon Web Services Questions

Page: 35 / 43

Question 140

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident. EBS snapshots of suspicious instances are shared to a forensics account for analysis A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error

"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared.

Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE )

Options:

Create a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

Allow forensics accounting principals to use the CMK by modifying its policy.

Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

Copy the EBS snapshot to the new decrypted snapshot

Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

Share the target EBS snapshot with the forensics account.

Question 141

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:

Network error: Connection timed out.

What could be responsible for the connection failure? (Select THREE )

Options:

The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured

The internet gateway of the VPC has been reconfigured

The security group denies outbound traffic on ephemeral ports

The route table is missing a route to the internet gateway

The NACL denies outbound traffic on ephemeral ports

The host-based firewall is denying SSH traffic

Question 142

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

• Set up the proxy software on the EC2 instances.

• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

Options:

Put all the proxy EC2 instances in a cluster placement group.

Disable source and destination checks on the proxy EC2 instances.

Open all inbound ports on the proxy EC2 instance security group.

Change the VPC's DHCP domain-name-server’s options set to the IP addresses of proxy EC2 instances.

Question 143

A Developer reported that IAM CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.

What should the Security Engineer do to meet these requirements?