Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 121:
A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy.
The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months.
Which combination of steps should a security engineer take to meet these requirements? (Choose two.)
A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months. D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan. AWS Backup is the service that provides backup plans with scheduled rules and lifecycle retention, and DynamoDB tables can be assigned to a plan individually or by tag. DynamoDB on-demand backups (A) have no built-in schedule or expiry, and AWS DataSync (B) is a data transfer service, not a backup service. A rate expression (E) fires at a fixed interval and cannot be pinned to the 15th and 25th of each month, so the rule needs a cron expression (D).
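The following is an added example, not code from the original page: it builds the AWS Backup plan and resource selection that implement the schedule in Question 121, in the dict shape accepted by the create-backup-plan and create-backup-selection API calls, and compares the dates a cron rule fires with the dates a rate rule would fire. The plan name, vault name, IAM role ARN and the DynamoDB ARN pattern are assumed placeholders.

```python
"""Added example (not from the original page): AWS Backup plan for backups at
00:00 UTC on the 15th and 25th of every month, retained for 3 months, plus a
comparison of cron vs. rate scheduling. Plan/selection dicts follow the shape
of `aws backup create-backup-plan` / `create-backup-selection`; names and ARNs
below are assumed placeholders."""
from datetime import date, timedelta

RETENTION_DAYS = 90  # "3 months" expressed as AWS Backup's DeleteAfterDays


def backup_plan(plan_name="dynamodb-twice-monthly", vault_name="Default",
                days_of_month=(15, 25)):
    # AWS Backup schedules are 6-field cron expressions evaluated in UTC:
    # cron(minute hour day-of-month month day-of-week year)
    # "0 0 15,25 * ? *" fires at 00:00 on the 15th and 25th of every month.
    cron = "cron(0 0 {} * ? *)".format(",".join(str(d) for d in days_of_month))
    return {
        "BackupPlanName": plan_name,
        "Rules": [{
            "RuleName": "midnight-15th-and-25th",
            "TargetBackupVaultName": vault_name,
            "ScheduleExpression": cron,
            "Lifecycle": {"DeleteAfterDays": RETENTION_DAYS},
        }],
    }


def backup_selection(role_arn="arn:aws:iam::123456789012:role/AWSBackupDefaultServiceRole"):
    # Assigns every DynamoDB table in the account/Region to the plan.
    # (Assumed role ARN; a tag-based selection is the usual alternative.)
    return {
        "SelectionName": "all-dynamodb-tables",
        "IamRoleArn": role_arn,
        "Resources": ["arn:aws:dynamodb:*:*:table/*"],
    }


def cron_fire_dates(start, end, days_of_month=(15, 25)):
    """ISO dates (inclusive range) on which the cron rule above fires."""
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    out = []
    while d <= last:
        if d.day in days_of_month:
            out.append(d.isoformat())
        d += timedelta(days=1)
    return out


def rate_fire_dates(start, end, every_days=15):
    """ISO dates a rate(15 days) rule would fire: it drifts off the 15th/25th
    because months are not 30 days long."""
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    out = []
    while d <= last:
        out.append(d.isoformat())
        d += timedelta(days=every_days)
    return out
```

Both dicts can be passed straight to boto3's `create_backup_plan(BackupPlan=...)` and `create_backup_selection(BackupPlanId=..., BackupSelection=...)`; the two date helpers exist only to make the cron/rate difference visible.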
Question 122:
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
A. Save the API credentials to your PHP files.
B. Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
C. Save your API credentials in a public Github repository.
D. Pass API credentials to the instance using instance userdata.
B. Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it. Applications must sign their API requests with IAM credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your IAM credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it is challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your IAM credentials. IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Options A, C and D are invalid because they all embed long-term IAM credentials somewhere they can be read (source files, a public repository, or instance user data, which any process on the instance can fetch from the metadata service); using static IAM credentials in a production application is explicitly not recommended. For more information on IAM roles, please visit: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
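As an added example that is not part of the original page, here is the kind of check a security engineer would run to catch the anti-patterns in options A and D: static AWS access keys embedded in application source or passed through EC2 user data. The file contents are constructed samples and the key values are dummies in the documented AKIA/ASIA format (the AWS documentation's own example keys), not real credentials.

```python
"""Added example (not from the original page): scan source files and EC2
user data for embedded AWS access keys. Sample inputs are constructed; the
key values are the dummy example keys from the AWS documentation."""
import re

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case letters/digits. Case-sensitive on purpose.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-like characters. To keep false positives
# down it is only reported next to something that names it (secret,
# secret_access_key, AWS_SECRET_ACCESS_KEY, ...) followed by =, : or =>.
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret(?:_?access)?(?:_?key)?['\"]?\s*(?:=>|[:=])\s*['\"]?"
    r"(?P<secret>[A-Za-z0-9/+=]{40})\b")


def scan_text(name, text):
    """Return (source, line_no, kind, redacted_value) for each hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((name, no, "access_key_id", m.group(1)[:8] + "..."))
        for m in SECRET_KEY.finditer(line):
            findings.append((name, no, "secret_access_key", m.group("secret")[:4] + "..."))
    return findings


def scan_sources(sources):
    """sources: {name: text}, e.g. files from a repository plus the decoded
    user data from `aws ec2 describe-instance-attribute --attribute userData`."""
    out = []
    for name, text in sources.items():
        out.extend(scan_text(name, text))
    return out


# Constructed samples: a PHP config with keys (option A), user data that
# exports keys (option D), and the role-based version that needs no keys.
SAMPLES = {
    "config.php": (
        "<?php\n"
        "$s3 = new S3Client(['credentials' => [\n"
        "  'key'    => 'AKIAIOSFODNN7EXAMPLE',\n"
        "  'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',\n"
        "]]);\n"),
    "user-data.sh": (
        "#!/bin/bash\n"
        "export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY\n"),
    "role-based.php": (
        "<?php\n"
        "// No static keys: the SDK default provider chain reads the instance\n"
        "// role credentials from the instance metadata service.\n"
        "$s3 = new S3Client(['region' => 'us-east-1']);\n"),
}
```

The role-based file produces no findings; the other two each yield an access key ID and a secret, which is exactly what a pre-commit hook or a periodic scan of instance user data should block.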
Question 123:
An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR).
The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some container images that are stored in the container repositories. The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use the dashboard to view these findings along with other security-related findings that they intend to generate in the future. There are specific repositories that the security team needs to exclude from the scanning process.
Which solution will meet these requirements?
A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.
A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub. Continual scanning of ECR images is only available with enhanced scanning, which is performed by Amazon Inspector; basic scanning (B, C) scans on push or on demand only. The repository filters that decide which repositories are scanned are part of the ECR registry scanning configuration, not of Inspector (D), and because ECR filters are inclusion filters, repositories to be excluded are simply left unmatched. Security Hub is the centralized dashboard that aggregates Inspector findings with findings from other services; AWS Config (D) evaluates resource configuration and is not a findings dashboard.
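The following added example (not code from the original page) builds the ECR registry scanning configuration described above, in the request shape of `aws ecr put-registry-scanning-configuration`, and shows which repositories an inclusion filter leaves unscanned. The repository names and the "app/*" filter are assumed; wildcard matching is modelled with Python's fnmatch, which is an approximation of ECR's filter semantics.

```python
"""Added example (not from the original page): ECR enhanced (Inspector)
scanning configuration with on-push and continuous rules limited to matching
repositories. Repository names and the filter pattern are assumed."""
from fnmatch import fnmatchcase


def scanning_configuration(include_patterns):
    """Request body for put-registry-scanning-configuration: enhanced scanning
    with one rule per frequency, each restricted to the given wildcard filters."""
    rules = [
        {"scanFrequency": freq,
         "repositoryFilters": [{"filter": p, "filterType": "WILDCARD"}
                               for p in include_patterns]}
        for freq in ("SCAN_ON_PUSH", "CONTINUOUS_SCAN")
    ]
    return {"scanType": "ENHANCED", "rules": rules}


def scanned_repositories(config, repositories):
    """Repositories that at least one rule's filter matches. ECR filters are
    inclusion-only, so anything unmatched is effectively excluded.
    (Assumption: '*' behaves like a shell wildcard, as in fnmatch.)"""
    patterns = {f["filter"] for r in config["rules"] for f in r["repositoryFilters"]}
    return sorted(repo for repo in repositories
                  if any(fnmatchcase(repo, p) for p in patterns))


def excluded_repositories(config, repositories):
    return sorted(set(repositories) - set(scanned_repositories(config, repositories)))


# Constructed repository list: "sandbox/*" and "legacy/*" are to be excluded.
REPOSITORIES = ["app/web", "app/api", "app/worker", "sandbox/scratch", "legacy/batch"]
```

With Inspector and Security Hub both enabled in the account, Inspector forwards its ECR findings to Security Hub automatically; no extra wiring is needed for the dashboard.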
Question 124:
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.
A security engineer must determine if the credentials were used to access the company's resources from an external account.
Which solution will provide this information?
A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
A. Review GuardDuty findings to find InstanceCredentialExfiltration events. The correct answer is A because GuardDuty detects and alerts on EC2 instance credential exfiltration. These findings indicate that credentials obtained from the EC2 instance metadata service are being used from outside AWS, or from an IP address that belongs to a different AWS account than the one that owns the instance. GuardDuty also provides details such as the source IP address, the remote AWS account (and whether it is affiliated with the company's organization), and the API calls made with the exfiltrated credentials. The other options do not provide the information needed to determine whether the credentials were used from an external account. Option B is incorrect because Audit Manager does not generate InstanceCredentialExfiltration events; Audit Manager continuously collects evidence to assess risk and compliance with regulations and industry standards. Option C is incorrect because the exfiltrated credentials belong to the company's own instance role, so any CloudTrail record of their use shows the company's account ID as the caller, not the attacker's; in addition, GetSessionToken cannot be called with temporary credentials, so it is not the call to look for. Option D is incorrect because CloudWatch Logs does not contain AWS STS API calls by default; it would only contain them if CloudTrail were configured to deliver its events to a log group. Reference: InstanceCredentialExfiltration; Amazon GuardDuty Enhances Detection of EC2 Instance Credential Exfiltration; What Is AWS Audit Manager?; Logging AWS STS API Calls with AWS CloudTrail; What Is Amazon CloudWatch Logs?
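As an added example that is not part of the original page, here is the check an engineer would run over the company's own CloudTrail records to corroborate a GuardDuty InstanceCredentialExfiltration finding. CloudTrail marks credentials that were handed out by the instance metadata service with sessionContext.ec2RoleDelivery, and the session name of such a role session is the instance ID; any such record whose sourceIPAddress is not an address of that instance means the role credentials were used somewhere else. The records below are constructed samples; the account ID, role name, instance ID and IP addresses are made up.

```python
"""Added example (not from the original page): find CloudTrail records in
which EC2 instance-role credentials (IMDS-delivered, marked by
sessionContext.ec2RoleDelivery) were used from an IP address that is not
the instance's own. Sample records are constructed."""


def is_imds_credential(rec):
    """True for role sessions whose credentials came from the instance
    metadata service (ec2RoleDelivery is "1.0" for IMDSv1, "2.0" for IMDSv2)."""
    ident = rec.get("userIdentity", {})
    ctx = ident.get("sessionContext", {})
    return ident.get("type") == "AssumedRole" and "ec2RoleDelivery" in ctx


def session_instance_id(rec):
    # Session ARN of an EC2 role: arn:aws:sts::<acct>:assumed-role/<role>/<instance-id>
    return rec["userIdentity"]["arn"].rsplit("/", 1)[-1]


def find_credential_misuse(records, instance_ips):
    """instance_ips: {instance_id: set of the instance's private/public IPs}
    (from describe-instances). Returns (instance_id, source_ip, eventName)
    for every call made with an instance's role credentials from elsewhere."""
    hits = []
    for rec in records:
        if not is_imds_credential(rec):
            continue
        iid = session_instance_id(rec)
        src = rec["sourceIPAddress"]
        if src not in instance_ips.get(iid, set()):
            hits.append((iid, src, rec["eventName"]))
    return hits


def event(name, instance_id, src_ip, delivery="2.0"):
    """Constructed CloudTrail record for a call made with the instance role."""
    return {
        "eventName": name,
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": src_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/WebAppRole/{instance_id}",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "WebAppRole"},
                "ec2RoleDelivery": delivery,
            },
        },
    }


INSTANCE_IPS = {"i-0abc123def4567890": {"10.0.1.25", "203.0.113.10"}}

SAMPLE_RECORDS = [
    event("GetObject", "i-0abc123def4567890", "10.0.1.25"),       # via VPC endpoint
    event("ListBuckets", "i-0abc123def4567890", "198.51.100.7"),  # from elsewhere
    event("GetObject", "i-0abc123def4567890", "203.0.113.10"),    # via public IP
    # A human assuming the same role through STS: no ec2RoleDelivery, so the
    # session is not IMDS-derived and is not checked against instance IPs.
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/alice",
                      "sessionContext": {"sessionIssuer": {"type": "Role"}}}},
]
```

The records are in the company's own trail because the credentials are the company's role credentials, which is exactly why filtering on an "external account ID" (options C and D) finds nothing; the source IP is the discriminating field, and it is the same signal GuardDuty evaluates.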
Question 125:
A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.
The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.
The Security Engineer has verified the following:
1. The rule set in the Security Groups is correct
2. The rule set in the network ACLs is correct
3. The rule set in the virtual appliance is correct
Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)
A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
B. Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
D. Verify the registered targets in the ALB.
E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.
C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance. D. Verify the registered targets in the ALB. Explanation: Since it is a requirement for traffic between the web servers and the internet to flow through the virtual security appliance, the route table for the web server subnet must have the 0.0.0.0/0 route pointing to this appliance (its elastic network interface). This ensures that all internet-bound traffic passes through the appliance; a default route to a NAT gateway (A, E) would bypass it. An Application Load Balancer only forwards traffic to the targets registered in its target group. If the web server in question is not registered (or is registered but failing health checks), it receives no inbound traffic, so verifying the ALB's target registration and target health confirms that the server is part of the load balancing pool. Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Question 126:
A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.
How can the security administrator restrict usage of member root user accounts across the organization?
A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication (MFA) of the root user account for each organization member account.
B. Configure IAM user policies to restrict root account capabilities for each organization member account.
C. Create an OU in Organizations, and attach an SCP that controls usage of the root user. Add all member accounts to the new OU.
D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs. Create a metric filter for RootAccountUsage.
C. Create an OU in Organizations, and attach an SCP that controls usage of the root user. Add all member accounts to the new OU. In AWS Organizations, a service control policy (SCP) restricts the actions available to the principals in member accounts, including the root user, across the entire organization or within specific organizational units (OUs). By creating an OU and attaching an SCP that limits the root user's capabilities (for example, a Deny on all actions conditioned on aws:PrincipalArn matching arn:aws:iam::*:root), the security administrator can centrally control the use of the root user in every member account within that OU. SCPs never apply to the management account, which is acceptable here because that account is not used for operational resources. Option A is invalid because there is no organization-level switch that disables the root user, and MFA protects the root credentials without restricting what they can do. Option B is invalid because IAM policies cannot be attached to the root user. Option D only detects root usage after the fact; it does not restrict it.
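The following added example (not from the original page) shows an SCP of the kind described above, denying every action to the root user of any member account, together with a small evaluator that applies the policy's StringLike condition the way SCP evaluation does: an SCP only ever filters, and a matching Deny wins. The account IDs are made up, and the evaluator ignores Resource and other condition keys for brevity.

```python
"""Added example (not from the original page): SCP that denies all actions
to the root user of member accounts, and an evaluator for its Deny/Condition
logic. Account IDs are made up; only aws:PrincipalArn is modelled."""
from fnmatch import fnmatchcase

ROOT_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUser",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        # Matches the root user of every account the SCP is attached to;
        # the management account is never subject to SCPs.
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _like(value, patterns):
    """IAM StringLike: case-sensitive, '*' and '?' wildcards."""
    return any(fnmatchcase(value, p) for p in patterns)


def scp_denies(scp, principal_arn, action):
    """True if a Deny statement in the SCP applies to this principal/action.
    A missing condition key never matches (no ...IfExists modelled)."""
    context = {"aws:PrincipalArn": principal_arn}
    for st in scp["Statement"]:
        if st["Effect"] != "Deny" or not _like(action, _as_list(st["Action"])):
            continue
        string_like = st.get("Condition", {}).get("StringLike", {})
        if all(_like(context.get(key, ""), _as_list(pats))
               for key, pats in string_like.items()):
            return True
    return False
```

The same evaluator shows why an IAM user or role in the member account is unaffected: the condition does not match, so the SCP contributes no Deny and the principal's own IAM policies decide.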
Question 127:
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?
A. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
B. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.
C. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
D. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
B. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations. Amazon Macie is the service that discovers and classifies sensitive data such as PII in S3 objects; GuardDuty (C) and Inspector (D) do not inspect object contents, and Athena (A) has no built-in PII identifier function. Once Macie has produced the list of affected objects, the second part of the request is answered from the access records: S3 server access logs or CloudTrail S3 data events, filtered for read operations on those object keys.
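As an added example that is not part of the original page, the following parses S3 server access log lines and reports every object read (successful or denied) of the keys that classification flagged as containing PII. The log lines are constructed samples laid out in the S3 server access log field order (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, HTTP status, error code, ...); the PII key list stands in for Macie's findings and is also constructed.

```python
"""Added example (not from the original page): parse S3 server access logs
and list reads of objects that classification flagged as PII. Log lines and
the PII key list are constructed samples."""
import re
from urllib.parse import unquote

# Space-separated fields, except the bracketed timestamp and quoted strings.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referrer", "user_agent"]


def parse_line(line):
    rec = dict(zip(FIELDS, TOKEN.findall(line)))
    rec["time"] = rec["time"].strip("[]")
    rec["key"] = unquote(rec["key"])  # keys are URL-encoded in the log
    return rec


def pii_access(log_text, pii_keys):
    """(key, requester, remote_ip, time, http_status) for every GET of a PII
    object. Denied attempts (403) are kept: in a breach review they matter too."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["operation"] == "REST.GET.OBJECT" and rec["key"] in pii_keys:
            hits.append((rec["key"], rec["requester"], rec["remote_ip"],
                         rec["time"], rec["http_status"]))
    return hits


# Constructed: the objects Macie classification flagged as containing PII.
PII_KEYS = {"exports/customers-2024.csv", "hr/payroll-2023.xlsx"}

# Constructed S3 server access log sample (four requests).
SAMPLE_LOG = """
79a59df900b949e5 restricted-data-bucket [12/Mar/2024:10:15:01 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT exports/customers-2024.csv "GET /exports/customers-2024.csv HTTP/1.1" 200 - 48213 48213 21 19 "-" "aws-cli/2.15.0" -
79a59df900b949e5 restricted-data-bucket [12/Mar/2024:10:16:44 +0000] 198.51.100.7 - 7B4A0FABBEXAMPLE REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 5120 5120 8 7 "-" "Mozilla/5.0" -
79a59df900b949e5 restricted-data-bucket [12/Mar/2024:10:17:02 +0000] 198.51.100.7 - 9D2C4E1FAEXAMPLE REST.GET.OBJECT exports/customers-2024.csv "GET /exports/customers-2024.csv HTTP/1.1" 403 AccessDenied 243 48213 5 - "-" "python-requests/2.31" -
79a59df900b949e5 restricted-data-bucket [12/Mar/2024:10:20:30 +0000] 10.0.1.25 arn:aws:sts::123456789012:assumed-role/ExportRole/i-0abc123 A1B2C3D4EEXAMPLE REST.PUT.OBJECT exports/customers-2024.csv "PUT /exports/customers-2024.csv HTTP/1.1" 200 - - 48213 33 30 "-" "aws-sdk-java/1.12" -
"""
```

The same filter expressed in Athena over a table of these logs is `WHERE operation = 'REST.GET.OBJECT' AND key IN (...)`; CloudTrail S3 data events (eventName GetObject, with the key under requestParameters) are the alternative source when server access logging was not enabled before the exposure.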
Question 128:
A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.
What two methods can the security team use to rotate each key? Select 2 answers from the options given below
A. Enable automatic key rotation for a CMK
B. Import new key material to an existing CMK
C. Use the CLI or console to explicitly rotate an existing CMK
D. Import new key material to a new CMK; Point the key alias to the new CMK.
E. Delete an existing CMK and a new default CMK will be created.
A. Enable automatic key rotation for a CMK. D. Import new key material to a new CMK; point the key alias to the new CMK. The AWS KMS documentation states: Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is EXTERNAL), but you can rotate these CMKs manually. Rotating keys manually: You might want to create a new CMK and use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation. When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK. Option B is invalid because, under the documentation this question is based on, only the same key material could be reimported into an existing CMK; new material has to go into a new CMK, and the alias is then pointed at it. Option C is invalid because there was no explicit rotate command for an existing CMK at the time (AWS KMS has since added on-demand rotation for keys with KMS-generated key material; the options here reflect the older documentation). Option E is invalid because deleting an existing CMK does not create a new default CMK, and makes any data encrypted under the deleted key unrecoverable. For more information on key rotation please see: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
Question 129:
A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?
A. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
B. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
C. The Secrets Manager IAM policy does not allow access to the RDS database.
D. The Secrets Manager IAM policy does not allow access for the applications.
B. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential. When rotation is turned on in the console, Secrets Manager rotates the secret immediately by default rather than waiting for the first scheduled rotation, and the rotation function changes the password in the database. Applications that read the credential once at startup (or that never read it from Secrets Manager at all) keep presenting the old password and fail to authenticate. The fix is for applications to fetch the current version of the secret from Secrets Manager and to refresh it when authentication fails. Reference: https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html
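The following is an added example, not code from the original page. It simulates the failure in Question 129 with a fake secret store and a fake database (both constructed stand-ins for Secrets Manager's get_secret_value and a database login) and contrasts a client that reads the credential once with a client that refreshes the cached secret and retries once after an authentication failure, which is the pattern the AWS-provided Secrets Manager caching libraries implement.

```python
"""Added example (not from the original page): why applications break when a
secret is rotated immediately, and the refresh-on-auth-failure client that
survives it. FakeSecretsManager and FakeDatabase are constructed stand-ins."""


class AuthError(Exception):
    pass


class FakeSecretsManager:
    """Stand-in for Secrets Manager: returns the AWSCURRENT version of the secret."""

    def __init__(self, password):
        self.current = {"username": "app", "password": password}

    def get_secret_value(self):
        return dict(self.current)

    def rotate(self, new_password):
        # What the rotation function does: set a new password in the database
        # (modelled by FakeDatabase reading self.current) and store it.
        self.current = {"username": "app", "password": new_password}


class FakeDatabase:
    """Accepts only the password that the last rotation set."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.connections = 0

    def connect(self, username, password):
        if password != self.secrets.current["password"]:
            raise AuthError("password authentication failed for user " + username)
        self.connections += 1
        return f"conn-{self.connections}"


class NaiveClient:
    """Reads the secret once at startup, as the failing applications did."""

    def __init__(self, secrets, db):
        self.creds, self.db = secrets.get_secret_value(), db

    def connect(self):
        return self.db.connect(**self.creds)


class RotationAwareClient:
    """Caches the secret, but on an authentication failure re-reads it from
    Secrets Manager and retries once. Any other error propagates unchanged."""

    def __init__(self, secrets, db):
        self.secrets, self.db, self.creds, self.refreshes = secrets, db, None, 0

    def connect(self):
        if self.creds is None:
            self.creds = self.secrets.get_secret_value()
        try:
            return self.db.connect(**self.creds)
        except AuthError:
            self.creds = self.secrets.get_secret_value()
            self.refreshes += 1
            return self.db.connect(**self.creds)


def demo():
    """Returns (naive client still works?, aware client's connection, refreshes)."""
    secrets = FakeSecretsManager("p0")
    db = FakeDatabase(secrets)
    naive, aware = NaiveClient(secrets, db), RotationAwareClient(secrets, db)
    naive.connect()
    aware.connect()
    secrets.rotate("p1")  # the immediate rotation that enabling rotation triggered
    try:
        naive.connect()
        naive_ok = True
    except AuthError:
        naive_ok = False
    return naive_ok, aware.connect(), aware.refreshes
```

With real Secrets Manager the fetch is `client.get_secret_value(SecretId=...)` and the password is inside the returned SecretString; the aws-secretsmanager-caching library for Python wraps this cache-and-refresh behaviour so application code does not have to.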
Question 130:
An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?
A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
D. The version of the Lambda function that was invoked was not current.
A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. Lambda writes a function's output to CloudWatch Logs using the function's execution role, which needs logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents (the permissions in the AWSLambdaBasicExecutionRole managed policy); without them the log group is never created and nothing is recorded. Option B is wrong because the invocation source does not change where Lambda logs go. Option C is wrong because CloudWatch Logs does not store log data in an S3 bucket. Option D is wrong because every published version logs in the same way. The invoker, by contrast, is found in CloudTrail (the Invoke event's userIdentity), which does not depend on the execution role.
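As an added example that is not part of the original page, here is a check an engineer would run over an execution role's policy documents to confirm the three CloudWatch Logs permissions are present and not taken away by an explicit Deny. The policies are constructed samples: one shaped like AWSLambdaBasicExecutionRole, one that only grants S3 access, and one with a Deny. Resource and Condition elements are ignored for brevity.

```python
"""Added example (not from the original page): check whether a Lambda
execution role's policies grant the CloudWatch Logs actions that logging
needs. Policy documents below are constructed samples; Resource/Condition
are not evaluated."""
from fnmatch import fnmatchcase

REQUIRED_LOG_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(action, patterns):
    """IAM action matching: case-sensitive here, '*' wildcard (e.g. logs:*)."""
    return any(fnmatchcase(action, p) for p in patterns)


def missing_log_permissions(policy_docs):
    """Required logs actions that no Allow grants, or that an explicit Deny
    removes (in IAM an explicit Deny always overrides an Allow)."""
    allowed, denied = [], []
    for doc in policy_docs:
        for st in _as_list(doc["Statement"]):
            (allowed if st["Effect"] == "Allow" else denied).extend(_as_list(st.get("Action", [])))
    return [a for a in REQUIRED_LOG_ACTIONS
            if not _matches(a, allowed) or _matches(a, denied)]


# Same actions as the AWSLambdaBasicExecutionRole managed policy.
BASIC_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}],
}

# A role that was given only what the function's business logic needs.
S3_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

# Broad Allow undone for one action by an explicit Deny (e.g. from a
# permissions boundary or a second attached policy).
DENY_PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:PutLogEvents", "Resource": "*"},
    ],
}
```

For the authoritative answer on a live role, `aws iam simulate-principal-policy` with the role ARN and the three action names evaluates the real policies, including SCPs and permissions boundaries that this offline check does not see.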