Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 141:
A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages.
The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.
The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal.
The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)
A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
Answer:
A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
Question 142:
You have just received an email from AWS Support stating that your AWS account might have been compromised.
Which of the following steps would you carry out immediately? Choose 3 answers from the options below.
A. Change the root account password.
B. Rotate all IAM access keys.
C. Keep all resources running to avoid disruption.
D. Change the password for all IAM users.
Answer:
A. Change the root account password.
B. Rotate all IAM access keys.
D. Change the password for all IAM users.
An AWS knowledge-center article describes what should be done in such a scenario. If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:
Change your AWS root account password and the passwords of any IAM users.
Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users.
Respond to any notifications you received from AWS Support through the AWS Support Center.
Option C is invalid because there could be compromised instances or resources running in your environment; they should be shut down or stopped immediately.
For more information, see: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
The correct answers are: Change the root account password. Rotate all IAM access keys. Change the password for all IAM users.
Question 143:
A company has many member accounts in an organization in AWS Organizations. The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization. To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised the account is still protected.
Which solution will meet this requirement?
A. Block service access by using SCPs for the root user.
B. Remove the password for the root user.
C. Delete access keys for the root user.
D. Create an Amazon EventBridge rule to detect any AWS account root user API events.
Answer:
A. Block service access by using SCPs for the root user.
Question 144:
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Select THREE.)
A. Amazon Route 53
B. AWS Certificate Manager (ACM)
C. Amazon S3
D. AWS Shield
E. Elastic Load Balancer
F. Amazon GuardDuty
Answer:
D. AWS Shield
E. Elastic Load Balancer
F. Amazon GuardDuty
Question 145:
A company has a large set of keys defined in AWS KMS. Its developers frequently use the keys for the applications being developed. What is one way to reduce the cost of accessing the keys in the AWS KMS service?
A. Enable rotation of the keys.
B. Use data key caching.
C. Create an alias of the key.
D. Use the right key policy.
Answer:
B. Use data key caching.
The AWS documentation mentions the following: Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.
Options A, C and D are all incorrect since these options do not affect how often the key is called.
For more information on data key caching, see: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html
The correct answer is: Use data key caching.
Question 146:
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table.
Which of the following has been taken care of from a security perspective in the above command?
A. Since the ID is hashed, it ensures security of the underlying table.
B. The above command ensures data encryption at rest for the Customer table.
C. The above command ensures data encryption in transit for the Customer table.
D. The right throughput has been specified from a security perspective.
Answer:
B. The above command ensures data encryption at rest for the Customer table.
The above command with the "--sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest. Options A, C and D are all invalid because this parameter is specifically used to ensure data encryption at rest.
For more information on DynamoDB encryption, see: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
The correct answer is: The above command ensures data encryption at rest for the Customer table.
Question 147:
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.
A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.
Which solution will meet these requirements?
A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
B. Use S3 Select to restrict access to the .csv file. In the AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
Answer:
A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
Question 148:
A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config.
All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements.
A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation.
Which combination of steps will meet these requirements? (Choose two.)
A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.
C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.
D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the security-01 account.
E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.
Answer:
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.
E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.
Question 149:
Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?
A. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
B. Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
C. Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
D. Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.
Answer:
A. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-authorization-failures
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/. In the navigation pane, choose Logs. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events. Choose Create Metric Filter. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:
{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
Choose Assign Metric. For Filter Name, type AuthorizationFailures. For Metric Namespace, type CloudTrailMetrics. For Metric Name, type AuthorizationFailureCount.
Question 150:
A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).
Which solution will meet these requirements?
A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.
B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.
C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.
D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.
Answer:
B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.