Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 151:
An application has a requirement to be resilient not only across Availability Zones within the application's primary region but also to be available in another region altogether. Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
A. Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
B. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
D. Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.
C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
Question 152:
A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.
The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.
Which solution will meet these requirements?
A. Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.
B. Update the elastic network interface security group that is attached to the EC2 instance to remove the port from the inbound rule list.
C. Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.
D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.
A. Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses. To address the issue of an Amazon EC2 instance receiving suspicious requests over an open TCP port, the most effective solution is to update the network access control list (NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule for the specific TCP port and source IP addresses involved in the suspicious activity, the security team can block the unwanted traffic at the subnet level. NACLs act as a stateless firewall for traffic entering and leaving a subnet and support both allow and deny rules, evaluated in rule-number order. This measure ensures that only legitimate traffic reaches the EC2 instance, improving security without affecting the application's availability to other users. It is a more immediate way to block specific sources than modifying security group rules, which are stateful, apply at the instance level, and cannot express a deny.
Question 153:
You have an EBS volume attached to an EC2 instance that uses KMS for encryption. Someone has now deleted the customer key that was used for the EBS encryption. What should be done to ensure the data can be decrypted?
A. Create a new customer key using KMS and attach it to the existing volume.
B. You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
C. Request AWS Support to recover the key.
D. Use AWS Config to recover the key.
B. You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable. Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and it is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you no longer need it. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK. https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html Option A is incorrect because creating a new CMK and attaching it to the existing volume will not allow the data to be decrypted; you cannot change the customer master key after the volume is encrypted. Options C and D are incorrect because once the key has been deleted, it cannot be recovered. For more information on EBS encryption with KMS, see: https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
Question 154:
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53.
The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use several alternative domain names. The certificates must renew automatically over an indefinite period of time.
Which combination of steps should the application team take to deploy this architecture? (Select THREE.)
A. Request a certificate from ACM in the us-west-2 Region. Add the domain names that the certificate will secure.
B. Send an email message to the domain administrators to request validation of the domains for ACM.
C. Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.
D. Create an Application Load Balancer for the caching solution. Select the newly requested certificate from ACM to be used for secure connections.
E. Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME record as the Origin Name. Enter the subdomain names or alternate names in the Alternate Domain Names distribution settings. Select the newly requested certificate from ACM to be used for secure connections.
F. Request a certificate from ACM in the us-east-1 Region. Add the domain names that the certificate will secure.
C. Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.
E. Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME record as the Origin Name. Enter the subdomain names or alternate names in the Alternate Domain Names distribution settings. Select the newly requested certificate from ACM to be used for secure connections.
F. Request a certificate from ACM in the us-east-1 Region. Add the domain names that the certificate will secure.
Question 155:
The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:
What are the effects of the key policy? (Choose two.)
A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.
A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
Explanation: Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so. https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
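The key policy the question refers to is not reproduced on this page. As an added reference, not the question's own policy, the following is the default key policy statement that the cited documentation describes ("Enable IAM User Permissions"), written for the account number used in the question:

```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

The `:root` principal in a key policy stands for the account as a whole, so the statement both grants the account's root user full access and delegates authorization to IAM policies in that account. No IAM user or role can use the key until an IAM policy grants it `kms:` permissions, which is why options B and E do not follow. Note also that a key policy without this statement (or a replacement that names specific principals) can make the key unmanageable by anyone in the account, so any hardening of this statement should be tested on a non-production key first.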
Question 156:
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which actions should the Engineer take based on this situation? (Choose three.)
A. Use AWS Artifact to capture an exact image of the state of each instance.
B. Create EBS snapshots of each of the volumes attached to the compromised instances.
C. Capture a memory dump.
D. Log in to each instance with administrative credentials to restart the instance.
E. Revoke all network ingress and egress except for to/from a forensics workstation.
F. Run Auto Recovery for Amazon EC2.
B. Create EBS snapshots of each of the volumes attached to the compromised instances.
E. Revoke all network ingress and egress except for to/from a forensics workstation.
F. Run Auto Recovery for Amazon EC2.
Question 157:
A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive database credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same private subnet. The VPC has a Secrets Manager VPC endpoint.
A security engineer discovers that the secret cannot rotate. The security engineer determines that the VPC endpoint is working as intended. The Amazon CloudWatch logs contain the following error:
"setSecret: Unable to log into database".
Which solution will resolve this error?
A. Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the structure that the database requires.
B. Ensure that the security group that is attached to the Lambda function allows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.
C. Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.
D. Add an internet gateway to the VPC. Create a NAT gateway in a public subnet. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.
B. Ensure that the security group that is attached to the Lambda function allows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function. This answer is correct because ensuring that the security groups allow bidirectional communication between the Lambda function and the EC2 instance will resolve the error. The error indicates that the Lambda function cannot connect to the database, which might be due to firewall rules blocking the traffic. By allowing outbound connections from the Lambda function and inbound connections to the EC2 instance, the security engineer can enable the rotation function to access and update the database credentials.
Question 158:
A company uses a collaboration application. A security engineer needs to configure automated alerts from AWS Security Hub in the us-west-2 Region for the application. The security engineer wants to receive an alert in a channel in the application every time Security Hub receives a new finding.
The security engineer creates an AWS Lambda function to convert the message to the format that the application requires. The Lambda function also sends the message to the application's API. The security engineer configures a corresponding Amazon EventBridge rule that specifies the Lambda function as the target.
After the EventBridge rule is implemented, the channel begins to constantly receive alerts from Security Hub. Many of the alerts are Amazon Inspector alerts that do not require any action. The security engineer wants to stop the Amazon Inspector alerts.
Which solution will meet this requirement with the LEAST operational effort?
A. Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.
B. Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.
C. Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to "anything-but": ["arn:aws:securityhub:us-west-2::product/aws/inspector"].
D. Create an Amazon Simple Notification Service (Amazon SNS) topic to send messages to the application. Set a filter policy on the topic subscriptions to reject any messages that contain the product/aws/inspector string.
C. Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to "anything-but": ["arn:aws:securityhub:us-west-2::product/aws/inspector"].
Explanation: To filter out specific findings, such as those from Amazon Inspector, EventBridge event patterns can be used to selectively route events. By updating the ProductArn attribute in the event pattern with anything-but for Amazon Inspector's ProductArn (arn:aws:securityhub:us-west-2::product/aws/inspector), only findings from other services will trigger the Lambda function. This approach lets the security engineer filter out unnecessary alerts with minimal operational effort, avoiding the need for additional filtering in Lambda or SNS.
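An example of the corrected EventBridge event pattern, added here for illustration rather than taken from the question or from AWS documentation. The `source` and `detail-type` values are the ones Security Hub uses when it publishes imported findings; the `anything-but` filter on `ProductArn` is the change the answer describes, and the `findings` path reflects that Security Hub events carry findings as a list under `detail`:

```json
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "ProductArn": [
        {
          "anything-but": [
            "arn:aws:securityhub:us-west-2::product/aws/inspector"
          ]
        }
      ]
    }
  }
}
```

Filtering at the rule means the Lambda function is never invoked for Inspector findings, so there is no code change and no per-event cost for dropping them. The exclusion is exact-match on the full ARN, so a region mismatch (a different Region's Inspector product ARN) would not be excluded; keep the Region in the ARN aligned with the Region where the rule runs.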
Question 159:
A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop log file delivery to AWS CloudTrail.
Which solution will meet this requirement?
A. Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
B. Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
C. Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
D. Use AWS Systems Manager to ensure that CloudTrail is always turned on.
B. Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs. This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console. https://asecure.cloud/a/scp_cloudtrail/
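A service control policy of the kind the answer describes, written here as an added example (not the question's or the linked site's policy). The answer names only `cloudtrail:StopLogging`; the `DeleteTrail` and `UpdateTrail` actions are included as an extension beyond the page, because deleting a trail or redirecting its destination also ends log delivery. The `Sid` is a constructed name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the SCP to the OUs (or the organization root) rather than to each of the 20-plus accounts individually, so new accounts placed in those OUs inherit it. Two practitioner caveats: SCPs never apply to the organization's management account, so the trail should not live there if this control is the only safeguard; and an SCP restricts what principals in the account may do but grants nothing, so the accounts still need IAM permissions for their normal CloudTrail operations.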
Question 160:
A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs.
Which Amazon Web Services (AWS) services should be employed to satisfy these requirements? (Select two.)
A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR