SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 161:

    The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.

    How can the InfoSec team ensure compliance with this mandate?

    A. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
    B. Patch all running instances by using AWS Systems Manager.
    C. Deploy AWS Config rules and check all running instances for compliance.
    D. Define a metric filter in Amazon CloudWatch Logs to verify compliance.

  • Question 162:

    A company is worried about potential DDoS attacks. The company has a web application that runs on Amazon EC2 instances. The application uses Amazon S3 to serve static content such as images and videos.

    A security engineer must create a resilient architecture that can withstand DDoS attacks.

    Which solution will meet these requirements MOST cost-effectively?

    A. Create an Amazon CloudWatch alarm that invokes an AWS Lambda function when an EC2 instance's CPU utilization reaches 90%. Program the Lambda function to update security groups that are attached to the EC2 instance to deny inbound ports 80 and 443.
    B. Put the EC2 instances into an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer. Use Amazon CloudFront with Amazon S3 as an origin.
    C. Set up a warm standby disaster recovery (DR) environment. Fail over to the warm standby DR environment if a DDoS attack is detected on the application.
    D. Subscribe to AWS Shield Advanced. Configure permissions to allow the Shield Response Team to manage resources on the company's behalf during a DDoS event.

  • Question 163:

    A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.

    What should the security team do to launch the EC2 instance successfully?

    A. Update the policy that is associated with the federated IAM role to allow the ec2:DescribeImages action for the forensic AMI.
    B. Update the policy that is associated with the federated IAM role to allow the ec2:StartInstances action in the security team's AWS account.
    C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
    D. Update the policy that is associated with the federated IAM role to allow the kms:DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

  • Question 164:

    A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 instance role have the necessary configuration for this job.

    Which process should the bash script use to encrypt the file?

    A. Use the aws kms encrypt command to encrypt the file by using the existing KMS key.
    B. Use the aws kms create-grant command to generate a grant for the existing KMS key.
    C. Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.
    D. Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

  • Question 165:

    A company has an external web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB) within a VPC. The web application stores data in an Amazon RDS for MySQL DB instance.

    The company uses a Linux bastion host to apply schema updates to the database. Administrators connect to the bastion host through SSH from their corporate workstations.

    The following security groups are applied to the infrastructure.

    1. sgLB associated with the ALB
    2. sgWeb associated with the EC2 instances
    3. sgDB associated with the DB instance
    4. sgBastion associated with the bastion host

    Which security group configuration will meet these requirements MOST securely?

    A. 1. sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
       2. sgWeb: Allow port 80 traffic and port 443 traffic from sgLB
       3. sgDB: Allow port 3306 traffic from sgWeb and sgBastion
       4. sgBastion: Allow port 22 traffic from the corporate IP address range
    B. 1. sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
       2. sgWeb: Allow port 80 traffic and port 443 traffic from sgLB
       3. sgDB: Allow port 3306 traffic from sgWeb and sgLB
       4. sgBastion: Allow port 22 traffic from the VPC IP address range
    C. 1. sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
       2. sgWeb: Allow port 80 traffic and port 443 traffic from sgLB
       3. sgDB: Allow port 3306 traffic from sgWeb and sgBastion
       4. sgBastion: Allow port 22 traffic from the VPC IP address range
    D. 1. sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
       2. sgWeb: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
       3. sgDB: Allow port 3306 traffic from sgWeb and sgBastion
       4. sgBastion: Allow port 22 traffic from the corporate IP address range

  • Question 166:

    A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its AWS accounts. The solution must aggregate and normalize events from the following sources:

    1. The entire organization in Organizations
    2. All AWS Marketplace offerings that run in the company's AWS accounts
    3. The company's on-premises systems

    Which solution will meet these requirements?

    A. Configure a centralized Amazon S3 bucket for the logs. Enable VPC Flow Logs, AWS CloudTrail, and Amazon Route 53 logs in all accounts. Configure all accounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files. Use Amazon Athena to query the log data.
    B. Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward the messages to Amazon OpenSearch Service for analysis.
    C. Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.
    D. Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service to query the centralized S3 bucket for log entries.

  • Question 167:

    A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.

    Which statement should the company add to the key policy to meet this requirement?

    A. B. C. D.

  • Question 168:

    A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Configure the S3 Block Public Access feature for the AWS account.
    B. Configure the S3 Block Public Access feature for all objects that are in the bucket.
    C. Deactivate ACLs for objects that are in the bucket.
    D. Use AWS PrivateLink for Amazon S3 to access the bucket.

  • Question 169:

    A company receives a notification from the AWS Abuse team about an AWS account. The notification indicates that a resource in the account is compromised. The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application. The compromised EC2 instance is part of an EC2 Auto Scaling group.

    The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an IAM access key and secret key. The IAM access key and secret key are stored inside the AMI that is specified in the Auto Scaling group's launch configuration. The company is concerned that the credentials that are stored in the AMI might also have been exposed.

    The company must implement a solution that remediates the security concerns without causing downtime for the application. The solution must comply with security best practices.

    Which solution will meet these requirements?

    A. Rotate the potentially compromised access key that the EC2 instance uses. Create a new AMI without the potentially compromised credentials. Perform an EC2 Auto Scaling instance refresh.
    B. Delete or deactivate the potentially compromised access key. Create an EC2 Auto Scaling linked IAM role that includes a custom policy that matches the potentially compromised access key permissions. Associate the new IAM role with the Auto Scaling group. Perform an EC2 Auto Scaling instance refresh.
    C. Delete or deactivate the potentially compromised access key. Create a new AMI without the potentially compromised credentials. Create an IAM role that includes the correct permissions. Create a launch template for the Auto Scaling group to reference the new AMI and IAM role. Perform an EC2 Auto Scaling instance refresh.
    D. Rotate the potentially compromised access key. Create a new AMI without the potentially compromised access key. Use a user data script to supply the new access key as environment variables in the Auto Scaling group's launch configuration. Perform an EC2 Auto Scaling instance refresh.

  • Question 170:

    A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) customer managed key grants for users. Immediately after a grant is created, users must be able to use the KMS key to encrypt a 512-byte payload. During load testing, AccessDeniedException errors occur occasionally when a user first attempts to use the key to encrypt.

    Which solution should the company's security specialist recommend to eliminate these AccessDeniedException errors?

    A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
    B. Instruct the engineering team to consume a random grant token from users and to call the CreateGrant operation by passing the grant token to the operation. Instruct users to use that grant token in their call to encrypt.
    C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
    D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.