Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 171:
Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved?
A. Create an IAM policy that allows the key to be accessed by only the S3 service.
B. Create a bucket policy that allows the key to be accessed by only the S3 service.
C. Use the kms:ViaService condition in the Key policy
D. Define an IAM user, allocate the key and then assign the permissions to the required service
C. Use the kms:ViaService condition in the Key policy
Options A and B are invalid because mapping keys to services cannot be done via either an IAM policy or a bucket policy. Option D is invalid because keys for IAM users cannot be assigned to services.
This is mentioned in the AWS documentation: The kms:ViaService condition key limits use of a customer-managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.) For example, you can use kms:ViaService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from AWS Lambda.
For more information on key policies for KMS please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html
The correct answer is: Use the kms:ViaService condition in the Key policy
Question 172:
A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet.
A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials.
The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance's security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly.
What should the security engineer do so that the function can rotate the secret?
A. Add an egress-only internet gateway to the VPC. Allow only the Lambda function's subnet to route traffic through the egress-only internet gateway.
B. Add a NAT gateway to the VPC. Configure only the Lambda function's subnet with a default route through the NAT gateway.
C. Configure a VPC peering connection to the default VPC for Secrets Manager. Configure the Lambda function's subnet to use the peering connection for routes.
D. Configure a Secrets Manager interface VPC endpoint. Include the Lambda function's private subnet during the configuration process.
D. Configure a Secrets Manager interface VPC endpoint. Include the Lambda function's private subnet during the configuration process.
You can establish a private connection between your VPC and Secrets Manager by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Secrets Manager APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Reference: https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html
The correct answer is D. A Secrets Manager interface VPC endpoint is a private connection between the VPC and Secrets Manager that does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. By configuring a Secrets Manager interface VPC endpoint, the security engineer can enable the custom Lambda function to communicate with Secrets Manager without sending or receiving network traffic through the internet. The security engineer must include the Lambda function's private subnet during the configuration process so that the function can use the endpoint.
The other options are incorrect for the following reasons:
A. An egress-only internet gateway is a VPC component that allows outbound communication over IPv6 from instances in the VPC to the internet, and prevents the internet from initiating an IPv6 connection with the instances. This option does not meet the requirement that the VPC must not send or receive network traffic through the internet. Moreover, an egress-only internet gateway is for use with IPv6 traffic only, and Secrets Manager does not support IPv6 addresses.
B. A NAT gateway is a VPC component that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances. This option does not meet the requirement that the VPC must not send or receive network traffic through the internet. Additionally, a NAT gateway requires an Elastic IP address, which is a public IPv4 address.
C. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. This option does not work because Secrets Manager does not have a default VPC that can be peered with. Furthermore, a VPC peering connection does not provide a private connection to Secrets Manager APIs without an internet gateway or other devices.
Question 173:
A company has a strict policy against using root credentials. The company's security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console. How should the security team achieve this goal?
A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
B. Use Amazon EventBridge to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
C. Use Amazon Athena to query AWS IAM Identity Center logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
B. Use Amazon EventBridge to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS). Amazon EventBridge can be configured to monitor specific AWS CloudTrail events, including root login events. By setting up an EventBridge rule to detect ConsoleLogin events where the userIdentity type is "Root," the security team can quickly receive alerts. EventBridge can then send these events to Amazon SNS, which distributes notifications immediately to the team. This setup provides near-real-time alerts with minimal operational overhead.
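The rule described in this answer, as an added example that is not part of the practice-question page: the event pattern has the documented EventBridge shape for CloudTrail console sign-in events (detail-type, eventName and userIdentity.type), and the small matcher beneath it re-implements only the subset of EventBridge matching this pattern needs, so the rule can be exercised against constructed sample events. The CloudTrail events, account number and ARNs are constructed sample data.

```python
"""Detect root ConsoleLogin events with an EventBridge-style pattern.

Added example: the pattern follows the EventBridge shape for CloudTrail
console sign-in events; `matches` models exact-value lists and nested
objects only, which is all this pattern uses. Sample events are constructed.
"""
import json

# The EventBridge rule's event pattern: forward only root console sign-ins.
ROOT_CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern`.

    EventBridge semantics for the subset modelled here: every key in the
    pattern must exist in the event; a list means "any of these exact
    values"; a nested dict is matched recursively; extra event keys are ignored.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def _sample_event(identity_type, response="Success",
                  user_arn="arn:aws:iam::111122223333:root"):
    # Constructed sample of the envelope EventBridge delivers for a CloudTrail sign-in event.
    return {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "account": "111122223333",
        "detail": {
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type, "arn": user_arn},
            "responseElements": {"ConsoleLogin": response},
        },
    }


# Constructed sample stream: two root sign-ins (one failed), one IAM user, one role.
SAMPLE_EVENTS = [
    _sample_event("Root"),
    _sample_event("IAMUser", user_arn="arn:aws:iam::111122223333:user/alice"),
    _sample_event("Root", response="Failure"),
    _sample_event("AssumedRole",
                  user_arn="arn:aws:sts::111122223333:assumed-role/Admin/bob"),
]


def root_logins(events, pattern=ROOT_CONSOLE_LOGIN_PATTERN):
    """Return (index, sign-in outcome) for every event the rule would send to SNS."""
    return [
        (i, ev["detail"]["responseElements"]["ConsoleLogin"])
        for i, ev in enumerate(events)
        if matches(pattern, ev)
    ]


def sns_message(event):
    """Alert text the rule's SNS target would carry for one matched event."""
    d = event["detail"]
    return (f"Root console sign-in ({d['responseElements']['ConsoleLogin']}) "
            f"in account {event['account']} from {d['userIdentity']['arn']}")


if __name__ == "__main__":
    print(json.dumps(ROOT_CONSOLE_LOGIN_PATTERN, indent=2))
    for i, _outcome in root_logins(SAMPLE_EVENTS):
        print(sns_message(SAMPLE_EVENTS[i]))
```

Failed root sign-ins still carry userIdentity type Root, so the pattern deliberately does not filter on responseElements; a burst of failures against the root user is exactly what the team wants to hear about.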
Question 174:
A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.
After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume.
Which solution will meet these requirements?
A. Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
B. Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.
C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
D. Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.
C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
The correct answer is C. This answer is correct because AWS CloudFormation Guard is a tool that helps you implement policy-as-code for your CloudFormation templates. You can use Guard to write rules that define your security policies, such as requiring encryption for EBS volumes, and then validate your templates against those rules before deploying them. You can integrate Guard into your CI/CD pipeline as a step that runs the validation checks and prevents the deployment of any non-compliant templates [1][2].
The other options are incorrect because:
A. Turning on AWS Trusted Advisor and configuring security notifications as webhooks in the preferences section of the CI/CD pipeline is not a solution, because AWS Trusted Advisor is not a policy-as-code tool but a service that provides recommendations to help you follow AWS best practices. Trusted Advisor does not allow you to define your own security policies or validate your CloudFormation templates against them [3].
B. Turning on AWS Config and using the prebuilt or customized rules is not a solution, because AWS Config is not a policy-as-code tool but a service that monitors and records the configuration changes of your AWS resources. AWS Config does not allow you to validate your CloudFormation templates before deploying them; it only evaluates the compliance of your resources after they are created [4].
D. Creating rule sets as SCPs and integrating them as a part of validation control in a phase of the CI/CD process is not a solution, because SCPs are not policy-as-code tools but policies that you can use to manage permissions in your AWS Organizations. SCPs do not allow you to validate your CloudFormation templates; they only restrict the actions that users and roles can perform in your accounts [5].
References:
1: What is AWS CloudFormation Guard?
2: Introducing AWS CloudFormation Guard 2.0
3: AWS Trusted Advisor
4: What Is AWS Config?
5: Service control policies - AWS Organizations
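The kind of check a Guard rule set expresses for this scenario, written out as an added example in plain Python so the pipeline gate and its pass/fail contract can be seen end to end. This is not CloudFormation Guard and not code from the page; it walks a template's Resources, flags AWS::EC2::Volume resources and instance or launch-template block device mappings whose Encrypted property is not the boolean true, and exits non-zero so a CI stage fails. The templates are constructed samples (JSON, so no YAML library is needed); the AMI ID is a placeholder.

```python
"""Policy-as-code gate for CloudFormation templates: fail the build on unencrypted EBS.

Added example, not CloudFormation Guard itself: a stand-in for the Guard rule
"every EBS volume must be encrypted", run as a pipeline step. Sample templates
are constructed; the AMI ID is a placeholder.
"""
import json
import sys


def ebs_violations(template):
    """Return 'LogicalId: reason' strings for every EBS volume that is not encrypted.

    Only the boolean true passes; the string "true" or a missing property fails,
    since an intrinsic function or typo there should be reviewed, not trusted.
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::Volume":
            if props.get("Encrypted") is not True:
                findings.append(f"{logical_id}: AWS::EC2::Volume must set Encrypted: true")
        elif rtype in ("AWS::EC2::Instance", "AWS::EC2::LaunchTemplate"):
            # Instances list mappings directly; launch templates nest them under LaunchTemplateData.
            container = props.get("LaunchTemplateData", {}) if rtype == "AWS::EC2::LaunchTemplate" else props
            for i, mapping in enumerate(container.get("BlockDeviceMappings", [])):
                ebs = mapping.get("Ebs")
                if ebs is not None and ebs.get("Encrypted") is not True:
                    findings.append(
                        f"{logical_id}: BlockDeviceMappings[{i}] ({mapping.get('DeviceName', '?')}) "
                        "must set Ebs.Encrypted: true")
    return findings


def validate(template_text):
    """Pipeline entry point: (passed, findings) for one template document."""
    findings = ebs_violations(json.loads(template_text))
    return (not findings, findings)


# Constructed sample: one compliant volume, one bare volume, and an instance
# whose root volume is encrypted but whose data volume is not.
NON_COMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataVol": {"Type": "AWS::EC2::Volume",
                    "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": True}},
        "ScratchVol": {"Type": "AWS::EC2::Volume",
                       "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a"}},
        "Web": {"Type": "AWS::EC2::Instance",
                "Properties": {"ImageId": "ami-PLACEHOLDER",
                               "BlockDeviceMappings": [
                                   {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": True}},
                                   {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 50}},
                               ]}},
    },
})

COMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataVol": {"Type": "AWS::EC2::Volume",
                    "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": True}},
    },
})


if __name__ == "__main__":
    # In CI the template path is passed on the command line; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NON_COMPLIANT_TEMPLATE
    passed, findings = validate(text)
    for finding in findings:
        print("FAIL", finding)
    sys.exit(0 if passed else 1)
```

Run as a pipeline phase before the deploy step, the non-zero exit is what blocks the non-compliant template; the findings list gives the reviewer the logical ID and device to fix.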
Question 175:
A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt.
Which issues that are related to the CMK could be reasons for the error? (Select TWO.)
A. The CMK that is used in the attempt does not exist.
B. The CMK that is used in the attempt needs to be rotated.
C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK that is used in the attempt is not enabled.
E. The CMK that is used in the attempt is using an alias.
A. The CMK that is used in the attempt does not exist.
D. The CMK that is used in the attempt is not enabled.
Question 176:
A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AMIs and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the Engineer implement? Select 2 answers from the options given below.
A. Set up a CloudWatch event based on Trusted Advisor metrics
B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
C. Set up a CloudWatch event based on Amazon Inspector findings
D. Monitor compliance with AWS Config Rules triggered by configuration changes
E. Trigger a CLI command from a CloudWatch event that terminates the infrastructure
B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
D. Monitor compliance with AWS Config Rules triggered by configuration changes
You can use AWS Config to monitor for such events. Option A is invalid because you cannot set CloudWatch events based on Trusted Advisor checks. Option C is invalid because Amazon Inspector cannot be used to check whether instances are launched from a specific AMI. Option E is invalid because triggering a CLI command is not the preferred option; instead you should use Lambda functions for all automation purposes.
For more information on Config Rules please see the below link: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
These events can then trigger a Lambda function to terminate instances. For more information on CloudWatch events please see the below link: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents
The correct answers are: Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure., Monitor compliance with AWS Config Rules triggered by configuration changes
Question 177:
A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator.
A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.
Which solution will meet these requirements?
A. Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.
B. Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.
C. Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.
D. Create an AWS WAF web ACL for the ALB. Create a custom rule that allows requests from legitimate user agent strings.
C. Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator. To mitigate a credential stuffing attack against a web-based application behind an Application Load Balancer (ALB), creating an AWS WAF web ACL with a custom rule to block requests containing the known malicious user agent string is an effective solution. This approach allows for precise targeting of the attack vector (the user agent string of the device emulator) without impacting legitimate users. AWS WAF provides the capability to inspect HTTP(S) requests and block those that match defined criteria, such as specific strings in the user agent header, thereby preventing malicious requests from reaching the application.
Question 178:
A company is using AWS Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts, 444455556666, must retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.
Which policy should the security engineer apply?
A. Option A
B. Option B
C. Option C
D. Option D
A. Option A
Question 179:
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)
A. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
B. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
C. Create a VPC endpoint for AWS KMS with private DNS enabled.
D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
E. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
A. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
C. Create a VPC endpoint for AWS KMS with private DNS enabled.
An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement: "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-0295a3caf8414c94a" } }
If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname (https://kms.<region>.amazonaws.com) resolves to your VPC endpoint.
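The two key-policy conditions discussed in Question 171 (kms:ViaService) and in this question (aws:sourceVpce), exercised together in one added example that is not from the page and is not AWS's policy engine: a deliberately small evaluator applying explicit-deny-wins, then explicit-allow, then implicit-deny to statements that use StringEquals and StringNotEquals, so the effect of each condition on different request contexts can be seen. The endpoint ID is the one quoted in the answer above; the role ARN, account number and region are constructed.

```python
"""What kms:ViaService and aws:sourceVpce conditions permit and block.

Added example: a minimal model of IAM policy evaluation (explicit deny wins,
then explicit allow, else implicit deny) for StringEquals / StringNotEquals
only. Policies and request contexts are constructed; the VPC endpoint ID is
the one quoted in the answer text.
"""
from fnmatch import fnmatchcase

VPC_ENDPOINT_ID = "vpce-0295a3caf8414c94a"      # endpoint ID quoted on the page
APP_ROLE = "arn:aws:iam::111122223333:role/app"  # constructed principal

# Question 171: let the role use the key only when Amazon S3 calls KMS on its behalf.
VIA_SERVICE_POLICY = {"Statement": [{
    "Sid": "AllowUseOnlyViaS3",
    "Effect": "Allow",
    "Principal": {"AWS": APP_ROLE},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
}]}

# Question 179: allow key users, then deny anything not arriving through the KMS VPC endpoint.
VPC_ENDPOINT_POLICY = {"Statement": [
    {"Sid": "AllowKeyUsers", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
     "Action": "kms:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": VPC_ENDPOINT_ID}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            present = key in context
            if operator == "StringEquals":
                if not present or context[key] not in _as_list(allowed):
                    return False
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is absent from the context.
                if present and context[key] in _as_list(allowed):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, caller, action, context):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny ends evaluation
        allowed = True
    return "Allow" if allowed else "Deny"


def scenarios():
    """Constructed request contexts showing what each condition key permits and blocks."""
    return {
        # S3 generating a data key with this CMK on the role's behalf.
        "via_s3": evaluate(VIA_SERVICE_POLICY, APP_ROLE, "kms:GenerateDataKey",
                           {"kms:ViaService": "s3.us-east-1.amazonaws.com"}),
        # The same role calling kms:Decrypt directly: no kms:ViaService key in the context.
        "direct_call": evaluate(VIA_SERVICE_POLICY, APP_ROLE, "kms:Decrypt", {}),
        # The same role, but Lambda making the request on its behalf.
        "via_lambda": evaluate(VIA_SERVICE_POLICY, APP_ROLE, "kms:Decrypt",
                               {"kms:ViaService": "lambda.us-east-1.amazonaws.com"}),
        # A request that arrived through the company's KMS interface endpoint.
        "through_vpce": evaluate(VPC_ENDPOINT_POLICY, APP_ROLE, "kms:Encrypt",
                                 {"aws:sourceVpce": VPC_ENDPOINT_ID}),
        # A request to the public KMS endpoint: no aws:sourceVpce key at all.
        "public_endpoint": evaluate(VPC_ENDPOINT_POLICY, APP_ROLE, "kms:Encrypt", {}),
        # A request through some other VPC endpoint.
        "other_vpce": evaluate(VPC_ENDPOINT_POLICY, APP_ROLE, "kms:Encrypt",
                               {"aws:sourceVpce": "vpce-0000000000000000a"}),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:16s} {decision}")
```

The two policies are kept separate on purpose: in this model a request that S3 makes on the role's behalf carries no aws:sourceVpce key, so a deny keyed on StringNotEquals aws:sourceVpce would also block it. Whether the deny should apply to service-originated requests is a design decision to make explicitly before combining the two conditions in one key policy.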
Question 180:
A Developer reported that AWS CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.
What should the Security Engineer do to meet these requirements?
A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
C. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.