Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 201:
You want to launch an EC2 instance with your own key pair in AWS. How can you achieve this? Choose 3 answers from the options given below.
A. Use a third-party tool to create the key pair
B. Create a new key pair using the AWS CLI
C. Import the public key into EC2
D. Import the private key into EC2
Answer:
A. Use a third-party tool to create the key pair
B. Create a new key pair using the AWS CLI
C. Import the public key into EC2
Explanation
This is given in the AWS documentation:
Creating a Key Pair: You can use Amazon EC2 to create your key pair. For more information, see Creating a Key Pair Using Amazon EC2. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. For more information, see Importing Your Own Public Key to Amazon EC2.
Option B is correct because you can use the AWS CLI to create a new key pair: https://docs.IAM.amazon.com/cli/latest/userguide/cliec2-keypairs.html
Option D is invalid because the public key needs to be stored in the EC2 instance.
For more information on EC2 key pairs, please visit the below URL: https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/ec2-key-pairs
The correct answers are: Use a third-party tool to create the key pair; Create a new key pair using the AWS CLI; Import the public key into EC2.
Question 202:
A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application that decrypts the data from Amazon S3 to ensure separation of duties between the applications. A Security Engineer wants to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.
Which encryption method will meet these requirements?
A. Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS)
B. Use server-side encryption with customer-provided keys (SSE-C)
C. Use server-side encryption with AWS KMS managed keys (SSE-KMS)
D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)
Answer:
C. Use server-side encryption with AWS KMS managed keys (SSE-KMS)
Question 203:
You work as an administrator for a company. The company hosts a number of resources using AWS. There was an incident of suspicious API activity which occurred 11 days ago. The Security Admin has asked to get the API activity from that point in time. How can this be achieved?
A. Search the CloudWatch logs to find the suspicious activity which occurred 11 days ago
B. Search the CloudTrail event history for the API events which occurred 11 days ago.
C. Search the CloudWatch metrics to find the suspicious activity which occurred 11 days ago
D. Use AWS Config to get the API calls which were made 11 days ago.
Answer:
B. Search the CloudTrail event history for the API events which occurred 11 days ago.
Explanation
The CloudTrail event history allows you to view events which are recorded for 90 days. So one can use a metric filter to gather the API calls from 11 days ago.
Options A and C are invalid because CloudWatch is used for logging and not for monitoring API activity.
Option D is invalid because AWS Config is a configuration service and not for monitoring API activity.
For more information on AWS CloudTrail, please visit the following URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/usereuide/how-cloudtrail-works.html
Note: In this question we assume that the customer has enabled the CloudTrail service. AWS CloudTrail is enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. So for an activity that happened 11 days ago to be stored in CloudTrail, we need to configure the trail manually to ensure that it is stored in the event history. https://IAM.amazon.com/blogs/IAM/new-amazon-web-services-extends-cloudtrail-to-all-IAM-customers/
The correct answer is: Search the CloudTrail event history for the API events which occurred 11 days ago.
Question 204:
An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?
A. VPN and a cached storage gateway
B. AWS Snowball Edge
C. VPN Gateway over AWS Direct Connect
D. AWS Direct Connect
Answer:
C. VPN Gateway over AWS Direct Connect
Explanation
Reference: https://docs.IAM.amazon.com/whitepapers/latest/IAM-vpc-connectivity-options/IAM-direct-connect-plus-vpn-network-to-amazon.html
Question 205:
A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, and plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.
Which approach MOST efficiently meets the company's needs?
A. Use the AWS Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 3^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
B. Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
C. Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
D. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.
Answer:
A. Use the AWS Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 3^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
Question 206:
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use Systems Manager for patching servers. Which of the following is a prerequisite for this to work?
A. Ensure that the on-premise servers are running on Hyper-V.
B. Ensure that an IAM service role is created
C. Ensure that an IAM User is created
D. Ensure that an IAM Group is created for the on-premise servers
Answer:
B. Ensure that an IAM service role is created
Explanation
You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with AWS Systems Manager.
Option A is incorrect since it is not necessary that servers should only be running Hyper-V.
Options C and D are incorrect since it is not necessary that IAM users and groups are created.
For more information on the Systems Manager role please refer to the below URL: com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created
Question 207:
A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest.
A security engineer creates a new S3 bucket to store the documents. What should the security engineer do next to meet these requirements?
A. Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.
B. Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.
C. Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.
D. Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.
Answer:
B. Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.
Question 208:
You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer:
A. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
B. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
C. Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
D. Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
Answer:
A. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
Explanation
Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0.004 per gigabyte per month, a significant savings compared to on-premises solutions.
With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Option B is invalid because lifecycle policies are not available for EBS volumes.
Option C is invalid because IAM policies cannot be used to move data to Glacier.
Option D is invalid because lifecycle policies are not used to move data to Redshift.
For more information on S3 lifecycle policies, please visit the URL: http://docs.IAM.amazon.com/AmazonS3/latest/dev/obiect-lifecycle-mgmt.html
The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
Question 209:
An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.
Which steps would help achieve this? (Select TWO )
A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
D. Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
E. Use AWS WAF to create rules to respond to such attacks
Answer:
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
E. Use AWS WAF to create rules to respond to such attacks
Explanation
Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack. AWS Shield Advanced provides enhanced protection against DDoS attacks. It includes access to the DDoS Response Team (DRT), who can help mitigate attacks quickly and minimize downtime. This service also includes advanced metrics and protections for critical resources, helping the company respond efficiently to attacks.
Use AWS WAF to create rules to respond to such attacks. AWS WAF (Web Application Firewall) allows the company to create specific rules that can block malicious traffic, including traffic patterns typical of DDoS attacks. By using AWS WAF, the company can automate and respond to attacks by filtering traffic at the application level, reducing the chances of downtime during future attacks.
These solutions help the company reduce downtime by providing proactive protection (AWS WAF) and reactive expert support (AWS Shield Advanced).
Question 210:
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.
Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
Answer:
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.