Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 211:
A company uses Amazon GuardDuty. The company's security team wants all High severity findings to automatically generate a ticket in a third-party ticketing system through email integration.
Which solution will meet this requirement?
A. Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.
C. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.
D. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.
According to the AWS documentation, you can use Amazon EventBridge to create rules that match events from GuardDuty and route them to targets such as Amazon SNS topics. Event patterns filter events on criteria such as severity, type, or resource. For example, a rule that matches only High severity findings can send them to an SNS topic to which the third-party ticketing email system is subscribed, so that tickets for High severity findings are created automatically and the security team is notified.
Question 212:
A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.
Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.
What should the security engineer do to meet these requirements with the LEAST effort?
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
Question 213:
Your company has many AWS accounts, all managed through AWS Organizations. One AWS account has an S3 bucket that holds critical data. How can you ensure that all users in the AWS organization have access to this bucket?
A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
B. Ensure the bucket policy has a condition which involves aws:AccountNumber
C. Ensure the bucket policy has a condition which involves aws:PrincipalID
D. Ensure the bucket policy has a condition which involves aws:OrgID
A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
The AWS documentation mentions the following: AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization.
Options B, C, and D are invalid because the condition in the bucket policy has to use aws:PrincipalOrgID.
For more information on controlling access via Organizations, please refer to the following link: https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/
Question 214:
A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.
Which combination of steps must the company perform to meet this requirement? (Select TWO.)
A. Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.
B. Ensure that the sts:AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.
C. Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.
D. Establish a trust relationship between the IAM user and the AWS account that contains the resources.
E. Create a role in the IAM user's AWS account. Create an identity policy that allows the sts:AssumeRole action. Attach the identity policy to the role.
B. Ensure that the sts:AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.
C. Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.
To allow cross-account access to resources using IAM roles, the following steps are required:
Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role's trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.
Ensure that the IAM user has permission to assume the role in their own AWS account. This can be done by creating an identity policy that allows the sts:AssumeRole action and attaching it to the IAM user or their group.
Ensure that there are no service control policies (SCPs) in the organization that owns the resources that deny or restrict access to the sts:AssumeRole action or the role itself. SCPs are applied to all accounts in an organization and can override any permissions granted by IAM policies.
Verified References:
https://repost.aws/knowledge-center/cross-account-access-iam
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Question 215:
A company wants to deny a specific federated user named Bob access to an Amazon S3 bucket named DOC-EXAMPLE-BUCKET. The company wants to meet this requirement by using a bucket policy. The company also needs to ensure that this bucket policy affects Bob's S3 permissions only. Any other permissions that Bob has must remain intact.
Which policy should the company use to meet these requirements?
A. Option A
B. Option B
C. Option C
D. Option D
B. Option B
Question 216:
A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the Security team does not want the application's EC2 instance exposed directly to the internet. The Security Engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.
What else does the Security Engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?
A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.
D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.
Question 217:
A company must retain backup copies of Amazon RDS DB instances and Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the backup copies in data centers that are several hundred miles apart.
Which solution will meet these requirements with the LEAST operational overhead?
A. Configure AWS Backup to create the backups according to the needed schedule. In the backup plan, specify multiple Availability Zones as backup destinations.
B. Configure Amazon Data Lifecycle Manager to create the backups. Configure the Amazon Data Lifecycle Manager policy to copy the backups to an Amazon S3 bucket. Enable replication on the S3 bucket.
C. Configure AWS Backup to create the backups according to the needed schedule. Create a destination backup vault in a different AWS Region. Configure AWS Backup to copy the backups to the destination backup vault.
D. Configure Amazon Data Lifecycle Manager to create the backups. Create an AWS Lambda function to copy the backups to a different AWS Region. Use Amazon EventBridge to invoke the Lambda function on a schedule.
C. Configure AWS Backup to create the backups according to the needed schedule. Create a destination backup vault in a different AWS Region. Configure AWS Backup to copy the backups to the destination backup vault.
AWS Backup provides a streamlined solution for managing cross-Region backups with minimal operational overhead. By configuring a backup plan in AWS Backup to create backups and copy them to a destination backup vault in a different AWS Region, the company can ensure backups are retained in geographically separate data centers. This approach meets the requirement to store backups several hundred miles apart with automated cross-Region backup capabilities.
Question 218:
A company that uses AWS Organizations wants to see AWS Security Hub findings for many AWS accounts and AWS Regions. Some of the accounts are in the company's organization, and some accounts are in organizations that the company manages for customers. Although the company can see findings in the Security Hub administrator account for accounts in the company's organization, there are no findings from accounts in other organizations.
Which combination of steps should the company take to see findings from accounts that are outside the organization that includes the Security Hub administrator account? (Select TWO.)
A. Use a designated administration account to automatically set up member accounts.
B. Create the AWSServiceRoleForSecurityHub service-linked role for Security Hub.
C. Send an administration request from the member accounts.
D. Enable Security Hub for all member accounts.
E. Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.
C. Send an administration request from the member accounts.
E. Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.
To see Security Hub findings for accounts that are outside the organization that includes the Security Hub administrator account, the following steps are required:
Send invitations to accounts that are outside the company's organization from the Security Hub administrator account. This will allow the administrator account to view and manage findings from those accounts. The administrator account can send invitations by using the Security Hub console, API, or CLI. For more information, see Sending invitations to member accounts.
Send an administration request from the member accounts. This will allow the member accounts to accept the invitation from the administrator account and establish a relationship with it. The member accounts can send administration requests by using the Security Hub console, API, or CLI. For more information, see Sending administration requests.
This solution will enable the company to see Security Hub findings for many AWS accounts and AWS Regions, including accounts that are outside its own organization. Options A, B, and D are incorrect because they do not establish the administrator-member relationship with accounts outside the organization.
Verified References: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-member-accounts.html
Question 219:
A security engineer discovers that a company's user passwords have no required minimum length. The company is using the following two identity providers (IdPs):
1. AWS Identity and Access Management (IAM) federated with on-premises Active Directory
2. Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed
Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Choose two.)
A. Update the password length policy in the IAM configuration.
B. Update the password length policy in the Cognito configuration.
C. Update the password length policy in the on-premises Active Directory configuration.
D. Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.
E. Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.
B. Update the password length policy in the Cognito configuration.
C. Update the password length policy in the on-premises Active Directory configuration.
Update the password length policy in the Cognito configuration: Amazon Cognito allows you to configure password policies, including a required minimum length for passwords, within the user pool. This ensures that the passwords for the cloud application meet the new length requirement.
Update the password length policy in the on-premises Active Directory configuration: since IAM federates with the on-premises Active Directory, the password policies for federated users, such as the minimum password length, are managed directly within Active Directory. Updating the Active Directory policy ensures that the federated users meet the new password length requirement.
Question 220:
A company uses AWS Organizations. The company has more than 100 AWS accounts and will increase the number of accounts. The company also uses an external corporate identity provider (IdP).
The company needs to provide users with role-based access to the accounts. The solution must maximize scalability and operational efficiency.
Which solution will meet these requirements?
A. In each account, create a set of dedicated IAM users. Ensure that all users assume these IAM users through federation with the existing IdP.
B. Deploy an IAM role in a central identity account. Allow users to assume the role through federation with the existing IdP. In each account, deploy a set of IAM roles that match the desired access patterns. Include a trust policy that allows access from the central identity account. Edit the permissions policy for the role in each account to match user access requirements.
C. Enable AWS IAM Identity Center. Integrate IAM Identity Center with the company's existing IdP. Create permission sets that match the desired access patterns. Assign permissions to match user access requirements.
D. In each account, deploy a set of IAM roles that match the desired access patterns. Create a trust policy with the existing IdP. Update each role's permissions policy to use SAML-based IAM condition keys that are based on user access requirements.
C. Enable AWS IAM Identity Center. Integrate IAM Identity Center with the company's existing IdP. Create permission sets that match the desired access patterns. Assign permissions to match user access requirements.