Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 231:
A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B.
The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet.
Which solution will meet these requirements?
A. In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.
B. Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.
C. Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.
D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.
D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A. Amazon S3 does not live inside either VPC, so a transit gateway, a VPN or VPC peering (A, B, C) gives the application no path to the bucket. A gateway endpoint adds a route for the S3 prefix list to the route table in Account A, so requests to the bucket stay on the AWS network, and it works for buckets in any account in the same Region. Authorization is already in place, but check that the endpoint policy (which allows all S3 access by default) permits the Account B bucket, and consider an aws:SourceVpce condition in the bucket policy in Account B so that only traffic from that endpoint is accepted.
Question 232:
A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU.
Except for some desired global services, the AWS usage must occur only in the eu-west-1 Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU.
Which SCP will meet these requirements?
A. Option A
B. Option B
C. Option C
D. Option D
C. Option C. The statement's Effect is Deny, so any action outside eu-west-1 is blocked. NotAction lists the desired global services, so those services are exempt from the Deny and remain usable from any Region (their API calls typically carry aws:RequestedRegion = us-east-1). The Condition uses StringNotEquals on aws:RequestedRegion with the value eu-west-1, so the Deny fires only when the requested Region is not eu-west-1. Attaching the SCP to the OU applies it to every account already in the OU and to any account later created in or moved into it.
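The following is an added example, not code from the exam page or from AWS: it builds a region-restriction SCP of the shape described above and evaluates sample requests against its Deny branch, so you can see why global-service calls made from us-east-1 pass while a regional call from the same Region is denied. The list of exempted global services is an assumption for the example.

```python
"""Region-restriction SCP plus a minimal evaluator for its Deny branch.

Added example (not from the exam page, not AWS's code). The policy has the
shape AWS documents for denying requests outside an allowed Region while
exempting global services; the exempted service list is an assumption.
`is_denied` models only what this SCP adds: an explicit Deny built from
NotAction and a StringNotEquals condition on aws:RequestedRegion. It does
not model IAM identity policies, resource policies or the implicit deny.
"""
from __future__ import annotations

import fnmatch

ALLOWED_REGIONS = ["eu-west-1"]

# Global services the OU may keep using from any Region (assumed list).
# Global-service calls typically carry aws:RequestedRegion = us-east-1,
# which is exactly why they need the NotAction exemption.
GLOBAL_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*", "health:*",
]


def region_restriction_scp() -> dict:
    """The SCP to attach to the OU (covers existing and future accounts)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideEuWest1ExceptGlobal",
                "Effect": "Deny",
                "NotAction": GLOBAL_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}
                },
            }
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively and support '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def is_denied(policy: dict, action: str, requested_region: str) -> bool:
    """True if some Deny statement in the SCP applies to this request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # Deny everything EXCEPT the listed actions.
            applies = not any(_action_matches(p, action)
                              for p in _as_list(stmt["NotAction"]))
        else:
            applies = any(_action_matches(p, action)
                          for p in _as_list(stmt.get("Action", [])))
        if not applies:
            continue
        regions = (stmt.get("Condition", {})
                       .get("StringNotEquals", {})
                       .get("aws:RequestedRegion"))
        if regions is not None and requested_region in _as_list(regions):
            continue  # condition is false, so this Deny does not fire
        return True
    return False


if __name__ == "__main__":
    scp = region_restriction_scp()
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "us-east-1")]:
        print(f"{action:20s} {region:12s} denied={is_denied(scp, action, region)}")
```

AWS's published version of this SCP also carries an ArnNotLike condition on aws:PrincipalARN so that a named administrative role is exempt; that clause is left out here to keep the evaluator focused on the Region condition.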
Question 233:
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.
A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.
Which rule statement will meet these requirements?
A. Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
B. Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
C. Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.
D. Use a string match rule statement that includes details of the IoT device brand from the user agent.
D. Use a string match rule statement that includes details of the IoT device brand from the user agent. A string (byte) match rule that inspects the User-Agent header for the brand's unique string blocks exactly the devices driving the attack, whatever their source IPs or countries, and keeps matching if the same devices return later, while customers' browsers never match. Option A cannot work because IP addresses are not derived from a user agent and the devices are spread worldwide; B would block legitimate customers in the same countries; C, a rate-based rule, only throttles sources above a threshold and would need constant retuning. Because the User-Agent is supplied by the client, pair the rule with rate-based rules and AWS Shield for attacks that do not present such a convenient marker.
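As an added example (not from the exam page or from AWS), here is the wafv2 rule dict that implements option D, together with a small local matcher that applies the rule's LOWERCASE transformation and CONTAINS constraint to constructed request headers. "IoTBrandX", the rule name and the sample headers are assumptions; the matcher models the statement's semantics for testing and is not the WAF engine.

```python
"""AWS WAF (wafv2) rule that blocks one IoT brand by its User-Agent, plus a
local matcher that applies the rule's transformation and constraint.

Added example (not from the exam page, not AWS's code). The rule dict follows
the wafv2 Rule/ByteMatchStatement structure accepted by `aws wafv2
update-web-acl` and boto3; "IoTBrandX" and the sample headers are
constructed. `rule_blocks` is a reference model of the positional
constraints for test purposes only.
"""
from __future__ import annotations


def user_agent_block_rule(brand_marker: str, priority: int = 0) -> dict:
    # WAF applies TextTransformations to the request field only, never to
    # SearchString, so a LOWERCASE transform needs a lowercase search string.
    return {
        "Name": "BlockIoTBrandUserAgent",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "ByteMatchStatement": {
                # boto3 expects bytes here; the CLI JSON form takes base64.
                "SearchString": brand_marker.lower(),
                "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "CONTAINS",
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockIoTBrandUserAgent",
        },
    }


def rule_blocks(rule: dict, headers: dict[str, str]) -> bool:
    """Evaluate a single ByteMatchStatement rule against request headers."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return False  # a missing header never matches a byte-match statement
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        else:
            raise ValueError(f"transformation {t['Type']} is not modelled here")
    needle = stmt["SearchString"]
    checks = {
        "CONTAINS": needle in value,
        "EXACTLY": value == needle,
        "STARTS_WITH": value.startswith(needle),
        "ENDS_WITH": value.endswith(needle),
    }
    return checks[stmt["PositionalConstraint"]] and "Block" in rule["Action"]


# Constructed request headers for a local check.
SAMPLE_REQUESTS = {
    "iot": {"User-Agent": "IoTBrandX-Cam/2.1 (linux; armv7)"},
    "iot_mixed_case": {"user-agent": "IOTBRANDX firmware 1.0"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"},
    "no_ua": {"Accept": "*/*"},
}


if __name__ == "__main__":
    rule = user_agent_block_rule("IoTBrandX")
    for name, headers in SAMPLE_REQUESTS.items():
        print(f"{name:15s} blocked={rule_blocks(rule, headers)}")
```

In a real web ACL this rule sits alongside a rate-based rule and the managed rule groups; its metric name is what you watch in CloudWatch to confirm the attack traffic is being counted as blocked rather than merely sampled.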
Question 234:
A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.
What should the Security Engineer use to isolate and research this event? (Choose three.)
A. AWS CloudTrail
B. Amazon Athena
C. AWS Key Management Service (AWS KMS)
D. VPC Flow Logs
E. AWS Firewall Manager
F. Security groups
A. AWS CloudTrail
D. VPC Flow Logs
F. Security groups
Isolation is done with security groups: replace the instance's security groups with an isolation group that allows no inbound or outbound traffic, and keep the instance running so its memory and disk state survive for forensics. CloudTrail then shows which API calls were made with the instance's role credentials or against the instance, and VPC Flow Logs show which addresses the instance was talking to. Reference: https://github.com/awslabs/aws-well-architected-labs/blob/master/Security/300_Incident_Response_with_AWS_Console_and_CLI/Lab_Guide.md
Question 235:
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?
A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS managed CMK.
B. Select Amazon S3-AWS KMS managed encryption keys (SSE-KMS) and select a customer managed CMK with key rotation enabled.
C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer managed CMK that has imported key material.
D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS managed CMK.
B. Select Amazon S3-AWS KMS managed encryption keys (SSE-KMS) and select a customer managed CMK with key rotation enabled. SSE-S3 uses keys that S3 itself manages, so no CMK can be chosen with it (A and C contradict themselves). Automatic rotation can be enabled only on a customer managed CMK whose key material was generated by KMS; a CMK with imported key material cannot be rotated automatically. AWS managed CMKs (D) are rotated on a schedule that AWS controls and the company cannot configure. Enable rotation with `aws kms enable-key-rotation --key-id <key-id>`; the default rotation period is 365 days.
Question 236:
A company's Security Engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)
A. Configuring AWS Organizations to monitor root user API calls on the paying account
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
C. Configuring Amazon Inspector to scan the AWS account for any root user activity
D. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
E. Using Amazon SNS to notify the target group
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
E. Using Amazon SNS to notify the target group
CloudWatch Events (now Amazon EventBridge) receives every CloudTrail event as it is recorded, so a rule whose pattern matches userIdentity.type = Root catches root API calls and console sign-ins, and an SNS topic as the rule target delivers the notification. Organizations (A) and Trusted Advisor (D) do not monitor root activity, and Amazon Inspector (C) assesses workloads, not account activity. EventBridge rules are Regional, so create the rule in every Region in use; root console sign-in events are global service events recorded in us-east-1.
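The rule pattern behind answer B, applied locally to constructed CloudTrail events, as an added example that is not part of the exam page or AWS's code. The pattern is the one AWS documents for root activity; the small matcher implements only the part of EventBridge content filtering that this pattern needs, and the account ID, IP addresses and event contents are made up for the example.

```python
"""EventBridge (formerly CloudWatch Events) pattern for root-user activity,
applied locally to constructed CloudTrail events.

Added example (not from the exam page, not AWS's code). The event pattern is
the one AWS documents for alerting on root API calls and root console
sign-ins; `matches_pattern` implements the subset of EventBridge content
filtering the pattern needs (exact-value lists and nested objects). The
sample events and account ID are constructed; `summarise` returns the text
an SNS notification would carry.
"""
from __future__ import annotations

ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail",
                    "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches_pattern(pattern: dict, event: dict) -> bool:
    """EventBridge-style match: every pattern key must exist in the event;
    a list means 'one of these values', a dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def root_events(events: list[dict]) -> list[dict]:
    return [e for e in events if matches_pattern(ROOT_ACTIVITY_PATTERN, e)]


def summarise(event: dict) -> str:
    d = event["detail"]
    return (f"ROOT {d['eventName']} via {d['eventSource']} "
            f"from {d.get('sourceIPAddress', '?')} at {d['eventTime']}")


# Constructed EventBridge envelopes wrapping CloudTrail records.
SAMPLE_EVENTS = [
    {"detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
     "region": "us-east-1", "account": "111122223333",
     "detail": {"eventTime": "2024-05-01T08:00:00Z",
                "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "Root",
                                 "arn": "arn:aws:iam::111122223333:root"},
                "responseElements": {"ConsoleLogin": "Success"}}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
     "region": "us-east-1", "account": "111122223333",
     "detail": {"eventTime": "2024-05-01T08:05:00Z",
                "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "Root",
                                 "arn": "arn:aws:iam::111122223333:root"}}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.s3",
     "region": "eu-west-1", "account": "111122223333",
     "detail": {"eventTime": "2024-05-01T09:00:00Z",
                "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}}},
    {"detail-type": "GuardDuty Finding", "source": "aws.guardduty",
     "region": "eu-west-1", "account": "111122223333",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort"}},
]


if __name__ == "__main__":
    for hit in root_events(SAMPLE_EVENTS):
        print(summarise(hit))
```

The same pattern, pasted into `aws events put-rule --event-pattern`, with an SNS topic as the target, is the whole of answers B and E; the matcher here is just a way to check the pattern against recorded events before deploying it.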
Question 237:
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)
A. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.
B. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
C. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
D. Use unique log file prefixes for trails in each AWS account.
E. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
F. Enable encryption of the log files by using AWS Key Management Service.
A. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.
C. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
E. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
Log file validation makes CloudTrail deliver hourly digest files that record a SHA-256 hash of every log file and are chained to the previous digest by hash and signature; that chain is what lets `aws cloudtrail validate-logs` detect a modified or deleted log file. The centralized bucket needs a bucket policy that grants the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on each account's prefix, with the condition s3:x-amz-acl = bucket-owner-full-control. KMS encryption (F) protects confidentiality, not integrity. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the management (formerly master) account and apply it to an organization, making it an organization trail. Organization trails log events for the management account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
You must be logged in with the management account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.
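To make the "detection of any modification" requirement concrete, here is an added example (not from the exam page and not AWS's validator) that models the hash chain CloudTrail writes when log file validation is on, over an in-memory bucket. The bucket name, account ID, object keys and record contents are constructed, and the RSA signature that a real digest also carries is deliberately not checked; the supported tool for real trails is `aws cloudtrail validate-logs`.

```python
"""Hash-chain check modelling CloudTrail log file validation.

Added example (not from the exam page, not AWS's code). With log file
validation enabled, CloudTrail writes an hourly digest file listing the
SHA-256 of each log object delivered in that hour and the SHA-256 of the
previous digest, and signs the digest with SHA256withRSA. This model
verifies the hash chain over an in-memory "bucket"; the RSA signature
check (public key from `aws cloudtrail list-public-keys`) is left out.
The bucket name, account ID, keys and record contents are constructed.
"""
from __future__ import annotations

import gzip
import hashlib
import json

BUCKET = "central-cloudtrail-logs-example"          # assumed name
ACCOUNT = "111122223333"                             # constructed
LOG_0100 = f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-1/log-0100.json.gz"
LOG_0200 = f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-1/log-0200.json.gz"
DIGEST_0100 = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/eu-west-1/digest-0100.json"
DIGEST_0200 = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/eu-west-1/digest-0200.json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list[dict]) -> bytes:
    # CloudTrail log objects are gzip-compressed JSON; mtime=0 keeps them stable.
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def make_digest(objects: dict[str, bytes], log_keys: list[str],
                prev_key: str | None) -> bytes:
    """Digest covering `log_keys`, chained to the previous digest object."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "previousDigestS3Bucket": BUCKET if prev_key else None,
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(objects[prev_key]) if prev_key else None,
        "previousDigestHashAlgorithm": "SHA-256" if prev_key else None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashValue": sha256_hex(objects[key]), "hashAlgorithm": "SHA-256"}
            for key in log_keys
        ],
    }
    return json.dumps(digest, sort_keys=True).encode()


def build_store() -> dict[str, bytes]:
    """Two log objects and two chained digests, as S3 would hold them."""
    objects: dict[str, bytes] = {}
    objects[LOG_0100] = make_log_object(
        [{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}])
    objects[LOG_0200] = make_log_object(
        [{"eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser"}}])
    objects[DIGEST_0100] = make_digest(objects, [LOG_0100], None)
    objects[DIGEST_0200] = make_digest(objects, [LOG_0200], DIGEST_0100)
    return objects


def verify_chain(objects: dict[str, bytes], newest_digest_key: str) -> list[str]:
    """Walk digests newest to oldest; return every problem found (empty = clean)."""
    problems: list[str] = []
    key: str | None = newest_digest_key
    while key is not None:
        digest = json.loads(objects[key])
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                problems.append(f"missing log file {entry['s3Object']}")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"hash mismatch for {entry['s3Object']}")
        prev_key = digest["previousDigestS3Object"]
        if prev_key is not None:
            prev_body = objects.get(prev_key)
            if prev_body is None:
                problems.append(f"missing previous digest {prev_key}")
                break
            if sha256_hex(prev_body) != digest["previousDigestHashValue"]:
                problems.append(f"digest chain broken at {prev_key}")
        key = prev_key
    return problems


if __name__ == "__main__":
    store = build_store()
    print("clean store:", verify_chain(store, DIGEST_0200) or "OK")
    store[LOG_0100] = make_log_object([])        # an attacker scrubs an hour
    print("after tamper:", verify_chain(store, DIGEST_0200))
```

The walk shows the limit of the mechanism: tampering with an older digest is caught by the digest after it, but deleting the newest digest is only noticed when the next hour's digest fails to chain to it, which is why the centralized bucket should also deny deletes to everyone except a break-glass role (or use S3 Object Lock) rather than rely on validation alone.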
Question 238:
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.
The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.
How can the Security Engineer address the issue?
A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
C. Use GuardDuty filters with auto archiving enabled to close the findings
D. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
Trusted IP lists consist of IP addresses that you have allow-listed for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Note for practice: a trusted IP list holds public IPv4 addresses and stops findings for those addresses entirely, so it fits known-good external sources; for a recurring false positive on a specific instance, GuardDuty's documented mechanism is a suppression rule (a saved filter with auto-archive, option C), which archives matching findings while GuardDuty keeps recording them, so nothing is lost from the archive if the pattern later turns out to be real.
Question 239:
A company is processing data on AWS. The data is transmitted by millions of connected devices and is stored in Amazon RDS and Amazon DocumentDB (with MongoDB compatibility).
The company uses AWS Backup to back up the data.
The company needs a solution to preserve individual backup recovery points. All related data and metadata, such as character encodings and datatypes, must remain unchanged and protected from deletion.
Retention times for the data will vary from several days to several years.
Which solution will meet these requirements?
A. Use AWS Backup to create legal holds for the recovery points.
B. Export the backup data to Amazon S3. Create S3 Object Lock legal holds for the recovery points.
C. Configure an AWS Backup Vault Lock in compliance mode.
D. Configure an AWS Backup Vault Lock in governance mode.
C. Configure an AWS Backup Vault Lock in compliance mode. A vault lock in compliance mode makes the vault immutable: once its cooling-off period (at least 72 hours) ends, neither the lock nor the minimum and maximum retention it enforces can be changed or removed by any principal, including the account's root user, so recovery points and their metadata stay exactly as AWS Backup wrote them until their retention expires. Governance mode (D) can be removed by users with the right IAM permissions, legal holds (A, B) can be released by whoever placed them, and exporting to S3 (B) moves the data out of AWS Backup's recovery-point format entirely.
Question 240:
Company policy requires that all insecure server protocols, such as FTP, Telnet and HTTP, be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?
A. Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.
B. Query the Trusted Advisor API for all best practice security checks and check for "action recommended" status.
C. Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.
D. Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.
D. Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.
Option A is incorrect because the restricted-common-ports AWS Config rule evaluates security group rules, not the services actually listening on each instance. Option B is incorrect because Trusted Advisor's security checks cover account-level best practices such as exposed security group ports and do not inspect the protocols running on a server. Option C is incorrect because GuardDuty detects threats from logs and network telemetry; it does not audit instance configuration. Option D is correct: the Runtime Behavior Analysis rules package analyzes the behavior of your instances during an assessment run and provides guidance about how to make your EC2 instances more secure. Its Insecure Server Protocols rule determines whether your EC2 instances allow support for insecure and unencrypted ports/services such as FTP, Telnet, HTTP, IMAP, POP version 3, SMTP, SNMP versions 1 and 2, rsh, and rlogin. Reference: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_runtime-behavior-analysis.html#insecure-protocols
Note that this rules package belongs to Amazon Inspector Classic, which AWS has since deprecated; the scheduled CloudWatch event in the question would start an assessment run on a schedule.
Source: Vcedump.com, Amazon SCS-C02 exam questions, answers and explanations.