Amazon SCS-C02 Online Practice Questions and Exam Preparation

Amazon SCS-C02 Online Questions & Answers

• Question 241:

  The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

  Pattern:

  "randomID_datestamp_PII.csv"

  Example:

  "1234567_12302017_000-00-0000 csv"

  The bucket where these objects are being stored is using server-side encryption (SSE).

  Which solution is the most secure and cost-effective option to protect the sensitive data?

  A. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
  B. Add an S3 bucket policy that denies the action s3:GetObject
  C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
  D. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.
  C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

  ---

  Explanation Explanation/Reference:https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsingMetadata.html https://IAM.amazon.com/blogs/database/best-practices-for-securing-sensitive-data-in-IAM- data-stores/

• Question 242:

  A security engineer needs to suppress AWS. Security Hub findings automatically for resources that have a specific tag attached. Which solution will meet this requirement?

  A. Create a Security Hub automation rule Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.
  B. Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.
  C. Send each Security Hub finding to Amazon Detective Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value
  D. Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.
  A. Create a Security Hub automation rule Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.

• Question 243:

  There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below

  A. Provision a Direct Connect connection to an IAM region using a Direct Connect partner.
  B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
  C. Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.
  D. Create a VPC peering connection between IAM and the Customer gateway.
  A. Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

  ---

  IAM Direct Connect makes it easy to establish a dedicated network connection from your premises to IAM. Using IAM Direct Connect you can establish private connectivity between IAM and your datacenter, office, or colocation environment which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections. Options B and C are invalid because these options will not reduce network latency Options D is invalid because this is only used to connect 2 VPC's For more information on IAM direct connect, just browse to the below URL: https://IAM.amazon.com/directconnect The correct answer is: Provision a Direct Connect connection to an IAM region using a Direct Connect partner. omit your Feedback/Queries to our Experts

• Question 244:

  A company uses Amazon GuardDuty.

  The company's security engineer needs lo receive an email notification for every GuardDuty finding that is a High severity level.

  Which solution will meet this requirement?

  A. Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES) Create an Amazon EventBridge rule that has the SES verified identity as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High seventy findings.
  B. Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.
  C. Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.
  D. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Secunty Hub automation rules to create a custom rule. Configure the custom rule to detect High seventy GuardDuty findings and to send a notification to the email address.
  B. Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.

• Question 245:

  A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances.

  The security engineer wants to monitor, store, and access all session activity logs. The logs must be encrypted.

  Which solution will meet these requirements?

  A. Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
  B. Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
  C. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.
  D. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
  D. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

  ---

  AWS Systems Manager Session Manager provides secure and auditable access to EC2 instances without the need to open inbound ports, manage SSH keys, or maintain bastion hosts. It supports logging session activity to Amazon CloudWatch Logs or Amazon S3, and you can configure the logs to be encrypted. This meets the requirement of monitoring, storing, and encrypting session activity logs while adhering to the company's security policy.

• Question 246:

  A company has several petabytes of data. The company must preserve this data for 7 years to comply with regulatory requirements. The company's compliance team asks a security officer to develop a strategy that will prevent anyone from changing or deleting the data.

  Which solution will meet this requirement MOST cost-effectively?

  A. Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in compliance mode. Upload the data to the bucket. Create a resource-based bucket policy that meets all the regulatory requirements.
  B. Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in governance mode. Upload the data to the bucket. Create a user-based IAM policy that meets all the regulatory requirements.
  C. Create a vault in Amazon S3 Glacier. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements. Upload the data to the vault.
  D. Create an Amazon S3 bucket. Upload the data to the bucket. Use a lifecycle rule to transition the data to a vault in S3 Glacier. Create a Vault Lock policy that meets all the regulatory requirements.
  C. Create a vault in Amazon S3 Glacier. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements. Upload the data to the vault.

  ---

  To preserve the data for 7 years and prevent anyone from changing or deleting it, the security officer needs to use a service that can store the data securely and enforce compliance controls. The most cost-effective way to do this is to use Amazon S3 Glacier, which is a low-cost storage service for data archiving and long-term backup. S3 Glacier allows you to create a vault, which is a container for storing archives. Archives are any data such as photos, videos, or documents that you want to store durably and reliably. S3 Glacier also offers a feature called Vault Lock, which helps you to easily deploy and enforce compliance controls for individual vaults with a Vault Lock policy. You can specify controls such as "write once read many" (WORM) in a Vault Lock policy and lock the policy from future edits. Once a Vault Lock policy is locked, the policy can no longer be changed or deleted. S3 Glacier enforces the controls set in the Vault Lock policy to help achieve your compliance objectives. For example, you can use Vault Lock policies to enforce data retention by denying deletes for a specified period of time. To use S3 Glacier and Vault Lock, the security officer needs to follow these steps: Create a vault in S3 Glacier using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDKs. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements using the IAM policy language. The policy can include conditions such as aws:CurrentTime or aws:SecureTransport to further restrict access to the vault. Initiate the lock by attaching the Vault Lock policy to the vault, which sets the lock to an in-progress state and returns a lock ID. While the policy is in the in-progress state, you have 24 hours to validate your Vault Lock policy before the lock ID expires. To prevent your vault from exiting the in-progress state, you must complete the Vault Lock process within these 24 hours. Otherwise, your Vault Lock policy will be deleted. Use the lock ID to complete the lock process. If the Vault Lock policy doesn't work as expected, you can stop the Vault Lock process and restart from the beginning. Upload the data to the vault using either direct upload or multipart upload methods. For more information about S3 Glacier and Vault Lock, see S3 Glacier Vault Lock. The other options are incorrect because: Option A is incorrect because creating an Amazon S3 bucket and configuring it to use S3 Object Lock in compliance mode will not prevent anyone from changing or deleting the data. S3 Object Lock is a feature that allows you to store objects using a WORM model in S3. You can apply two types of object locks: retention periods and legal holds. A retention period specifies a fixed period of time during which an object remains locked. A legal hold is an indefinite lock on an object until it is removed. However, S3 Object Lock only prevents objects from being overwritten or deleted by any user, including the root user in your AWS account. It does not prevent objects from being modified by other means, such as changing their metadata or encryption settings. Moreover, S3 Object Lock requires that you enable versioning on your bucket, which will incur additional storage costs for storing multiple versions of an object. Option B is incorrect because creating an Amazon S3 bucket and configuring it to use S3 Object Lock in governance mode will not prevent anyone from changing or deleting the data. S3 Object Lock in governance mode works similarly to compliance mode, except that users with specific IAM permissions can change or delete objects that are locked. This means that users who have s3:BypassGovernanceRetention permission can remove retention periods or legal holds from objects and overwrite or delete them before they expire. This option does not provide strong enforcement for compliance controls as required by the regulatory requirements. Option D is incorrect because creating an Amazon S3 bucket and using a lifecycle rule to transition the data to a vault in S3 Glacier will not prevent anyone from changing or deleting the data. Lifecycle rules are actions that Amazon S3 automatically performs on objects during their lifetime. You can use lifecycle rules to transition objects between storage classes or expire them after a certain period of time. However, lifecycle rules do not apply any compliance controls on objects or prevent them from being modified or deleted by users. Moreover, transitioning objects from S3 to S3 Glacier using lifecycle rules will incur additional charges for retrieval requests and data transfers.

• Question 247:

  Your company use IAM KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?

  A. Use CloudTrail to see if any KMS API request has been issued against existing keys
  B. Use Key policies to see the access level for the keys
  C. Rotate the keys once before deletion to see if other services are using the keys
  D. Change the IAM policy for the keys to see if other services are using the keys
  A. Use CloudTrail to see if any KMS API request has been issued against existing keys

  ---

  The IAM lentation mentions the following You can use a combination of IAM CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of IAM KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it Options B and D are incorrect because Key policies nor IAM policies can be used to check if the keys are being used. Option C is incorrect since rotation will not help you check if the keys are being used. For more information on deleting keys, please refer to below URL: https://docs.IAM.amazon.com/kms/latest/developereuide/deletine-keys-creatine- cloudwatch-alarm.html The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys Submit your Feedback/Queries to our Experts

• Question 248:

  An IAM account includes two S3 buckets: bucket1 and bucket2. The bucket2 does not have a policy defined, but bucket1 has the following bucket policy:

  

  In addition, the same account has an IAM User named "alice", with the following IAM policy.

  

  Which buckets can user "alice" access?

  A. Bucket1 only
  B. Bucket2 only
  C. Both bucket1 and bucket2
  D. Neither bucket1 nor bucket2
  C. Both bucket1 and bucket2

  ---

  Explanation Explanation/Reference:Both S3 policies and IAM policies can be used to grant access to buckets. IAM policies specify what actions are allowed or denied on what IAM resources (e.g. allow ec2:TerminateInstance on the EC2 instance with instance_id=i-8b3620ec). You attach IAM policies to IAM users, groups, or roles, which are then subject to the permissions you've defined. In other words, IAM policies define what a principal can do in your IAM environment. S3 bucket policies, on the other hand, are attached only to S3 buckets. S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to (e.g. allow user Alice to PUT but not DELETE objects in the bucket). https:// IAM.amazon.com/blogs/security/iam-policies-and-bucket- policies-and-acls-oh-my-controlling-access-to-s3-resources/

• Question 249:

  A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help Mitigate this risk in the future.

  What are some ways the engineer could achieve this (Select THREE)?

  A. Use IAM X-Ray to inspect the trafc going to the EC2 instances.
  B. Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.
  C. Change the security group conguration to block the source of the attack trafc
  D. Use IAM WAF security rules to inspect the inbound trafc.
  E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
  F. Use Amazon Route 53 to distribute trafc.
  B. Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.
  D. Use IAM WAF security rules to inspect the inbound trafc.
  F. Use Amazon Route 53 to distribute trafc.

• Question 250:

  A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

  The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

  Which set of network ACL changes will increase the security of the application while ensuring functionality?

  A. Make the following changes to NACL3: Add a rule that allows inbound traffic on port 5432 from NACL2. Add a rule that allows outbound traffic on ports 1024-65536 to NACL2. Remove the default rules that allow all inbound and outbound traffic.
  B. Make the following changes to NACL3: Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets. Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets. Remove the default rules that allow all inbound and outbound traffic.
  C. Make the following changes to NACL2: Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets. Remove the default rules that allow all inbound and outbound traffic.
  D. Make the following changes to NACL2: Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets. Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
  B. Make the following changes to NACL3: Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets. Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets. Remove the default rules that allow all inbound and outbound traffic.

  ---

  For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.