Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 251:
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS customer master key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?
A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
B. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.
C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
Question 252:
A company is hosting a website that must be accessible to users for HTTPS traffic. Also port 22 should be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32.
Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.
A. Port 443 coming from 0.0.0.0/0
B. Port 443 coming from 10.0.0.0/16
C. Port 22 coming from 0.0.0.0/0
D. Port 22 coming from 203.0.113.1/32
A. Port 443 coming from 0.0.0.0/0
D. Port 22 coming from 203.0.113.1/32
Since HTTPS traffic is required for all users on the Internet, port 443 should be open to all IP addresses. For port 22, the traffic should be restricted to a single trusted source (the administrator's static IP address). Option B is invalid because it only allows traffic from a particular CIDR block and not from the Internet. Option C is invalid because allowing port 22 from the Internet is a security risk. For more information on AWS security groups, please visit https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answers are: Port 443 coming from 0.0.0.0/0, Port 22 coming from 203.0.113.1/32
Question 253:
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?
A. In the IAM Console, choose the IAM service and select "Users". Review the "Access Key Age" column.
B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.
C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateCredentialReport.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetCredentialReport.html
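A script of the kind option C describes, written here as an added example (it is not from the original page or from AWS). The credential report CSV is constructed and trimmed to the columns the check reads, and FakeIam is a stand-in for the boto3 IAM client; in a real run the report comes from GenerateCredentialReport followed by GetCredentialReport, and because the report does not contain key IDs, ListAccessKeys supplies them before UpdateAccessKey deactivates each stale key.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report, trimmed to the columns this check reads. A real
# one comes from generate_credential_report() then get_credential_report()["Content"].
REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,false,N/A,false,N/A
alice,true,2024-01-05T10:00:00+00:00,false,N/A
bob,true,2024-05-20T08:30:00+00:00,true,2024-02-01T09:00:00+00:00
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

def users_with_stale_keys(report_csv, now, max_age=timedelta(days=90)):
    """Users holding an active key whose last rotation is older than max_age."""
    stale = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            rotated = row[f"access_key_{slot}_last_rotated"]  # ISO 8601, 'N/A' if no key
            if row[f"access_key_{slot}_active"] == "true" and rotated not in ("N/A", "not_supported") \
                    and now - datetime.fromisoformat(rotated.replace("Z", "+00:00")) > max_age:
                stale.add(row["user"])
    return sorted(stale)

def disable_stale_keys(iam, report_csv, now, max_age=timedelta(days=90)):
    """Deactivate stale keys with UpdateAccessKey; returns (user, key id) pairs. `iam` is
    a boto3 IAM client or any object exposing list_access_keys / update_access_key."""
    disabled = []
    for user in users_with_stale_keys(report_csv, now, max_age):
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] == "Active" and now - key["CreateDate"] > max_age:
                iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                disabled.append((user, key["AccessKeyId"]))
    return disabled

class FakeIam:
    """Offline stand-in for the boto3 IAM client, holding constructed key metadata."""
    def __init__(self):
        d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
        self.keys = {
            "alice": [{"AccessKeyId": "AKIAEXAMPLEALICE1", "Status": "Active", "CreateDate": d(2024, 1, 5)}],
            "bob": [{"AccessKeyId": "AKIAEXAMPLEBOB1", "Status": "Active", "CreateDate": d(2024, 5, 20)},
                    {"AccessKeyId": "AKIAEXAMPLEBOB2", "Status": "Active", "CreateDate": d(2024, 2, 1)}],
        }

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.keys[UserName]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        key = next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)
        key["Status"] = Status
```

Running disable_stale_keys a second time returns an empty list, so the job is safe to schedule repeatedly.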
Question 254:
A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs.
Which combination of steps should the security team take? (Choose three.)
A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)
B. Compress log file with secure gzip.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.
D. Implement least privilege access to the S3 bucket by configuring a bucket policy.
E. Configure CloudTrail log file integrity validation.
F. Configure Access Analyzer for S3.
A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)
D. Implement least privilege access to the S3 bucket by configuring a bucket policy.
E. Configure CloudTrail log file integrity validation.
Question 255:
A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed ReadOnlyAccess policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.
The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.
What should the administrator do to fix the IAM access issue?
A. Edit the ReadOnlyAccess policy to add kms:Decrypt actions
B. Add the EC2 IAM role as the authorized Principal to the S3 bucket policy
C. Attach an inline policy with kms:Decrypt permissions to the IAM role
D. Attach an inline policy with S3:* permissions to the IAM role
C. Attach an inline policy with kms:Decrypt permissions to the IAM role
Question 256:
A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.
Which solution meets these requirements?
A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
C. Analyze VPC flow logs for activity by searching for the access key.
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
Question 257:
Which of the following minimizes the potential attack surface for applications?
A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
Explanation/Reference: https://aws.amazon.com/answers/networking/vpc-security-capabilities/
A security group is stateful and operates at the hypervisor level.
Question 258:
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)
A. Ensure that the log file integrity validation mechanism is enabled.
B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing, but not modifying, the log files.
E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
A. Ensure that the log file integrity validation mechanism is enabled.
D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing, but not modifying, the log files.
Question 259:
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.
Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.
The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications.
Which solution will meet these requirements?
A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
C. Enable CloudTrail Insights to identify unusual API activity.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
According to the AWS documentation [1], CloudTrail data events are the resource operations performed on or within a resource. These are also known as data plane operations. Data events are often high-volume activities. For example, Amazon S3 object-level API activity (such as GetObject, DeleteObject, and PutObject) is a data event. By default, trails do not log data events. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information, see Logging data events in the Amazon S3 User Guide [2].
In this case, the security team wants EventBridge to watch for the s3:PutObjectAcl API invocation logs from CloudTrail. This API uses the acl subresource to set the access control list (ACL) permissions for a new or existing object in an S3 bucket [3]. This is a data event that affects the S3 object resource type. Therefore, the security team must enable CloudTrail to monitor data events for read and write operations to S3 buckets in order to invoke an EventBridge event for this API call.
The other options are incorrect because:
A. Modifying the EventBridge event pattern by selecting Amazon S3 and All Events as the event type will not capture the s3:PutObjectAcl API call, because this is a data event and not a management event. Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations.
B. Modifying the EventBridge event pattern by selecting Amazon S3 and Bucket Level Operations as the event type will not capture the s3:PutObjectAcl API call, because this is a data event that affects the S3 object resource type and not the S3 bucket resource type. Bucket level operations are management events that affect the configuration or metadata of an S3 bucket [5].
C. Enabling CloudTrail Insights to identify unusual API activity will not help the security team monitor new S3 objects or changes to any S3 bucket policy or setting that result in public access. CloudTrail Insights helps AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events [6]. It does not analyze data events or generate EventBridge events.
References:
1: CloudTrail log event reference - AWS CloudTrail
2: Logging data events - AWS CloudTrail
3: PutObjectAcl - Amazon Simple Storage Service
4: Logging management events - AWS CloudTrail
5: Amazon S3 Event Types - Amazon Simple Storage Service
6: Logging Insights events for trails - AWS CloudTrail
Question 260:
A company is planning on using AWS EC2 and AWS CloudFront for their web application. For which one of the below attacks is usage of CloudFront most suited?
A. Cross-site scripting
B. SQL injection
C. DDoS attacks
D. Malware attacks
C. DDoS attacks
The AWS table of CloudFront security capabilities shows that CloudFront is most relevant to DDoS attacks. Options A, B and D are invalid because CloudFront is specifically used to protect sites against DDoS attacks. For more information on security with CloudFront, please refer to https://d1.awsstatic.com/whitepapers/Security/Secure_content_delivery_with_CloudFront_whitepaper.pdf
The correct answer is: DDoS attacks