Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 261:
A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?
A. Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region.
B. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0/0.
C. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.
D. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups.
C. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.
Connecting the functions to the VPC gives them elastic network interfaces that carry a security group of their own, so the DB instance security group can name that security group as the allowed source instead of an IP range. The database stays private and only the functions can reach it. Option A makes the database publicly reachable. Option B opens the DB security group to 0.0.0.0/0, which defeats the restriction on the Lambda subnet. Option D drops security groups, which are exactly the control the question is asking for, and VPC peering does not remove the need for them. Reference: AWS Lambda Developer Guide (giving Lambda functions access to resources in an Amazon VPC).
Question 262:
A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.
Which solutions will provide the Lambda function this access? (Select TWO.)
A. Create an IAM user that has only programmatic access. Create a new access key pair. Add environment variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environment variables at run time during communication with Amazon S3.
B. Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.
C. Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket.
D. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.
E. Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group ID.
C. Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket.
D. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.
Both C and D grant access through the function's execution role: C as an identity-based policy on the role, D as a resource-based policy on the bucket that names the role ARN as principal. Option A puts long-lived IAM user credentials in environment variables, which is what execution roles exist to avoid. Option B is wrong because an EC2 key pair is an SSH key and plays no part in S3 authentication. Option E is wrong because S3 bucket policies cannot reference security group IDs; security groups are a network control, not an IAM principal.
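As an added worked example (not from the original page or from AWS), the following Python builds both grant paths from options C and D for the thumbnail function and lints the resulting documents for the mistakes that usually creep in: a wildcard principal, s3:*, or a resource outside the bucket. The account ID, bucket name, role name and the action set are assumed values.

```python
"""Two ways to grant a Lambda execution role access to one S3 bucket.

Added example, not code from the original page. Builds the least-privilege
identity policy (option C) and the equivalent bucket policy naming the role
as principal (option D), then lints both before they are applied.
Account ID, bucket and role names are assumed values.
"""
import json

ACCOUNT_ID = "111122223333"            # assumed
BUCKET = "example-thumbnail-bucket"    # assumed
ROLE_NAME = "thumbnail-lambda-role"    # assumed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"

# Exactly what a read/write thumbnail function needs: no s3:* and no bucket listing.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject"]


def lambda_trust_policy() -> dict:
    """Trust policy that lets only the Lambda service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def identity_policy(bucket: str) -> dict:
    """Option C: policy attached to the role, scoped to the bucket's objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ThumbnailObjects",
            "Effect": "Allow",
            "Action": OBJECT_ACTIONS,
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def bucket_policy(bucket: str, role_arn: str) -> dict:
    """Option D: resource policy on the bucket with the role ARN as principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowThumbnailRole",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": OBJECT_ACTIONS,
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def policy_problems(policy: dict, bucket: str) -> list:
    """Lint an Allow statement list for wildcard principals, wildcard actions
    and resources that point outside the intended bucket."""
    problems = []
    allowed_prefix = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"{sid}: wildcard principal")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            problems.append(f"{sid}: wildcard action")
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(not r.startswith(allowed_prefix) for r in resources):
            problems.append(f"{sid}: resource outside {bucket}")
    return problems


if __name__ == "__main__":
    for name, doc in [("identity", identity_policy(BUCKET)),
                      ("bucket", bucket_policy(BUCKET, ROLE_ARN))]:
        print(name, json.dumps(doc, indent=2))
        print("problems:", policy_problems(doc, BUCKET) or "none")
```

Run it and both documents come back with no problems; feed it a statement with `"Principal": "*"` and `"Action": "s3:*"` and the lint names each issue, which is the check worth wiring into a deployment pipeline before `put-bucket-policy` is ever called.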
Question 263:
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
Include migration to a different AWS Region in the application disaster recovery plan.
Provide a full audit trail of encryption key administration events.
Allow only company administrators to administer keys.
Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?
A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
Question 264:
When you enable automatic key rotation for an existing CMK where the backing key is managed by AWS, after how long is the key rotated?
A. After 30 days
B. After 128 days
C. After 365 days
D. After 3 years
D. After 3 years
The AWS KMS documentation that this question was written against states: "AWS managed CMKs: You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed keys every three years (1095 days)." Customer managed CMKs, by contrast, are rotated every 365 days from when rotation is enabled. Options A, B and C are invalid because the rotation period of an AWS managed CMK is not configurable. For more information on key rotation see https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
AWS managed CMKs are CMKs in your account that are created, managed and used on your behalf by an AWS service that is integrated with AWS KMS. Such a CMK is unique to your AWS account and Region, and only the service that created it can use it. In the KMS console (Encryption Keys) you will find them listed per service, for example aws/elasticfilesystem, aws/lightsail, aws/s3, aws/rds and many more. You can recognize AWS managed CMKs because their aliases have the format aws/service-name, such as aws/redshift. Typically, a service creates its AWS managed CMK in your account when you set up the service or the first time you use the CMK. AWS services that integrate with KMS use it in different ways: some create AWS managed CMKs in your account, others require that you specify a customer managed CMK that you have created, and others support both types, giving you the ease of an AWS managed CMK or the control of a customer managed CMK.
Rotation period for CMKs as given in that documentation: AWS managed CMKs 1095 days; customer managed CMKs 365 days. Since the question says the backing key is managed by AWS, the key is AWS managed and its rotation period is 1095 days (every 3 years). See https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answer is: After 3 years
Caveat: this answer reflects the older documentation. Since May 2022 AWS KMS rotates AWS managed keys every year (about 365 days), and the term "CMK" has been replaced by "KMS key" in the documentation. What has not changed is that the rotation schedule of an AWS managed key cannot be altered by the customer. Check the current developer guide before relying on the 3-year figure.
Question 265:
A company is hosting sensitive data in an Amazon S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below
A. Use AWS Config to monitor changes to the S3 bucket
B. Use an AWS Lambda function to change the bucket policy
C. Use the AWS Trusted Advisor API to monitor changes to the S3 bucket
D. Use an AWS Lambda function to change the bucket ACL
Correct Answer. AD
One of the AWS Security Blog posts describes using AWS Config and Lambda to achieve this. Option C is invalid because the Trusted Advisor API cannot be used to monitor changes to the S3 bucket. Option B is not the most appropriate: rewriting a bucket policy automatically is risky, for the reason the blog post gives below.
The first post covers the object-level case: if the object is in a bucket in which all the objects need to be private and the object is not private anymore, the Lambda function makes a PutObjectAcl call to S3 to make the object private. https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
The second post covers the bucket-level case: create a new Lambda function to examine an Amazon S3 bucket's ACL and bucket policy. If the bucket ACL is found to allow public access, the Lambda function overwrites it to be private. If a bucket policy is found, the Lambda function creates an SNS message, puts the policy in the message body, and publishes it to the Amazon SNS topic we created. Bucket policies can be complex, and overwriting your policy may cause unexpected loss of access, so this Lambda function doesn't attempt to alter your policy in any way. https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing
Based on these facts, option D is more appropriate than option B. The correct answers are: Use AWS Config to monitor changes to the S3 bucket; Use an AWS Lambda function to change the bucket ACL.
Caveat: in a current account the first control is S3 Block Public Access at the account and bucket level, which stops public ACLs and policies from taking effect at all; the Config-plus-Lambda pattern then serves as the detective and corrective layer behind it.
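The remediation logic from the second blog post, written out as an added example (this is not the blog's own code, which the page does not reproduce): the function reads the bucket ACL, rewrites it to the private canned ACL if any grant goes to the AllUsers or AuthenticatedUsers groups, and reports a bucket policy to an SNS topic instead of touching it. The S3 and SNS clients are passed in so the logic can run offline against fakes; the topic ARN and the AWS Config custom-rule event shape (invokingEvent carrying configurationItem.resourceName) are assumptions.

```python
"""AWS Config -> Lambda remediation for S3 buckets that become public.

Added example, not the blog post's code. Public ACL grants are removed in
place; a bucket policy is only reported, because overwriting a policy can
cut off legitimate access. Clients are injected so the logic can be tested
with fakes. TOPIC_ARN and the event shape are assumed values.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:s3-public-bucket-alerts"  # assumed


def public_grants(acl: dict) -> list:
    """Return the ACL grants that give any permission to a public group."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def remediate_bucket(bucket: str, s3, sns, topic_arn: str = TOPIC_ARN) -> dict:
    """Fix a public ACL in place; escalate a bucket policy to humans instead."""
    result = {"bucket": bucket, "acl_fixed": False, "policy_reported": False}

    acl = s3.get_bucket_acl(Bucket=bucket)
    if public_grants(acl):
        # Canned ACL 'private' leaves only the bucket owner with FULL_CONTROL.
        s3.put_bucket_acl(Bucket=bucket, ACL="private")
        result["acl_fixed"] = True

    try:
        policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except Exception as exc:  # botocore ClientError carries the code in exc.response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "NoSuchBucketPolicy":
            raise
        policy = None

    if policy is not None:
        sns.publish(
            TopicArn=topic_arn,
            Subject=f"Bucket policy present on {bucket}",
            Message=json.dumps({"bucket": bucket, "policy": json.loads(policy)}, indent=2),
        )
        result["policy_reported"] = True
    return result


def handler(event, context=None, s3=None, sns=None):
    """Lambda entry point for a Config custom rule evaluating one bucket.
    Config delivers invokingEvent as a JSON string (assumed event shape)."""
    if s3 is None or sns is None:
        import boto3  # only needed when running inside Lambda
        s3, sns = boto3.client("s3"), boto3.client("sns")
    invoking = json.loads(event["invokingEvent"])
    bucket = invoking["configurationItem"]["resourceName"]
    return remediate_bucket(bucket, s3, sns)
```

The execution role for this function needs s3:GetBucketAcl, s3:PutBucketAcl, s3:GetBucketPolicy and sns:Publish on the topic, and nothing broader; with S3 Block Public Access also enabled, the ACL branch becomes a safety net rather than the primary control.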
Question 266:
A global company that deals with international finance is investing heavily in cryptocurrencies and wants to experiment with mining technologies using AWS. The company's security team has enabled Amazon GuardDuty and is concerned by the number of findings being generated by the accounts. The security team wants to minimize the possibility of GuardDuty finding false negatives for compromised instances that are performing mining.
How can the security team continue using GuardDuty while meeting these requirements?
A. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool.B!DNS finding and use the suppress findings option.
B. Create a custom AWS Lambda function to process newly detected GuardDuty alerts. Process the CryptoCurrency:EC2/BitcoinTool.B!DNS alert and filter out the high-severity finding types only.
C. When creating a new Amazon EC2 instance, provide the instance with a specific tag that indicates it is performing mining operations. Create a custom AWS Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag.
D. When GuardDuty produces a cryptocurrency finding, process the finding with a custom AWS Lambda function to extract the instance ID from the finding. Then use AWS Systems Manager Run Command to check for a running process performing mining operations.
A. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool.B!DNS finding and use the suppress findings option.
Question 267:
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below
A. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
B. Add a grant to the object's ACL giving full permissions to the bucket owner.
C. Encrypt the object with a KMS key controlled by the company.
D. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
E. Upload the file to the company's S3 bucket
Correct Answer. BE
This scenario is given in the AWS documentation. A bucket owner can enable other AWS accounts to upload objects. These objects are owned by the accounts that created them; the bucket owner does not own objects that were not created by the bucket owner. Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner using an object ACL (the bucket-owner-full-control canned ACL is the usual way). The bucket owner can then delegate those permissions via a bucket policy. In the documented example, the bucket owner delegates permission to users in its own account. Options A and D are invalid because an IAM role cannot be attached to a bucket, and a bucket policy is written by the bucket owner, not the vendor, and cannot give the owner permissions on objects the owner does not own. Option C is not required since encryption is not part of the requirement. For more information on this scenario please see the following link: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to the bucket owner; Upload the file to the company's S3 bucket
Caveat: with the S3 Object Ownership setting "bucket owner enforced" (the default for buckets created since April 2023) ACLs are disabled and the bucket owner automatically owns every object, so the ACL step in option B is no longer needed on such buckets and a PutObject request that specifies an ACL other than bucket-owner-full-control is rejected.
Question 268:
You are planning on using AWS KMS for managing keys for your application. Which of the following can a KMS CMK be used to encrypt directly? Choose 2 answers from the options given below
A. Image Objects
B. Large files
C. Password
D. RSA Keys
C. Password
D. RSA Keys
The CMK itself can only be used to encrypt data that is at most 4 KB (4096 bytes) in size, so it is suited to small secrets such as passwords and RSA private keys. Options A and B are invalid because the CMK can only encrypt small amounts of data, not large files or image objects. For larger data you generate a data key from the CMK (GenerateDataKey), encrypt the data locally with it, and store the encrypted copy of the data key alongside the ciphertext; this is envelope encryption. For more information on the concepts for KMS, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answers are: Password, RSA Keys
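An added example (not from the original page) of the two paths the explanation describes: KMS Encrypt for payloads up to 4096 bytes, and envelope encryption with a data key for anything larger. The KMS client is injected so the flow can be checked against a fake; the key alias is assumed, and the local AES-GCM step uses the third-party cryptography package. The encrypted data key is bound to the ciphertext as associated data, so swapping it inside the envelope makes decryption fail rather than silently return garbage.

```python
"""Direct KMS Encrypt vs. envelope encryption with a data key.

Added example, not code from the original page. KMS Encrypt/Decrypt accept
at most 4096 bytes of plaintext, so small secrets go to KMS directly and
anything larger is encrypted locally under a data key whose encrypted copy
travels with the ciphertext. KEY_ID is an assumed alias; the KMS client is
passed in so the logic can run with a fake.
"""
import os
import struct

KMS_MAX_PLAINTEXT = 4096
KEY_ID = "alias/app-secrets"  # assumed alias


def kms_encrypt_small(kms, plaintext: bytes, key_id: str = KEY_ID) -> bytes:
    """Encrypt under the KMS key directly; refuses anything over the 4 KB limit."""
    if len(plaintext) > KMS_MAX_PLAINTEXT:
        raise ValueError(
            f"{len(plaintext)} bytes exceeds the {KMS_MAX_PLAINTEXT}-byte "
            "KMS Encrypt limit; use envelope_encrypt instead")
    return kms.encrypt(KeyId=key_id, Plaintext=plaintext)["CiphertextBlob"]


def kms_decrypt_small(kms, blob: bytes) -> bytes:
    """Symmetric KMS ciphertext carries its key ID, so no KeyId is needed."""
    return kms.decrypt(CiphertextBlob=blob)["Plaintext"]


def pack_envelope(encrypted_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Serialize [u16 keylen][encrypted key][u8 noncelen][nonce][ciphertext]."""
    return (struct.pack(">H", len(encrypted_key)) + encrypted_key
            + struct.pack(">B", len(nonce)) + nonce + ciphertext)


def unpack_envelope(blob: bytes):
    """Inverse of pack_envelope; returns (encrypted_key, nonce, ciphertext)."""
    klen = struct.unpack(">H", blob[:2])[0]
    encrypted_key = blob[2:2 + klen]
    nlen = blob[2 + klen]
    start = 3 + klen
    return encrypted_key, blob[start:start + nlen], blob[start + nlen:]


def envelope_encrypt(kms, plaintext: bytes, key_id: str = KEY_ID) -> bytes:
    """Encrypt any size locally under a fresh data key; KMS only sees the key."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = os.urandom(12)
    # The encrypted data key is the associated data: tampering with it in the
    # envelope fails the GCM tag check on decrypt.
    ciphertext = AESGCM(dk["Plaintext"]).encrypt(nonce, plaintext, dk["CiphertextBlob"])
    return pack_envelope(dk["CiphertextBlob"], nonce, ciphertext)


def envelope_decrypt(kms, blob: bytes) -> bytes:
    """Ask KMS to unwrap the data key, then decrypt locally."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    encrypted_key, nonce, ciphertext = unpack_envelope(blob)
    data_key = kms.decrypt(CiphertextBlob=encrypted_key)["Plaintext"]
    return AESGCM(data_key).decrypt(nonce, ciphertext, encrypted_key)


def encrypt(kms, plaintext: bytes, key_id: str = KEY_ID) -> tuple:
    """Pick the path by size; returns (mode, blob) so the caller can store the mode."""
    if len(plaintext) <= KMS_MAX_PLAINTEXT:
        return "kms", kms_encrypt_small(kms, plaintext, key_id)
    return "envelope", envelope_encrypt(kms, plaintext, key_id)
```

In production `kms` is `boto3.client("kms")`; the plaintext data key returned by GenerateDataKey should be used once and dropped, never written to disk, which is why the envelope stores only its encrypted copy.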
Question 269:
A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.
The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest.
Which combination of steps will meet these requirements? (Select TWO.)
A. Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
B. Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
D. Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
E. Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.
A. Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/
To implement encryption at rest for both the EC2 instances and the Aurora DB cluster, the following steps are required. For the EC2 instances, modify the EBS default encryption settings in the target AWS Region to enable encryption. This ensures that any new EBS volumes created in that Region are encrypted by default using an AWS managed key; alternatively, you can specify a customer managed key when creating new EBS volumes. For more information, see Amazon EBS encryption. Then use an Auto Scaling group instance refresh to replace the existing EC2 instances with new ones that have encrypted EBS volumes attached. An instance refresh updates all instances in an Auto Scaling group in a rolling fashion without the need to manage the instance replacement process manually. For more information, see Replacing Auto Scaling instances based on an instance refresh.
For the Aurora DB cluster, create a new AWS KMS encrypted DB cluster from a snapshot of the existing DB cluster. You can use either an AWS managed key or a customer managed key to encrypt the new DB cluster. You cannot enable or disable encryption on an existing DB cluster, so you have to create a new one from a snapshot. For more information, see Encrypting Amazon Aurora resources.
The other options are incorrect: B and E name AWS Certificate Manager, which issues TLS certificates and does not encrypt EBS volumes or DB clusters, and D is not possible because encryption cannot be turned on for an existing Aurora DB cluster.
Verified References: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html
Question 270:
Your company has a set of EC2 instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 instances needs to be secure. How would you accomplish this?
A. Use an Application Load Balancer and terminate the SSL connection at the ELB
B. Use a Classic Load Balancer and terminate the SSL connection at the ELB
C. Use an Application Load Balancer and terminate the SSL connection at the EC2 instances
D. Use a Classic Load Balancer and terminate the SSL connection at the EC2 instances
D. Use a Classic Load Balancer and terminate the SSL connection at the EC2 instances
Since some applications use a legacy (non-HTTP) protocol, the load balancer must be able to operate at the transport layer with a TCP listener, which is why the Classic Load Balancer is chosen. Since the traffic must be secure all the way to the EC2 instances, the SSL/TLS session must terminate on the instances, with the load balancer passing the TCP connection through untouched. Options A and C are invalid because an Application Load Balancer only handles HTTP/HTTPS and cannot carry the legacy protocol. Option B is incorrect because terminating at the load balancer does not keep the connection encrypted until the EC2 instance as the mandate requires. For more information on HTTPS listeners for Classic Load Balancers, please refer to https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html
The correct answer is: Use a Classic Load Balancer and terminate the SSL connection at the EC2 instances
Note: a Network Load Balancer with a TCP listener is the current-generation equivalent and passes the encrypted stream through to the instances in the same way.