Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 271:
A company has an application that is accessed through an Application Load Balancer (ALB).
The application has run for more than 6 months in production and uses Amazon CloudWatch for metrics.
A security engineer must implement a solution to detect surges in traffic.
The solution must notify an existing Amazon Simple Notification Service (Amazon SNS) topic when these surges occur.
Which solution will meet these requirements?
A. Enable CloudWatch Anomaly Detection for the appropriate ALB metrics. Create alarms based on metric anomaly detection. Configure the alarms to notify the SNS topic when the alarms are in ALARM state.
B. Implement CloudWatch Contributor Insights. Create a Contributor Insights rule that searches for values that are higher than normal for the appropriate metrics for the ALB. Configure the rule to notify the SNS topic if the values are detected.
C. Create an AWS WAF web ACL for the ALB. Include a rate-based rule that counts the requests and compares the number to the previous highest number of requests per second. Configure the rate-based rule action to target the SNS topic when the rule is matched.
D. Enable Amazon GuardDuty. Create an Amazon EventBridge rule that runs when GuardDuty detects a finding that the ALB has exceeded its normal traffic patterns. Configure the SNS topic as the target of the rule.
Answer: A. Enable CloudWatch Anomaly Detection for the appropriate ALB metrics. Create alarms based on metric anomaly detection. Configure the alarms to notify the SNS topic when the alarms are in ALARM state.
Question 272:
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.
To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.
What should the security engineer do next?
A. Place the network interface in promiscuous mode to capture the traffic.
B. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
D. Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.
Answer: C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
Question 273:
A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from a small number of client IP addresses, but the addresses change regularly.
The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.
Which solution meets these requirements?
A. Create an AWS WAF rate-based rule, and attach it to the ALB.
B. Update the security group that is attached to the ALB to block the attacking IP addresses.
C. Update the ALB subnet's network ACL to block the attacking client IP addresses.
D. Create an AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.
Answer: A. Create an AWS WAF rate-based rule, and attach it to the ALB.
Question 274:
A security engineer must implement monitoring of a company's Amazon Aurora MySQL DB instances. The company wants to receive email notifications when unknown users try to log in to the database endpoint.
Which solution will meet these requirements with the LEAST operational overhead?
A. Enable Amazon GuardDuty. Enable the Amazon RDS Protection feature in GuardDuty to detect login attempts by unknown users. Create an Amazon EventBridge rule to filter GuardDuty findings. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).
B. Enable the server_audit_logging parameter on the Aurora MySQL DB instances. Use AWS Lambda to periodically scan the delivered log files for login attempts by unknown users. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).
C. Create an Amazon RDS Custom AMI. Include a third-party security agent in the AMI to detect login attempts by unknown users. Deploy RDS Custom DB instances. Migrate data from the existing installation to the RDS Custom DB instances. Configure email notifications from the third-party agent.
D. Write a stored procedure to detect login attempts by unknown users. Schedule a recurring job inside the database engine. Configure Aurora MySQL to use Amazon Simple Notification Service (Amazon SNS) to send email notifications.
Answer: A. Enable Amazon GuardDuty. Enable the Amazon RDS Protection feature in GuardDuty to detect login attempts by unknown users. Create an Amazon EventBridge rule to filter GuardDuty findings. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).
Question 275:
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department suspects that a DDoS attack is coming from a suspect IP. How can you protect the subnets from this attack?
A. Change the inbound security groups to deny access from the suspect IP
B. Change the outbound security groups to deny access from the suspect IP
C. Change the inbound NACL to deny access from the suspect IP
D. Change the outbound NACL to deny access from the suspect IP
Answer: C. Change the inbound NACL to deny access from the suspect IP.
Options A and B are invalid because, by default, security groups already block traffic. You can use NACLs as an additional security layer for the subnet to deny traffic. Option D is invalid since changing the inbound rules alone is sufficient.
The AWS documentation mentions the following: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Question 276:
You have an EC2 instance in a private subnet which needs to access the KMS service.
Which of the following methods can help fulfil this requirement, keeping security in perspective?
A. Use a VPC endpoint
B. Attach an Internet gateway to the subnet
C. Attach a VPN connection to the VPC
D. Use VPC Peering
Answer: A. Use a VPC endpoint.
The AWS documentation mentions the following: You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
Option B is invalid because this could open threats from the internet. Option C is invalid because this is normally used for communication between on-premises environments and AWS. Option D is invalid because this is normally used for communication between VPCs.
For more information on accessing KMS via an endpoint, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
Question 277:
Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket. How can this be achieved?
A. Enable VPC flow logs to know the source IP addresses
B. Monitor the S3 API calls by using CloudTrail logging
C. Monitor the S3 API calls by using CloudWatch logging
D. Enable Amazon Inspector for the S3 bucket
Answer: B. Monitor the S3 API calls by using CloudTrail logging.
The AWS documentation mentions the following: Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API. Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on.
Options A, C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets.
For more information on CloudTrail logging, please refer to the following link: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
Question 278:
You currently operate a web application in the AWS US-East Region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM, and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?
A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies, and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
B. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
C. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
D. Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management Console, one for AWS SDKs, and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
Answer: B. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.
AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account. CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets. You need to ensure that all services are included. Hence option B is partially correct.
Option B is invalid because you need to ensure that the global services option is selected. Option C is invalid because you should use bucket policies. Option D is invalid because you should ideally just create one S3 bucket.
For more information on CloudTrail, please visit the following URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
The correct answer is: Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies, and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
Question 279:
Which of the following is not a best practice for carrying out a security audit?
Please select:
A. Conduct an audit on a yearly basis
B. Conduct an audit if application instances have been added to your account
C. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
D. Whenever there are changes in your organization
Answer: A. Conduct an audit on a yearly basis.
A year is generally too long a gap between security audits. The AWS documentation mentions the following: You should audit your security configuration in the following situations: on a periodic basis; if there are changes in your organization, such as people leaving; if you have stopped using one or more individual AWS services (this is important for removing permissions that users in your account no longer need); if you've added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.; if you ever suspect that an unauthorized person might have accessed your account.
Options B, C and D are all recommended best practices when it comes to conducting audits.
For more information on the security audit guidelines, please visit the following URL: https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
Question 280:
A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be implemented.
Which statement should the security specialist include in the policy?