Amazon SCS-C02 Online Practice Questions and Exam Preparation

Amazon SCS-C02 Online Questions & Answers

• Question 281:

  You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your server's on-premises will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet. Yo will be using VPN gateways and terminating the IPsec tunnels on IAM-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? Choose 4 answers form the options below

  A. End-to-end protection of data in transit
  B. End-to-end Identity authentication
  C. Data encryption across the internet
  D. Protection of data in transit over the Internet
  E. Peer identity authentication between VPN gateway and customer gateway
  F. Data integrity protection across the Internet
  C. Data encryption across the internet
  D. Protection of data in transit over the Internet
  E. Peer identity authentication between VPN gateway and customer gateway
  F. Data integrity protection across the Internet

  ---

  IPSec is a widely adopted protocol that can be used to provide end to end protection for data

• Question 282:

  A company uses Amazon Elastic Container Service (Amazon ECS) containers that have the Fargate launch type. The containers run web and mobile applications that are written in Java and Node.js. To meet network segmentation requirements, each of the company's business units deploys applications in its own dedicated AWS account.

  Each business unit stores container images in an Amazon Elastic Container Registry (Amazon ECR) private registry in its own account.

  A security engineer must recommend a solution to scan ECS containers and ECR registries for vulnerabilities in operating systems and programming language libraries. The company's audit team must be able to identify potential vulnerabilities that exist in any of the accounts where applications are deployed.

  Which solution will meet these requirements?

  A. In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  B. In each account, configure AWS Config to monitor the configuration of the ECS containers and the ECR registry. Configure AWS Config conformance packs for vulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts. Provide the audit team with access to AWS Config in the account where the aggregator is configured.
  C. In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registry. Configure Audit Manager to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  D. In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry. Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  A. In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

• Question 283:

  You have been given a new brief from your supervisor for a client who needs a web application set up on IAM. The a most important requirement is that MySQL must be used as the database, and this database must not be hosted in t?public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the ^ best to assure that the client's requirements are met? Choose the correct answer from the options below

  A. Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.
  B. Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
  C. Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
  D. Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.
  A. Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

  ---

  Since the database should not be hosted on the cloud all other options are invalid. The best option is to create a VPN connection for securing traffic as shown below. Option B is invalid because this is the incorrect use of the Storage gateway Option C is invalid since this is the incorrect use of the NAT instance Option D is invalid since this is an incorrect configuration For more information on VPN connections, please visit the below URL http://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.htmll The correct answer is: Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec Submit your Feedback/Queries to our Experts

• Question 284:

  A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which is used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

  A. Use lifecycle policies for the EBS volumes
  B. Use EBS Snapshots
  C. Use EBS volume replication
  D. Use EBS volume encryption
  B. Use EBS Snapshots

  ---

  Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability Option A is invalid because there is no lifecycle policy for EBS volumes Option C is invalid because there is no EBS volume replication Option D is invalid because EBS volume encryption will not ensure business continuity For information on security for Compute Resources, please visit the below URL: https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

• Question 285:

  You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app , you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue.

  A. Use the IAM Trusted Advisor to see what can be done.
  B. Use VPC Flow logs to diagnose the traffic
  C. Use IAM WAF to analyze the traffic
  D. Use IAM Guard Duty to analyze the traffic
  B. Use VPC Flow logs to diagnose the traffic

  ---

  Option A is invalid because this can be used to check for security issues in your account, but not verify as to why you cannot reach the home page for your application Option C is invalid because this used to protect your app against application layer attacks, but not verify as to why you cannot reach the home page for your application Option D is invalid because this used to protect your instance against attacks, but not verify as to why you cannot reach the home page for your application The IAM Documentation mentions the following VPC Flow Logs capture network flow information for a VPC, subnet or network interface and stores it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security toi to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviors. For more information on IAM Security, please visit the following URL: https://IAM.amazon.com/answers/networking/vpc-security-capabilities> The correct answer is: Use VPC Flow logs to diagnose the traffic Submit your Feedback/Queries to our Experts

• Question 286:

  A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

  Which solution will meet this requirement?

  A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.
  B. Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
  C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.
  D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
  D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.

  ---

  This answer is correct because AWS Shield Advanced is a service that provides comprehensive protection against DDoS attacks of any size or duration. It also provides metrics and reports on the DDoS attack vectors, duration, and size. You can create an Amazon CloudWatch alarm that monitors Shield Advanced metrics such as DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond to receive alerts if a DDoS attack occurs against your account. For more information, see Monitoring AWS Shield Advanced with Amazon CloudWatch and AWS Shield Advanced metrics and alarms.

• Question 287:

  A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.

  A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.

  A security engineer must implement a solution that detects EC2 instances ttjat do not have the required software. The solution also must automatically install the software if the software is not present.

  Which solution will meet these requirements?

  A. Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
  B. Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
  C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
  D. Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
  C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

  ---

  Utilizing AWS Config with a custom AWS Config rule (ec2-managedinstance- applications-required) enables detection of EC2 instances lacking the required software across all accounts in an organization. By creating an Amazon EventBridge rule that triggers on AWS Config events, and configuring it to invoke an AWS Lambda function, automated actions can be taken to ensure compliance. The Lambda function can leverage AWS Systems Manager Run Command to install the necessary software on non-compliant instances. This approach ensures continuous compliance and automated remediation, aligning with best practices for cloud security and management.

• Question 288:

  A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

  The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

  After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

  What should the security engineer do to isolate the target instance?

  A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
  B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
  C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
  D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.
  B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

• Question 289:

  Which of the following is the responsibility of the customer? Choose 2 answers from the options given below.

  A. Management of the Edge locations
  B. Encryption of data at rest
  C. Protection of data in transit
  D. Decommissioning of old storage devices
  B. Encryption of data at rest
  C. Protection of data in transit

  ---

  Below is the snapshot of the Shared Responsibility Model For more information on IAM Security best practises, please refer to below URL IAMstatic corn/whitepapers/Security/IAM Practices. The correct answers are: Encryption of data at rest Protection of data in transit Submit your Feedback/ Queries to our Experts

• Question 290:

  A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).

  What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

  A. Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
  B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.
  C. Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.
  D. Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used. Create a metric filter and an Amazon CloudWatch dashboard. Track the metric in the dashboard.
  B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.

  ---

  The EC2:MetadataNoToken CloudWatch metric tracks the number of instance metadata requests that do not use a token, which indicates the use of Instance Metadata Service Version 1 (IMDSv1). By creating a CloudWatch dashboard to monitor this metric, the security engineer can easily confirm if any instances are still using IMDSv1. If the metric is zero, it means that IMDSv2 is being used and IMDSv1 is no longer in use.