Amazon SCS-C02 Online Practice Questions and Exam Preparation

Amazon SCS-C02 Online Questions & Answers

• Question 311:

  To meet regulatory requirements, a security engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.

  What policy should the Engineer implement?

  

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  C. Option C

• Question 312:

  A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.

  Which solution will meet these requirements?

  A. Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.
  B. Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.
  C. Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.
  D. Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.
  B. Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

• Question 313:

  Your company uses IAM to host its resources. They have the following requirements

  1) Record all API calls and Transitions 2) Help in understanding what resources are there in the account 3) Facility to allow auditing credentials and logins

  Which services would suffice the above requirements?

  A. IAM Inspector, CloudTrail, IAM Credential Reports
  B. CloudTrail. IAM Credential Reports, IAM SNS
  C. CloudTrail, IAM Config, IAM Credential Reports
  D. IAM SQS, IAM Credential Reports, CloudTrail
  C. CloudTrail, IAM Config, IAM Credential Reports

  ---

  You can use IAM CloudTrail to get a history of IAM API calls and related events for your account. This history includes calls made with the IAM Management Console, IAM Command Line Interface, IAM SDKs, and other IAM services. Options A,B and D are invalid because you need to ensure that you use the services of CloudTrail, IAM Config, IAM Credential Reports For more information on Cloudtrail, please visit the below URL: http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-user-guide.html IAM Config is a service that enables you to assess, audit and evaluate the configurations of your IAM resources. Config continuously monitors and records your IAM resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between IAM resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, char management and operational troubleshooting. For more information on the config service, please visit the below URL https://IAM.amazon.com/config/ You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the IAM Management Console, the IAM SDKs and Command Line Tools, or the IAM API. For more information on Credentials Report, please visit the below URL: http://docs.IAM.amazon.com/IAM/latest/UserGuide/id credentials_getting-report.html The correct answer is: CloudTrail, IAM Config, IAM Credential Reports Submit your Feedback/Queries to our Experts

• Question 314:

  Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.

  Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.

  The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.

  How will the security engineer be able to comply with these requirements?

  A. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
  B. Configure the DB instanceTMs inbound network ACL to deny traffic from the security group ID of the NAT gateway.
  C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
  D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
  C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

  ---

  Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.

• Question 315:

  Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?

  A. Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
  B. Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.
  C. Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.
  D. Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
  D. Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

  ---

  The below diagram from an IAM blog shows how security groups can be monitored Option A is invalid because you need to use Cloudwatch Events to check for chan, Option B is invalid because you need to use Cloudwatch Events to check for chang Option C is invalid because IAM inspector is not used to monitor the activity on Security Groups For more information on monitoring security groups, please visit the below URL: Ihttpsy/IAM.amazon.com/blogs/security/how-to-automatically-revert-and-receive- notifications-about-changes-to-your-amazonj 'pc-security-groups/ The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well. Submit your Feedback/Queries to our Experts

• Question 316:

  A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied

  Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

  A. Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.
  B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations
  C. Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.
  D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
  E. Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role in the member account
  B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations
  E. Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role in the member account

• Question 317:

  Which of the following is the most efficient way to automate the encryption of IAM CloudTrail logs using a Customer Master Key (CMK) in IAM KMS?

  A. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
  B. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
  C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
  D. Use encrypted API endpoints so that all IAM API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
  C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.

  ---

  Explanation Explanation/Reference:https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

• Question 318:

  A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.0/0. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant.

  A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups.

  What should the security engineer do next to meet these requirements?

  A. Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricted-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.
  B. Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.
  C. Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
  D. Configure an Amazon CloudWatch alarm on the CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
  B. Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.

  ---

  AWS Config automatically generates compliance change events when a rule, such as the restricted-ssh managed rule, detects noncompliance. By setting up an Amazon EventBridge event rule that listens for compliance change events specifically related to this rule, you can quickly trigger a notification via Amazon SNS whenever a security group violates the rule. This provides near-real-time notifications with minimal operational overhead, directly addressing the requirement.

• Question 319:

  You are designing a custom IAM policy that would allow uses to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

  

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  A. Option A

  ---

  The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated. Option B and C are wrong since the IAM:MultiFactorAuthPresent clause should be marked as true. Here you are saying that onl if the user has been MFA activated, that means it is true, then allow access. Option D is invalid because the "boor clause is missing in the evaluation for the condition clause. Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false." Here in this scenario the boot attribute in the condition element will return a value True for option A which will ensure that access is allowed on S3 resources. For more information on an example on such a policy, please visit the following URL:

• Question 320:

  A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub, which the company has configured for the organization.

  The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the solution must scan the workloads.

  Which solution will meet these requirements?

  A. Use SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.
  B. Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers
  C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
  D. Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers.
  C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.