Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 321:
A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2, and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:
When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2, and User3. Which solution meets these requirements?
A. Option A B. Option B C. Option C D. Option D
A. Option A
Question 322:
The CFO of a company wants to allow one of his employees to view only the IAM usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the IAM usage report page?
A. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing" B. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*" C. "Effect": "Allow", "Action": ["IAM-portal:ViewUsage", "IAM-portal:ViewBilling"], "Resource": "*" D. "Effect": "Allow", "Action": ["IAM-portal:ViewBilling"], "Resource": "*"
C. "Effect": "Allow", "Action": ["IAM-portal:ViewUsage", "IAM-portal:ViewBilling"], "Resource": "*" The IAM documentation lists the access required for a user to view the Usage Reports page, and Option C matches it, so Option C is the right answer.
Question 323:
A company has two AWS accounts. One account is for development workloads. The other account is for production workloads. For compliance reasons, the production account contains all the AWS Key Management Service (AWS KMS) keys that the company uses for encryption.
The company applies an IAM role to an AWS Lambda function in the development account to allow secure access to AWS resources. The Lambda function must access a specific KMS customer managed key that exists in the production account to encrypt the Lambda function's data.
Which combination of steps should a security engineer take to meet these requirements? (Select TWO.)
A. Configure the key policy for the customer managed key in the production account to allow access to the Lambda service. B. Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account. C. Configure a new IAM policy in the production account with permissions to use the customer managed key. Apply the IAM policy to the IAM role that the Lambda function in the development account uses. D. Configure a new key policy in the development account with permissions to use the customer managed key. Apply the key policy to the IAM role that the Lambda function in the development account uses. E. Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.
B. Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account. E. Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.
To allow a Lambda function in one AWS account to access a KMS customer managed key in another AWS account, the following steps are required:
Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account. A key policy is a resource-based policy that defines who can use or manage a KMS key. To grant cross-account access to a KMS key, you must specify the AWS account ID and the IAM role ARN of the external principal in the key policy statement. For more information, see Allowing users in other accounts to use a KMS key.
Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account. An IAM policy is an identity-based policy that defines what actions an IAM entity can perform on which resources. To allow an IAM role to use a KMS key in another account, you must specify the KMS key ARN and the kms:Encrypt action (or any other action that requires access to the KMS key) in the IAM policy statement. For more information, see Using IAM policies with AWS KMS.
This solution will meet the requirements of allowing secure access to a KMS customer managed key across AWS accounts. The other options are incorrect because they either do not grant cross-account access to the KMS key (A, C), or do not use a valid policy type for KMS keys (D).
Verified References: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
Question 324:
You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?
A. Enable server access logging for the bucket B. Enable CloudWatch metrics for the bucket C. Enable CloudWatch logs for the bucket D. Enable AWS Config for the S3 bucket
A. Enable server access logging for the bucket
The AWS documentation states the following: To track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any.
Options B and C are incorrect because CloudWatch is used for metrics and logging and cannot be used to track individual access requests. Option D is incorrect since AWS Config is used for configuration management, not for tracking S3 bucket requests. For more information on S3 server access logs, refer to https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Question 325:
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.
Which of the following troubleshooting steps should be performed?
A. Check inbound and outbound security groups, looking for DENY rules. B. Check inbound and outbound Network ACL rules, looking for DENY rules. C. Review the rejected packet reason codes in the VPC Flow Logs. D. Use AWS X-Ray to trace the end-to-end application flow.
B. Check inbound and outbound Network ACL rules, looking for DENY rules.
Question 326:
A customer has an instance hosted in the AWS Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?
A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
Options A and B are invalid because the default NACL rules already allow all inbound and outbound traffic. The requirement is that the IT administrator should be able to access this EC2 instance from his workstation, so the security group of the EC2 instance must allow traffic from the IT administrator's workstation. Hence option C is correct. Option D is incorrect because the inbound SSH rule must be on the EC2 instance's security group, since the traffic originates from the IT admin's workstation.
Question 327:
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.
What should the security engineer do to resolve this error?
A. Import the key material into AWS Key Management Service (AWS KMS). B. Manually upload the new host key to the AWS trusted host keys database. C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile. D. Create a new SSH key pair for the EC2 instance.
B. Manually upload the new host key to the AWS trusted host keys database.
To set up a CloudFront distribution for an S3 bucket that hosts a static website, and to allow only specified IP addresses to access the website, the following steps are required:
Create a CloudFront origin access identity (OAI), which is a special CloudFront user that you can associate with your distribution. An OAI allows you to restrict access to your S3 content by using signed URLs or signed cookies. For more information, see Using an origin access identity to restrict access to your Amazon S3 content.
Create the S3 bucket policy so that only the OAI has access. This will prevent users from accessing the website directly by using S3 URLs, as they will receive an Access Denied error. To do this, use the AWS Policy Generator to create a bucket policy that grants s3:GetObject permission to the OAI, and attach it to the S3 bucket. For more information, see Restricting access to Amazon S3 content by using an origin access identity.
Create an AWS WAF web ACL and add an IP set rule. AWS WAF is a web application firewall service that lets you control access to your web applications. An IP set is a condition that specifies a list of IP addresses or IP address ranges that requests originate from. You can use an IP set rule to allow or block requests based on the IP addresses of the requesters. For more information, see Working with IP match conditions.
Associate the web ACL with the CloudFront distribution. This will ensure that the web ACL filters all requests for your website before they reach your origin. You can do this by using the AWS WAF console, API, or CLI. For more information, see Associating or disassociating a web ACL with a CloudFront distribution.
This solution will meet the requirements of allowing only specified IP addresses to access the website and preventing direct access by using S3 URLs. The other options are incorrect because they either do not create a CloudFront distribution for the S3 bucket (A), do not use an OAI to restrict access to the S3 bucket, or do not use AWS WAF to block traffic from outside the specified IP addresses (D).
Verified References: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html
Question 328:
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?
A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances. B. Purchase an external certificate, and upload it to AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate. C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate. D. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
Question 329:
A company has a new web-based account management system for an online game. Players create a unique username and password to log in to the system.
The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system.
The company's security team finds that the system was the target of a credential stuffing attack. Credentials that were exposed in other breaches were used to try to log in to the system.
The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future. The solution also must minimize impact on legitimate users of the system.
Which combination of actions will meet these requirements? (Choose two.)
A. Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address. B. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf:managed:aws:atp:signal:credential_compromised label. C. Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in. D. Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses. Block any IP addresses that generate many successful logins. E. Create a custom block response that redirects users to a secure workflow to reset their password inside the system.
A. Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address. B. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf:managed:aws:atp:signal:credential_compromised label.
Explanation: Creating a CloudWatch custom metric to monitor the number of successful login responses from a single IP address can help identify unusual patterns that might indicate credential stuffing. This allows for additional monitoring and detection without immediately impacting legitimate users. The AWS WAF Account Takeover Prevention (ATP) rule group is specifically designed to detect and mitigate credential stuffing attacks. By configuring ATP to inspect login requests and blocking requests with the awswaf:managed:aws:atp:signal:credential_compromised label, the security team can significantly reduce the chances of successful credential stuffing attacks. This approach targets compromised credentials while minimizing impact on legitimate users.
Question 330:
A company uses Amazon Cognito for external user authentication for a web application. External users report that they can no longer log in to the application. What is the FIRST step that a security engineer should take to troubleshoot the problem?
A. Review AWS CloudTrail logs to identify authentication errors that relate to Cognito users. B. Use AWS Identity and Access Management Access Analyzer to delete all unused IAM roles and users. C. Review any recent changes in Cognito configuration, IAM policies, and role trust policies to identify issues. D. Write a script that uses CLI commands to reset all user passwords in the Cognito user pool.
C. Review any recent changes in Cognito configuration, IAM policies, and role trust policies to identify issues.
References: Troubleshooting Amazon Cognito User Pools; Configuring App Clients in Cognito; IAM Roles for Cognito