Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 351:
An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances.
Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets.
A security engineer creates a new network ACL named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and private-subnet-2 cannot communicate with each other.
Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)
A. Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
B. Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
D. Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
The AWS documentation states that you can add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL and an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL. This will allow the EC2 instances that are running in these two subnets to communicate again.
Reference: Amazon VPC User Guide
Question 352:
A company hired an external consultant who needs to use a laptop to access the company's VPCs. Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources.
Which solution will meet these requirements?
A. Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
B. Create an AWS account. Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.
C. Create an AWS Client VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
D. Create a gateway VPC endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
C. Create an AWS Client VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
AWS Client VPN allows external users (such as the consultant) to securely access resources in a VPC. By creating a Client VPN endpoint and configuring the appropriate subnet and authorization rules, you can provide access to the peered VPCs without giving unnecessary access to other network resources. This solution is secure, scalable, and meets the requirement of limiting access to only the necessary VPCs.
Question 353:
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?
A. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
C. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
Follow the link: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html
Question 354:
You have an S3 bucket hosted in AWS. It is used to host promotional videos that you upload. You need to provide users with access for a limited duration of time. How can this be achieved?
A. Use versioning and enable a timestamp for each version
B. Use pre-signed URLs
C. Use IAM Roles with a timestamp to limit the access
D. Use IAM policies with a timestamp to limit the access
B. Use pre-signed URLs
The AWS documentation mentions the following: all objects are private by default. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.
Option A is invalid because versioning is used to prevent accidental deletion of objects. Option C is invalid because timestamps are not possible for roles. Option D is invalid because policies are not the right way to limit access based on time.
For more information on pre-signed URLs, please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
The correct answer is: Use pre-signed URLs
Question 355:
You have a set of 100 EC2 instances in an AWS account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.
A. Ensure a NAT gateway is present to download the updates
B. Use Systems Manager to patch the instances
C. Ensure an internet gateway is present to download the updates
D. Use AWS Inspector to patch the updates
A. Ensure a NAT gateway is present to download the updates
B. Use Systems Manager to patch the instances
Option C is invalid because the instances need to remain in the private subnet. Option D is invalid because AWS Inspector can only detect missing patches; it does not apply them.
One of the AWS security blog posts describes how patching of Linux servers can be accomplished (the post includes a diagram of the architecture setup). For more information on patching Linux workloads in AWS, please refer to: https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/
The correct answers are: Ensure a NAT gateway is present to download the updates. Use Systems Manager to patch the instances.
Question 356:
A company used AWS Organizations to set up an environment with multiple AWS accounts. The company's organization currently has two AWS accounts, and the company expects to add more than 50 AWS accounts during the next 12 months. The company will require all existing and future AWS accounts to use Amazon GuardDuty. Each existing AWS account has GuardDuty active. The company reviews GuardDuty findings by logging into each AWS account individually.
The company wants a centralized view of the GuardDuty findings for the existing AWS accounts and any future AWS accounts. The company also must ensure that any new AWS account has GuardDuty automatically turned on.
Which solution will meet these requirements?
A. Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization.
B. Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the option to automatically add new AWS accounts to the organization.
C. Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator account for Security Hub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization. Send all Security Hub findings to the organization's GuardDuty account.
D. Enable AWS Security Hub in the organization's management account. Configure GuardDuty within the management account to send all GuardDuty findings to Security Hub.
A. Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization.
Question 357:
A company wants to deploy a continuous security threat-detection service at scale to automatically analyze all the company's member accounts in AWS Organizations within the ap-east-1 Region.
The company's organization includes a management account, a security account, and many member accounts.
When the company creates a new member account, the threat-detection service should automatically analyze the new account so that the company can review any findings from the security account.
Which solution uses AWS security best practices and meets these requirements with the LEAST effort?
A. Activate Amazon GuardDuty in ap-east-1. Designate the security account as the GuardDuty delegated administrator by using the console.
B. Activate Amazon GuardDuty in ap-east-1 with trusted access to AWS Organizations. Designate the management account as the GuardDuty organization administrator.
C. Activate AWS Security Hub in ap-east-1. Designate the management account as the Security Hub delegated administrator by using the console.
D. Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations. Designate the security account as the organization administrator.
B. Activate Amazon GuardDuty in ap-east-1 with trusted access to AWS Organizations. Designate the management account as the GuardDuty organization administrator.
Question 358:
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS services, together, can satisfy this use case? (Select two.)
A. Amazon Elasticsearch
B. Amazon Kinesis
C. Amazon SQS
D. Amazon CloudWatch
E. Amazon Athena
A. Amazon Elasticsearch
B. Amazon Kinesis
Reference: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html#amazon-athena
Question 359:
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?
A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.
B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
D. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.
B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per Region.
Reference: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html
Question 360:
A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).
The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.
Which combination of steps should the security engineer take to remediate this scenario? (Choose two.)
A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
C. Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.
D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
E. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.
A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
Option A: A NAT gateway should be provisioned in the public subnet to allow instances in the private subnet to send traffic to the internet (for updates, etc.) without exposing them directly to the internet. This ensures that private traffic can go through the NAT gateway while public traffic uses the internet gateway.
Option D: For private subnets, traffic that needs to go to the internet should be routed through the NAT gateway, not the internet gateway. Modifying the route tables of the private subnets to use the NAT gateway ensures this traffic is properly routed.
These steps ensure that private subnets route their internet-bound traffic through the NAT gateway, while public subnets route directly through the internet gateway, resolving the issue.