Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 361:
A company manages three separate AWS accounts for its production, development, and test environments. Each developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?
A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
C. Create a temporary IAM user for the application to use in the production account.
D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.
A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
Question 362:
An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack in which the attacker is exploiting a bug in a popular mobile game.
The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)
What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?
A. Create a rule in AWS WAF with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header.
B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions.
C. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
D. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating requests that contain ExampleGame/1.22 in the User-Agent header.
A. Create a rule in AWS WAF with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header.
Explanation: Since every attack request carries the HTTP User-Agent header set to the string Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0), it is much easier to block the attack by simply denying traffic that matches that header value, while legitimate requests with other User-Agent values continue to be served.
Question 363:
A company has been using the AWS KMS service for managing its keys. They are planning to carry out housekeeping activities and delete keys that are no longer in use. What are the ways that can be used to see which keys are in use? Choose 2 answers from the options given below.
A. Determine the age of the master key
B. See who is assigned permissions to the master key
C. See CloudTrail for usage of the key
D. Use Amazon CloudWatch Events for events generated for the key
B. See who is assigned permissions to the master key
C. See CloudTrail for usage of the key
Explanation: The direct ways to see how a key is being used are to check its current access permissions and the CloudTrail logs. Option A is invalid because how long ago the key was created does not indicate whether the key is used. Option D is invalid because CloudTrail is the better source for the events generated by the key. This is also mentioned in the AWS documentation:
Examining CMK Permissions to Determine the Scope of Potential Usage: Determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CMK was used and whether it is still needed. To learn how to determine who or what currently has access to a CMK, go to Determining Access to an AWS KMS Customer Master Key.
Examining AWS CloudTrail Logs to Determine Actual Usage: AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files. If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history. You might be able to use a CMK's usage history to help you determine whether or not you still need it.
For more information on determining the usage of CMKs, see: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html
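The documentation passage above says to use CloudTrail to see a CMK's actual usage. The following Python is an added example, not material from this page: it scans a constructed CloudTrail log file for cryptographic KMS API calls per key ARN and lists the candidate keys with no such use since a given time. The key ARNs, account id and records are sample values; metadata-only calls such as DescribeKey are deliberately not counted as usage.

```python
import json

# Constructed CloudTrail log file (same "Records" shape as a real one); sample data, not real.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"}]},
    {"eventTime": "2024-05-02T11:30:00Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"}]},
    {"eventTime": "2024-05-03T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"}]},
    {"eventTime": "2024-05-03T09:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/object"}]},
]})

# Metadata-only calls show that someone looked at the key, not that it still protects data.
METADATA_EVENTS = {"DescribeKey", "GetKeyPolicy", "GetKeyRotationStatus", "ListGrants", "ListAliases"}

def kms_usage(trail_json, since):
    """Return {key_arn: {"calls": n, "callers": set, "last": time}} for cryptographic
    KMS API calls recorded at or after `since` (ISO-8601 UTC, e.g. 2024-04-01T00:00:00Z)."""
    usage = {}
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec["eventName"] in METADATA_EVENTS or rec["eventTime"] < since:
            continue
        for res in rec.get("resources", []):
            arn = res.get("ARN", "")
            if not arn.startswith("arn:aws:kms:"):
                continue
            entry = usage.setdefault(arn, {"calls": 0, "callers": set(), "last": ""})
            entry["calls"] += 1
            entry["callers"].add(rec.get("userIdentity", {}).get("arn", "unknown"))
            entry["last"] = max(entry["last"], rec["eventTime"])
    return usage

def unused_keys(trail_json, candidate_keys, since):
    """Keys from `candidate_keys` with no cryptographic use since `since`: candidates for
    scheduled deletion, after also reviewing who still holds permissions on them."""
    used = kms_usage(trail_json, since)
    return sorted(k for k in candidate_keys if k not in used)
```

Point the same functions at the "Records" files CloudTrail delivers to S3 for the region where the CMK lives; keys that never appear in `kms_usage` over the retention window are the ones to review for deletion.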
Question 364:
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:
"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared."
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE)
A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
B. Allow forensics account principals to use the CMK by modifying its policy.
C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
D. Copy the EBS snapshot to the new decrypted snapshot.
E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
F. Share the target EBS snapshot with the forensics account.
A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
B. Allow forensics account principals to use the CMK by modifying its policy.
F. Share the target EBS snapshot with the forensics account.
Question 365:
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
A. Encrypt the EBS volumes of the underlying EC2 Instances
B. Use AWS KMS Customer Default master key
C. Use SSL/TLS for encrypting the data
D. Use S3 Encryption
B. Use AWS KMS Customer Default master key
Explanation: The AWS documentation mentions the following: Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys. Option A is invalid because it is the cluster that needs to be encrypted. Option C is invalid because this encrypts data in transit, not data at rest. Option D is invalid because this is used only for objects in S3 buckets. For more information on Redshift encryption, see: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
Question 366:
A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.
The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.
Which solution will meet these requirements with the LEAST operational effort?
A. Designate an Amazon GuardDuty administrator account in the organization's management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.
B. Designate a monitoring account. Share Amazon CloudWatch logs from all accounts with the monitoring account. Configure Aurora to publish all logs to CloudWatch. Use Amazon Inspector in the monitoring account to evaluate the CloudWatch logs.
C. Create a central Amazon S3 bucket in the organization's management account. Configure AWS CloudTrail in all AWS accounts to deliver CloudTrail logs to the S3 bucket. Configure Aurora to publish all logs to CloudTrail. Use Amazon Athena to query the CloudTrail logs in the S3 bucket for security issues.
D. Designate a monitoring account. Share Amazon CloudWatch logs from all accounts with the monitoring account. Subscribe an Amazon Kinesis data stream to the CloudWatch logs. Create AWS Lambda functions to process log records in the data stream to detect security issues.
A. Designate an Amazon GuardDuty administrator account in the organization's management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.
Explanation: Amazon GuardDuty is a managed threat detection service that provides security monitoring for AWS accounts and resources, including Amazon EKS and Amazon RDS (Aurora) environments, with built-in capabilities for detecting security-related issues. By designating a GuardDuty administrator account and enabling GuardDuty for all accounts in the organization, the company can achieve centralized, automated threat detection with minimal operational overhead. Enabling EKS Protection and RDS Protection in GuardDuty specifically covers security threats for Kubernetes and Aurora databases, aligning with the company's architecture and requirements.
Question 367:
A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named myFunction.
When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an "error loading Log Streams" message appears.
The IAM policy for the Lambda function's execution role contains the following:
How should the security engineer correct the error?
A. Move the logs:CreateLogGroup action to the second Allow statement.
B. Add the logs:PutDestination action to the second Allow statement.
C. Add the logs:GetLogEvents action to the second Allow statement.
D. Add the logs:CreateLogStream action to the second Allow statement.
D. Add the logs:CreateLogStream action to the second Allow statement.
Explanation: CloudWatchLogsReadOnlyAccess does not include "logs:CreateLogStream", but it does include "logs:Get*". See the CloudWatchLogsReadOnlyAccess section of https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html
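The execution-role policy from the question is not reproduced on this page, so the following Python, an added example rather than anything from the page, uses a constructed stand-in whose second statement is modelled on the CloudWatchLogsReadOnlyAccess action list. It checks which of the CloudWatch Logs actions Lambda needs to write its log stream are missing from a policy, using IAM-style wildcard matching on both action and resource, and applies the fix from answer D. The region, account id and log group ARN are sample values.

```python
import copy
import fnmatch

# Actions the Lambda service needs to create the function's log group and stream and write to them.
LAMBDA_LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
LOG_STREAM_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/myFunction:*"

# Constructed stand-in for the policy in the question (sample account/region values).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup",
         "Resource": "arn:aws:logs:us-east-1:111122223333:*"},
        {"Effect": "Allow",
         "Action": ["logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery",
                    "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents",
                    "logs:PutLogEvents"],
         "Resource": LOG_STREAM_ARN},
    ],
}

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _allows(stmt, action, resource):
    """True if an Allow statement covers `action` on `resource` (IAM '*' wildcards, case-insensitive action)."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                      for pat in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok

def missing_log_actions(policy, resource=LOG_STREAM_ARN):
    """Return the required CloudWatch Logs actions that no Allow statement grants on `resource`."""
    return [a for a in LAMBDA_LOG_ACTIONS
            if not any(_allows(s, a, resource) for s in policy["Statement"])]

def add_action(policy, statement_index, action):
    """Return a copy of `policy` with `action` appended to the given statement (the fix in answer D)."""
    fixed = copy.deepcopy(policy)
    stmt = fixed["Statement"][statement_index]
    stmt["Action"] = _as_list(stmt["Action"]) + [action]
    return fixed
```

Running `missing_log_actions(SAMPLE_POLICY)` reports only logs:CreateLogStream, which is why the log stream is never created and the console cannot load it; after `add_action(SAMPLE_POLICY, 1, "logs:CreateLogStream")` nothing is missing.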
Question 368:
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:
The centralized S3 bucket policy looks like this:
Why is the Security Engineer unable to access the log files?
A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
C. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.
D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
C. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.
Question 369:
You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.
A. Place the EC2 Instance with the Oracle database in the same public subnet as the web server for faster communication
B. Place the EC2 Instance with the Oracle database in a separate private subnet
C. Create a database security group and allow incoming access from the web security group
D. Ensure the database security group allows incoming traffic from 0.0.0.0/0
B. Place the EC2 Instance with the Oracle database in a separate private subnet
C. Create a database security group and allow incoming access from the web security group
Explanation: The most secure option is to place the database in a private subnet. The diagram in the AWS documentation shows this setup. Also ensure that access is not allowed from all sources but only from the web servers. Option A is invalid because databases should not be placed in the public subnet. Option D is invalid because the database security group should not allow traffic from the internet. For more information on this type of setup, see: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
Question 370:
A company wants to automate the creation of a security report. The company has an AWS Lambda function that gathers data from Amazon Inspector findings stored in AWS Security Hub in the us-west-2 Region. The Lambda function then needs to create a daily report by using an Amazon EventBridge schedule.
A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions.
Which solution will meet these requirements?
A. Create a resource-based policy that allows Security Hub access to the ARN of the Lambda function.
B. Attach the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function's execution role.
C. Grant the Lambda function's execution role read-only permissions to access Amazon Inspector and Security Hub.
D. Create a custom IAM policy that grants the Security Hub Get*, List*, Batch*, and Describe* permissions on the arn:aws:securityhub:us-west-2::product/aws/inspector/* resource. Attach the policy to the Lambda function's execution role.
C. Grant the Lambda function's execution role read-only permissions to access Amazon Inspector and Security Hub.
Explanation: The Lambda function requires read-only permissions to access data from Amazon Inspector and Security Hub to generate the report. Granting the Lambda function's execution role these specific read-only permissions to both Amazon Inspector and Security Hub ensures least privilege access while allowing it to retrieve the necessary data for report creation.