Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 371:
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)
A. Create IAM roles with permissions corresponding to each Active Directory group.
B. Create IAM groups with permissions corresponding to each Active Directory group.
C. Configure Amazon Cloud Directory to support a SAML provider.
D. Configure Active Directory to add relying party trust between Active Directory and AWS.
E. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
A. Create IAM roles with permissions corresponding to each Active Directory group.
D. Configure Active Directory to add relying party trust between Active Directory and AWS.
Reference: https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/
Question 372:
A company is running its application on AWS. Malicious users exploited a recent promotion event and created many fake accounts. The application currently uses Amazon CloudFront in front of an Amazon API Gateway API. AWS Lambda functions serve the different API endpoints. The GET registration endpoint is behind the path of /store/registration. The URI for submission of the new account details is at /store/newaccount.
A security engineer needs to design a solution that prevents similar exploitations for future promotion events.
Which combination of steps will meet these requirements? (Choose two.)
A. Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.
B. Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration.
C. Specify /store/registration as the registration page path. Specify /store/newaccount as the account creation path.
D. Enable AWS Shield Advanced for the account that hosts the CloudFront distribution. Configure a DNS-specific custom mitigation that uses the Shield Response Team (SRT) for /store/newaccount.
E. Enable Amazon GuardDuty for the account that hosts the CloudFront distribution. Enable Lambda Protection for the Lambda functions that answer calls to /store/registration and /store/newaccount.
A. Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.
B. Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration.
Steps:
1) Create an AWS WAF Web ACL.
2) Add Managed Rules for Bot Protection.
3) Add a Rate-Based Rule.
4) Associate the Web ACL with CloudFront.
Advantages:
- Prevents Fraudulent Activity: Detects and mitigates bot activity.
- Scalable: Operates at the CloudFront level, ensuring global protection.
References: AWS WAF Managed Rules; Rate-Based Rules in WAF
Question 373:
One of your company's EC2 instances has been compromised. The company has strict policies requiring a thorough investigation to find the culprit for the security breach. What would you do in such a case, from the options given below?
A. Take a snapshot of the EBS volume
B. Isolate the machine from the network
C. Make sure that logs are stored securely for auditing and troubleshooting purposes
D. Ensure all passwords for all IAM users are changed
E. Ensure that all access keys are rotated
A. Take a snapshot of the EBS volume
B. Isolate the machine from the network
C. Make sure that logs are stored securely for auditing and troubleshooting purposes
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur to other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we already have logs, and we need to make sure that they are stored securely so that no unauthorised person can access or manipulate them.
Options D and E are invalid because they could have adverse effects on the other IAM users.
For more information on adopting a security framework, please refer to the URL below: https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note: In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purposes.
Question 374:
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections.
Which is the SIMPLEST change that would address this server issue?
A. Create an Amazon CloudFront distribution and configure the ALB as the origin
B. Block the malicious IPs with a network access control list (NACL)
C. Create an AWS Web Application Firewall (WAF) and attach it to the ALB
D. Map the application domain name to use Route 53
A. Create an Amazon CloudFront distribution and configure the ALB as the origin
Question 375:
Your current setup in AWS consists of the following architecture: 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup?
A. Consider moving the web server to a private subnet
B. Consider moving the database server to a private subnet
C. Consider moving both the web and database server to a private subnet
D. Consider creating a private subnet and adding a NAT instance to that subnet
B. Consider moving the database server to a private subnet
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet. The below diagram from the AWS Documentation shows how this can be set up.
Options A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users.
Option D is invalid because NAT instances should be present in the public subnet.
For more information on public and private subnets in AWS, please visit the following URL: com/AmazonVPC/latest/UserGuide/VPC Scenario2
The correct answer is: Consider moving the database server to a private subnet
Question 376:
You need to create a policy and apply it to just an individual user. How could you accomplish this in the right way?
A. Add an IAM managed policy for the user
B. Add a service policy for the user
C. Add an IAM role for the user
D. Add an inline policy for the user
D. Add an inline policy for the user
Options A and B are incorrect since you need to add an inline policy just for the user.
Option C is invalid because you don't assign an IAM role to a user.
The AWS Documentation mentions the following: An inline policy is a policy that's embedded in a principal entity (a user, group, or role)--that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.
For more information on IAM access and inline policies, just browse to the URL below: https://docs.aws.amazon.com/IAM/latest/UserGuide/access
The correct answer is: Add an inline policy for the user
Question 377:
A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.
What is the MOST scalable solution that meets these requirements?
A. Permissions boundaries in AWS Identity and Access Management (IAM)
B. S3 bucket policies
C. Tag policies
D. SCPs
D. SCPs Service Control Policies (SCPs) are policies that can be applied at the organization or organizational unit (OU) level within AWS Organizations. They allow the organization to enforce central control over the maximum available permissions for all accounts within the organization. SCPs can be used to explicitly deny actions such as deleting S3 buckets across all accounts, regardless of the IAM policies within individual accounts. This approach is scalable because it applies across the entire organization, ensuring that no users or roles in any account can delete S3 buckets if the SCP denies that action.
Question 378:
A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel. How can the Security Engineer protect this workload so that only employees can access it?
A. Add each employee's home IP address to the security group for the application so that only those users can access the workload.
B. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
D. Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.
C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
Explanation/Reference: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html
Question 379:
A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy."
What will enable the security engineer to save the change?
A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix
Question 380:
A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.
The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.
Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?
A. Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
B. Create an SCP that grants permissions to the top-level account.
C. Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
D. Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
A. Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
To allow an IAM user in one AWS account to access resources in another AWS account using IAM roles, the following steps are required:
1) Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role's trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.
2) Attach a policy to the IAM user in the trusted account that allows the user to assume the role in the trusting account. The policy must specify the ARN of the role that was created in the trusting account.
3) The IAM user can then switch roles or use temporary credentials to access the resources in the trusting account.
Verified References:
https://repost.aws/knowledge-center/cross-account-access-iam
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
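As an added example (not part of the question bank), the policy documents behind the answers to Questions 377 and 380 written out in Python with a toy evaluator: the SCP that denies s3:DeleteBucket organization-wide, and the role trust policy, role permission policy and user assume-role policy for cross-account CloudTrail log access. The account IDs, bucket name and role name are constructed placeholders, and the evaluator deliberately ignores Condition blocks.

```python
import fnmatch

TOP = "111111111111"   # top-level account that owns the log bucket (constructed)
BU = "222222222222"    # one business-unit account (constructed)
BUCKET = "arn:aws:s3:::org-cloudtrail-logs"                 # constructed name
ROLE_ARN = f"arn:aws:iam::{TOP}:role/bu-{BU}-log-reader"    # constructed name

# Q380, trusting account: the role's trust policy names the BU account.
ROLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{BU}:root"},
    "Action": "sts:AssumeRole"}]}

# Q380, trusting account: read-only access limited to the BU's own log prefix.
ROLE_PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": f"{BUCKET}/AWSLogs/{BU}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": [f"AWSLogs/{BU}/*"]}}}]}

# Q380, trusted account: the policy attached to the IAM user (answer A).
USER_ASSUME_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Q377: SCP with an explicit Deny, which no account-level Allow can override.
SCP_DENY_DELETE_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def _matches(pattern, value):
    """IAM-style wildcard match; pattern may be a string or a list."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Toy evaluation: an explicit Deny anywhere wins; otherwise one Allow must match."""
    allowed = False
    for doc in policies:
        for st in doc["Statement"]:
            if _matches(st["Action"], action) and _matches(st["Resource"], resource):
                if st["Effect"] == "Deny":
                    return False  # Deny in any policy (e.g. an SCP) short-circuits
                allowed = True
    return allowed


def trusts_account(trust_policy, account_id):
    """True if the trust policy lets principals of account_id assume the role."""
    return any(st["Effect"] == "Allow" and _matches(st["Action"], "sts:AssumeRole")
               and st["Principal"].get("AWS") == f"arn:aws:iam::{account_id}:root"
               for st in trust_policy["Statement"])
```

Both halves of the cross-account setup have to agree: the trust policy must name the BU account and the user's policy must name the role ARN, or the AssumeRole call fails before any S3 permission is evaluated.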