Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 431:
What is the result of the following bucket policy?
Choose the correct answer:
A. It will allow all access to the bucket mybucket
B. It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
C. It will deny all access to the bucket mybucket
D. None of these
C. It will deny all access to the bucket mybucket
Explanation: The policy consists of two statements: one allows the user mark access to the bucket, and the other denies access to all other users. The explicit deny overrides the allow, so no user has access to the bucket. Options A, B and D are invalid because this policy denies all access to the bucket mybucket. For examples of S3 bucket policies, refer to: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Question 432:
Your company currently has a set of EC2 instances hosted in a VPC. The IT Security department suspects a possible DDoS attack on the instances. What can you do to zero in on the IP addresses which are sending a flurry of requests?
A. Use VPC Flow Logs to get the IP addresses accessing the EC2 instances
B. Use AWS CloudTrail to get the IP addresses accessing the EC2 instances
C. Use AWS Config to get the IP addresses accessing the EC2 instances
D. Use AWS Trusted Advisor to get the IP addresses accessing the EC2 instances
A. Use VPC Flow Logs to get the IP addresses accessing the EC2 instances
Explanation: With VPC Flow Logs you can get the list of IP addresses which are hitting the instances in your VPC. You can then use the information in the logs to see which external IP addresses are sending a flurry of requests, which could be the potential source of a DDoS attack. Option B is incorrect: CloudTrail records AWS API calls for your account, whereas VPC Flow Logs log network traffic for VPCs, subnets, network interfaces, etc. As per AWS, VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC, whereas AWS CloudTrail is a service that captures API calls and delivers the log files to an Amazon S3 bucket that you specify. Option C is invalid because AWS Config is a configuration service and will not be able to get the IP addresses. Option D is invalid because Trusted Advisor is a recommendation service and will not be able to get the IP addresses. For more information on VPC Flow Logs, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
Question 433:
A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.
How should the company meet these requirements?
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
Question 434:
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events to an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.
The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received are showing zero. No logs are being received. What should the Security Engineer do to troubleshoot this issue?
A. Option A
B. Option B
C. Option C
D. Option D
D. Option D
Question 435:
A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account.
The company's developers have been using an IAM role in the account for the last 3 months.
A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.
Which solution will meet this requirement with the LEAST effort?
A. Implement AWS IAM Access Analyzer policy generation on the role.
B. Implement AWS IAM Access Analyzer policy validation on the role.
C. Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.
D. Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.
A. Implement AWS IAM Access Analyzer policy generation on the role.
Question 436:
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected. What is the MOST efficient way to meet these requirements?
A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
Explanation: https://aws.amazon.com/blogs/aws/cloudwatch-log-service/
Question 437:
A security engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the security engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?
A. The log files fail integrity validation and automatically are marked as unavailable.
B. The KMS key policy does not grant the security engineer's IAM user or role permissions to decrypt with it.
C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
D. An IAM policy applicable to the security engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
B. The KMS key policy does not grant the security engineer's IAM user or role permissions to decrypt with it.
Explanation: When AWS CloudTrail logs are encrypted using server-side encryption with KMS-managed keys (SSE-KMS), the security engineer's IAM user or role must have explicit permission in the KMS key policy to decrypt the logs. If the IAM user or role does not have the required decryption permissions, they will be unable to read the log files, even though the digest files are readable. This is the most likely cause of the issue.
Question 438:
A company has a customer master key (CMK) with imported key material. Company policy requires that all encryption keys must be rotated every year. What can be done to implement the above policy?
A. Enable automatic key rotation annually for the CMK.
B. Use the AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
C. Import new key material to the existing CMK and manually rotate the CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Explanation: https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs in custom key stores and CMKs with imported key material. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias. To update the target CMK of an alias, use the UpdateAlias operation in the AWS KMS API."
Question 439:
A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)
A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
B. Place the DB instance in a public subnet.
C. Place the DB instance in a private subnet.
D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
F. Deploy the ALB in a private subnet.
A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
C. Place the DB instance in a private subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
Question 440:
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.