Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 471:
A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload.
The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team.
Which combination of solutions will meet these requirements? (Select TWO.)
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
B. Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
C. Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.
D. Create a local individual break glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break glass IAM users.
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.
Explanation: Option A is valid because it lets the security team access the workload AWS account and instances with a local IAM user that does not depend on SAML federation, and it logs and monitors the break glass user's activity with AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge [1][2][3]. Option E is valid because it lets the security team reach the workload instances without opening inbound ports or managing SSH keys or bastion hosts, and it logs and sends notifications about the break glass user's sessions with AWS CloudTrail, Session Manager, and Amazon SNS [4][5][6].
The other options are incorrect. B: a break glass EC2 key pair handed to the security team requires opening inbound ports on the instances and managing SSH keys, which increases security risk and complexity [7]. C: a break glass IAM role assumed through AssumeRoleWithSAML still depends on SAML federation, which might not work during SAML errors [8]. D: local break glass users at the operating system level of each workload instance, reached through unrestricted security groups, require opening inbound ports and managing multiple local users, which increases security risk and complexity [9].
References:
1: Creating an IAM User in Your AWS Account
2: Creating a Trail - AWS CloudTrail
3: Using Amazon EventBridge with AWS CloudTrail
4: Setting up Session Manager - AWS Systems Manager
5: Logging Session Manager sessions - AWS Systems Manager
6: Amazon Simple Notification Service
7: Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud
8: AssumeRoleWithSAML - AWS Security Token Service
9: IAM Users - AWS Identity and Access Management
Question 472:
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).
The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin.
During a security review, a security engineer discovers that the infrastructure is susceptible to a large layer 7 DDoS attack.
How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
Question 473:
A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user's IAM permissions in the case of a security incident. How can this be accomplished?
A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.
D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
Explanation/Reference: https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/
Question 474:
A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peaks, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time.
Which solution will meet these requirements?
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
Explanation: Which data sources does GuardDuty analyze? GuardDuty analyzes CloudTrail management event logs, CloudTrail S3 data event logs, VPC Flow Logs, DNS query logs, and Amazon EKS audit logs. GuardDuty can also scan EBS volume data for possible malware when GuardDuty Malware Protection is enabled, and it identifies suspicious behavior indicative of malicious software in EC2 instance or container workloads. The service is optimized to consume large data volumes for near real-time processing of security detections. GuardDuty gives you access to built-in detection techniques developed and optimized for the cloud, which are maintained and continuously improved upon by GuardDuty engineering.
Question 475:
A company hosts multiple externally facing applications, each isolated in its own AWS account. The company's Security team has enabled AWS WAF, AWS Config, and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail, AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.
How should the Security team accomplish this?
A. Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts.
B. Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.
C. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.
D. Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.
C. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.
Question 476:
A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.
A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can a Security Engineer securely set up the bastion host?
A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
B. Create an SSH port forwarding tunnel on the Developer's workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
C. Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
D. Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
Question 477:
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations.
Which of the following actions will address this requirement?
A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
Question 478:
A company runs workloads on Amazon EC2 instances in VPCs. The EC2 instances make requests to Amazon S3 buckets through VPC endpoints. The company uses AWS Organizations to manage its AWS accounts.
The company needs the requests from the EC2 instances to originate from the same VPC that the EC2 instance credentials were issued to.
Which solution will meet this requirement?
A. Deploy an SCP that includes the s3:* action with the "aws:SourceVpc": "${aws:Ec2InstanceSourceVpc}" condition.
B. Edit the VPC endpoints to include the s3:* action with the "aws:Ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}" condition.
C. Limit all actions in the S3 bucket policies by using the aws:SourceVpce condition key with the value of the allowed VPC endpoint.
D. Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value set to the allowed VPC ID.
D. Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value set to the allowed VPC ID.
Restrict Access Using S3 Bucket Policy
Example Bucket Policy
Advantages
Test and Validate
References: AWS S3 Bucket Policy Conditions; AWS Condition Keys for S3
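A bucket policy implementing option D, added here as an illustration (it is not the page's own example policy); the bucket name and VPC ID are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromAllowedVpc",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-workload-bucket",
        "arn:aws:s3:::example-workload-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Because StringNotEquals also matches when aws:SourceVpc is absent from the request context, this statement denies every request that does not arrive through a VPC endpoint, including console and CLI access from outside the VPC, so plan an administrative path before applying it. aws:SourceVpc is populated only for requests that traverse a VPC endpoint.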
Question 479:
A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead.
Which solution will meet this requirement?
A. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.
B. Create a table in Amazon Athena for AWS CloudTrail events. Query the table in Amazon Athena for CreateRole events.
C. Use AWS Config to look up the configuration timeline for the additional IAM roles and view the linked AWS CloudTrail event.
D. Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.
A. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.
Question 480:
A medical company recently completed an acquisition and inherited an existing AWS environment. The company has an upcoming audit and is concerned about the compliance posture of its acquisition.
The company must identify personal health information inside Amazon S3 buckets and must identify S3 buckets that are publicly accessible. The company needs to prepare for the audit by collecting evidence in the environment.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)
A. Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONAL_INFORMATION managed data identifier.
B. Use AWS Glue with the Detect PII transform to identify sensitive data and to mask the sensitive data.
C. Enable AWS Audit Manager. Create an assessment by using a supported framework.
D. Enable Amazon GuardDuty S3 Protection. Document any findings that are related to suspicious access of S3 buckets.
E. Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.
F. Enable AWS Config. Set up the s3-bucket-public-write-prohibited AWS Config managed rule.
A. Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONAL_INFORMATION managed data identifier.
E. Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.
F. Enable AWS Config. Set up the s3-bucket-public-write-prohibited AWS Config managed rule.
Explanation: Amazon Macie is designed to automatically discover and classify sensitive data, including personal health information (PHI), in Amazon S3. Running a sensitive data discovery job lets the company identify PHI with minimal operational overhead. AWS Security Hub integrates with other AWS security services and provides a comprehensive view of the security posture, including public access to S3 buckets; it helps identify potential compliance issues related to public access. AWS Config can monitor and enforce compliance rules, such as preventing public write access to S3 buckets, which helps identify publicly accessible S3 buckets and collect evidence for the audit. Together these steps let the company identify PHI, review the public accessibility of S3 buckets, and gather compliance evidence with minimal operational effort.