Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 481:
A security engineer is configuring attribute-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principals already have access to Amazon S3.
The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a principal can still put objects into the S3 bucket when the tag values do not match.
Which combination of factors is causing the PutObject operation to succeed when the tag values are different? (Select TWO.)
A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.
B. The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.
C. The S3 bucket's resource policy does not deny access to put objects.
D. The S3 bucket's resource policy cannot allow actions to the principal.
E. The bucket policy does not apply to principals in the same zone of trust.
A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions. C. The S3 bucket's resource policy does not deny access to put objects.
When ABAC is used, the principal's identity-based policy and the S3 bucket's resource policy are both evaluated to determine the effective permissions. Within the same account, if either policy grants access to the principal, the action is allowed; if either policy explicitly denies access, the action is denied. To enforce the tag-based condition, therefore, neither policy may allow the action when the tag values do not match; in practice the bucket policy has to deny it explicitly. In this case the principal's identity-based policy grants access to put objects into the S3 bucket with no conditions (A), so it never checks the tag values. This unconditional allow takes precedence over the implicit deny that results when the bucket policy's condition is not met, because an explicit allow always takes precedence over an implicit deny. The S3 bucket's resource policy does not deny access to put objects (C), so it also does not enforce the tag check: a bucket policy can only allow or deny actions based on its own conditions, and it cannot override an allow in the identity-based policy. The combination of factors A and C is therefore what lets the PutObject operation succeed when the tag values are different.
References: Using ABAC with Amazon S3; Bucket policy examples.
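As an added illustration of the evaluation logic in this explanation (not code from the page or from AWS), the toy evaluator below models same-account policy evaluation and shows why the unconditional identity allow (factor A) lets a mismatched PutObject through, and why an explicit Deny in the bucket policy closes the gap. The condition keys s3:RequestObjectTag/Team and aws:PrincipalTag/Team are real S3 and IAM keys; the policies and request contexts are constructed for the example.

```python
"""Toy model of same-account IAM policy evaluation (added example, not AWS code).
Rules: an explicit Deny in any applicable policy wins; otherwise an Allow in either
the identity-based policy or the bucket policy is enough within one account;
otherwise the request is implicitly denied. Only StringEquals/StringNotEquals
conditions and ${...} policy variables resolved from the request context are modelled."""
from fnmatch import fnmatch

def _resolve(value, ctx):
    # Policy variable such as ${aws:PrincipalTag/Team} -> value from the request context
    return ctx.get(value[2:-1]) if value.startswith("${") and value.endswith("}") else value

def _cond_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            got, want = ctx.get(key), _resolve(want, ctx)
            if (op == "StringEquals" and got != want) or (op == "StringNotEquals" and got == want):
                return False
    return True

def _applies(stmt, action, ctx):
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return any(fnmatch(action, a) for a in acts) and _cond_ok(stmt.get("Condition", {}), ctx)

def evaluate(action, ctx, *policies):
    """Return 'Allow' or 'Deny' for one action across all policies that apply in one account."""
    decision = "Deny"                       # implicit deny unless some statement allows
    for pol in policies:
        for stmt in pol["Statement"]:
            if _applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"           # explicit deny always wins
                decision = "Allow"
    return decision

# Constructed policies and request contexts for the Q481 scenario (not from the page).
IDENTITY_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "s3:*"}]}      # factor A
BUCKET_ABAC_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",  # factor C
    "Condition": {"StringEquals": {"s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"}}}]}
BUCKET_ABAC_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject",    # hardened
    "Condition": {"StringNotEquals": {"s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"}}}]}
MISMATCH = {"aws:PrincipalTag/Team": "red", "s3:RequestObjectTag/Team": "blue"}
MATCH = {"aws:PrincipalTag/Team": "red", "s3:RequestObjectTag/Team": "red"}

def put_object(bucket_policy, ctx):
    """Decision for PutObject when the unconditional identity allow is combined with bucket_policy."""
    return evaluate("s3:PutObject", ctx, IDENTITY_ALLOW_ALL, bucket_policy)

if __name__ == "__main__":
    print(put_object(BUCKET_ABAC_ALLOW, MISMATCH))  # Allow: identity allow bypasses the tag check
    print(put_object(BUCKET_ABAC_DENY, MISMATCH))   # Deny: explicit deny cannot be overridden
```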
Question 482:
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.
Which solution will meet these requirements?
A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys.
D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.
A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
Question 483:
You are trying to use Systems Manager to patch a set of EC2 instances. Some of the instances are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
A. Check to see if the right role has been assigned to the EC2 instances.
B. Check to see if the IAM user has the right permissions for EC2.
C. Ensure that the agent is running on the instances.
D. Check the instance status by using the Health API.
A. Check to see if the right role has been assigned to the EC2 instances. C. Ensure that the agent is running on the instances. D. Check the instance status by using the Health API.
To make sure the instances are configured properly, ensure the following:
1) You installed the latest version of the SSM Agent on your instance.
2) Your instance is configured with an AWS Identity and Access Management (IAM) role that enables the instance to communicate with the Systems Manager API.
3) You can use the Amazon EC2 Health API to quickly determine the following information about Amazon EC2 instances: the status of one or more instances, the last time the instance sent a heartbeat value, the version of the SSM Agent, the operating system, the version of the EC2Config service (Windows), and the status of the EC2Config service (Windows).
Option B is invalid because IAM users are not supposed to be directly granted permissions to EC2 instances.
For more information on troubleshooting AWS Systems Manager, please visit the following URL: https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
Question 484:
A company requires that IP packet data be inspected for invalid or malicious content.
Which of the following approaches achieve this requirement? (Choose two.)
A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
E. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance. B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
"EC2 instance IDS/IPS solutions offer key features to help protect your EC2 instances. This includes alerting administrators of malicious activity and policy violations, as well as identifying and taking action against attacks. You can use AWS services and third-party IDS/IPS solutions offered in AWS Marketplace to stay one step ahead of potential attackers." Flow logs, ELB access logs and CloudWatch Logs (C, D, E) carry metadata and log records, not packet payloads, so they cannot be used to inspect packet content.
Question 485:
A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.
How can a security engineer provide the access to meet these requirements?
A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.
C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
To give the three individuals with IAM user accounts access to the Amazon Linux 2 EC2 instances that share the same IAM instance profile, the most appropriate solution is to assign an IAM policy to the instance profile that allows the EC2 instances to be managed by AWS Systems Manager, grant the IAM user accounts permission to use Systems Manager, remove the SSH keys from the EC2 instances, and use Systems Manager Session Manager to select the EC2 instance and connect. Session Manager provides an interactive shell without any open inbound port or SSH key on the instance.
References: AWS Systems Manager Session Manager (AWS Systems Manager documentation); AWS Identity and Access Management; Amazon Elastic Compute Cloud; Amazon Linux 2.
Question 486:
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?
A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
C. Use AWS DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.
C. Use AWS DNS resolvers for all EC2 instances.
Question 487:
A company wants to receive automated email notifications when AWS access keys from developer AWS accounts are detected on code repository sites.
Which solution will provide the required email notifications?
A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS findings.
B. Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.
C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category. Configure email notifications by using Amazon Simple Notification Service (Amazon SNS).
D. Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console. Configure email notifications from the anomaly detection software.
A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS findings.
The way to receive automated email notifications when AWS access keys are detected on code repository sites is to combine Amazon EventBridge with Amazon GuardDuty findings. An EventBridge rule that matches GuardDuty findings, specifically the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS finding type, detects potential unauthorized use or exposure of AWS credentials. When such a finding is generated, EventBridge triggers an action that sends a notification through Amazon Simple Notification Service (Amazon SNS). With an SNS topic configured to deliver email, stakeholders are informed promptly. This approach uses AWS's native security and monitoring services to provide timely alerts with minimal operational overhead, so the company can respond quickly to potential exposure of AWS credentials.
Question 488:
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket. Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)
A. The CMK policy
B. The VPC endpoint policy
C. The S3 bucket policy
D. The S3 ACL
E. The IAM policy
A. The CMK policy C. The S3 bucket policy E. The IAM policy
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-s3/
Question 489:
A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.
Which steps should be taken to troubleshoot the issue? (Choose three.)
A. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
C. Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.
D. Confirm in the CloudTrail Console that each trail is active and healthy.
E. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.
B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs. D. Confirm in the CloudTrail Console that each trail is active and healthy. F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.
Question 490:
A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy.
An IAM role in the same account has an IAM policy that allows s3:List* and s3:Get* permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket, the role receives an access denied message.
Why does the IAM role not have access to the objects that are in the S3 bucket?
A. The IAM role does not have permission to use the KMS CreateKey operation.
B. The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.
C. The IAM role does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.
D. The ACL of the S3 objects does not allow read access for the objects when the objects are encrypted at rest.
C. The IAM role does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.
When server-side encryption with AWS KMS keys (SSE-KMS) is used, the requester must have both Amazon S3 permissions and AWS KMS permissions to access the objects. The Amazon S3 permissions cover the bucket and object operations, such as s3:ListBucket and s3:GetObject. The AWS KMS permissions cover the key operations, such as kms:GenerateDataKey (for uploads) and kms:Decrypt (for downloads). In this case the IAM role has the necessary Amazon S3 permissions but not the AWS KMS permission to use the customer managed key that encrypts the objects, so the IAM role receives an access denied message when it tries to read them.
Verified References: https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html ; https://repost.aws/knowledge-center/s3-access-denied-error-kms ; https://repost.aws/knowledge-center/cross-account-access-denied-error-s3