Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details

Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 491:
An international company has established a new business entity in South Korea. The company has also established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.
A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
B. Set the log retention for desired log groups to 7 years.
C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Correct answer: A, B, C

A is correct because it meets the requirement that no logging data is lost for each instance during scaling activities. By installing the CloudWatch agent on all the EC2 instances, the security engineer can collect and send system logs and application logs to CloudWatch Logs, a service that stores and monitors log data. The CloudWatch agent configuration file specifies which logs to forward and how often.

B is correct because it meets the requirement of keeping the logs for only the required period of 7 years. The log retention setting on each log group controls how long CloudWatch Logs retains log events before deleting them; the security engineer can choose the predefined 7-year retention period or use a custom value.

C is correct because it provides the permissions needed to forward logs to CloudWatch Logs. Attaching an IAM role to the launch configuration or launch template that the Auto Scaling groups use grants those permissions to every EC2 instance the groups launch. Configuring the role with the necessary permissions, such as cloudwatch:PutLogEvents and cloudwatch:CreateLogStream, allows the instances to send log data to CloudWatch Logs.
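As an added example (not from the page or from AWS), the pre-deployment check a security engineer would run on the pieces chosen in A, B and C: lint the CloudWatch agent's log configuration for the 7-year retention value and confirm that the instance role grants every action the agent needs. The configuration, policy, log group names and account id are constructed; the CloudWatch Logs IAM actions are named in the logs: namespace, and PutRetentionPolicy is required once the agent is asked to set retention.

```python
import json

# Retention periods (days) that CloudWatch Logs accepts; 2557 is the 7-year value.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                        545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}
SEVEN_YEARS = 2557

# Actions the agent needs on the instance role. CloudWatch Logs actions live in the
# "logs:" namespace; PutRetentionPolicy is needed once retention_in_days is set.
REQUIRED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogStreams", "logs:PutRetentionPolicy"}

# Constructed agent configuration (the logs section of amazon-cloudwatch-agent.json).
# The second entry deliberately carries the wrong retention so the linter has a finding.
AGENT_CONFIG = {"logs": {"logs_collected": {"files": {"collect_list": [
    {"file_path": "/var/log/messages", "log_group_name": "kr-workload/system",
     "log_stream_name": "{instance_id}", "retention_in_days": SEVEN_YEARS},
    {"file_path": "/var/log/app/app.log", "log_group_name": "kr-workload/application",
     "log_stream_name": "{instance_id}", "retention_in_days": 30},
]}}}}

# Constructed policy for the role on the launch template (account id is a placeholder).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:ap-northeast-2:111122223333:log-group:kr-workload/*"},
]}


def lint_agent_config(config, required_days=SEVEN_YEARS):
    """Return findings for collect_list entries whose group name is missing or whose
    retention is not a valid CloudWatch Logs value or differs from the policy."""
    findings = []
    for entry in config["logs"]["logs_collected"]["files"]["collect_list"]:
        path = entry.get("file_path", "<no file_path>")
        if not entry.get("log_group_name"):
            findings.append(f"{path}: log_group_name missing")
        days = entry.get("retention_in_days")
        if days not in VALID_RETENTION_DAYS:
            findings.append(f"{path}: retention_in_days {days!r} is not a valid value")
        elif days != required_days:
            findings.append(f"{path}: retention is {days} days, policy requires {required_days}")
    return findings


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required logs: actions that no Allow statement in the policy grants."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed.update([actions] if isinstance(actions, str) else actions)
    if "logs:*" in allowed or "*" in allowed:
        return set()
    return set(required) - allowed


if __name__ == "__main__":
    print(json.dumps({"config_findings": lint_agent_config(AGENT_CONFIG),
                      "missing_actions": sorted(missing_actions(ROLE_POLICY))}, indent=2))
```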
Question 492:
You are responsible for deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for this application meet PCI compliance. There is also a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil this requirement? Choose 2 answers from the options given below.
A. Amazon CloudWatch Logs
B. Amazon VPC Flow Logs
C. AWS Config
D. Amazon CloudTrail

Correct answer: A, D

The AWS documentation describes these services as follows. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. Option B is incorrect because VPC Flow Logs only capture network flows to instances in a VPC. Option C is incorrect because AWS Config only detects configuration changes. For more information on CloudTrail, see https://aws.amazon.com/cloudtrail.

You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Amazon Route 53, and other sources. You can then retrieve the associated log data from CloudWatch Logs. For more information on CloudWatch Logs, see http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html.
Question 493:
A company's data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.
On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company's data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.
Which action should a security engineer take to enforce this data retention policy?
A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
B. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.
C. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.
D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Correct answer: A

An S3 Lifecycle rule is the simplest and most effective way to enforce the data retention policy. According to the AWS documentation [1], "To manage your objects so that they are stored cost effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects. There are two types of actions: Transition actions and Expiration actions." The same documentation states that "Expiration actions define when objects expire. Amazon S3 deletes expired objects on your behalf." Therefore, by configuring an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days, the security engineer can ensure that the data is removed from the S3 bucket according to the company's policy.

The other options are incorrect:

B is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, because the Lambda function runs only when a new object is put into the S3 bucket. If no new objects arrive for a long period, the function does not run and the data is not deleted.

C is not optimal because it also requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, because the Lambda function runs only once a month. Data that passes the 45-day mark between runs is not deleted until the next month's run.

D is not sufficient to enforce the data retention policy, because it does not delete the data from the S3 bucket. It only moves the data to a less expensive storage class based on access patterns. According to the AWS documentation [2], "S3 Intelligent-Tiering optimizes storage costs by automatically moving data between two access tiers, frequent access and infrequent access, when access patterns change." This feature does not expire or delete the data after a certain period of time.
Question 494:
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use IAM principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK?
A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Correct answer: A

KMS grants provide a scalable and efficient way to manage access to AWS KMS customer managed keys, especially for cross-account access. Grants let you specify who can use the key and which operations they can perform on it without modifying the KMS key policy itself. Grants are flexible and can be created, modified, and revoked programmatically, making them ideal for situations where the vendor list changes frequently. This approach minimizes operational overhead while allowing the security engineer to dynamically control access to the KMS key as vendor requirements change.
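An added example (not the page's or AWS's code) of the "programmatically create and revoke grants" approach chosen in A: a weekly reconcile that diffs the current vendor principal list against the grants on the key and creates or revokes only the differences, so a vendor dropped from the list loses access and the key policy is never edited. The key ARN, principals and the FakeKms stand-in are constructed; the list_grants, create_grant and revoke_grant call shapes are boto3's KMS API, so a real boto3.client("kms") can be passed in their place.

```python
# Constructed key ARN; grants are scoped to the operations vendors actually need.
KEY_ID = "arn:aws:kms:ap-northeast-2:111122223333:key/EXAMPLE-KEY-ID"
VENDOR_OPERATIONS = ["Encrypt", "Decrypt", "GenerateDataKey"]


def list_grants(kms, key_id):
    """Map grantee principal -> grant id, following ListGrants pagination."""
    grants, kwargs = {}, {"KeyId": key_id}
    while True:
        resp = kms.list_grants(**kwargs)
        for g in resp["Grants"]:
            grants[g["GranteePrincipal"]] = g["GrantId"]
        if not resp.get("Truncated"):
            return grants
        kwargs["Marker"] = resp["NextMarker"]


def plan(desired_vendors, existing):
    """Return (principals to grant, grant ids to revoke) for this week's vendor list."""
    desired = set(desired_vendors)
    to_create = sorted(desired - set(existing))
    to_revoke = sorted(gid for p, gid in existing.items() if p not in desired)
    return to_create, to_revoke


def reconcile(kms, key_id, desired_vendors, operations=VENDOR_OPERATIONS):
    """Create grants for new vendors and revoke the grants of removed vendors."""
    to_create, to_revoke = plan(desired_vendors, list_grants(kms, key_id))
    for principal in to_create:
        kms.create_grant(KeyId=key_id, GranteePrincipal=principal, Operations=list(operations))
    for grant_id in to_revoke:
        kms.revoke_grant(KeyId=key_id, GrantId=grant_id)
    return to_create, to_revoke


class FakeKms:
    """Offline stand-in for boto3's KMS client; pages one grant at a time so the
    pagination loop above is exercised. Account ids are AWS documentation examples."""
    def __init__(self, principals):
        self.grants = {f"grant-{i}": p for i, p in enumerate(principals)}
        self.next_id = len(principals)

    def list_grants(self, KeyId, Marker=None):
        ids = sorted(self.grants)
        start = ids.index(Marker) if Marker else 0
        resp = {"Grants": [{"GrantId": ids[start], "GranteePrincipal": self.grants[ids[start]]}]
                if ids else [], "Truncated": start + 1 < len(ids)}
        if resp["Truncated"]:
            resp["NextMarker"] = ids[start + 1]
        return resp

    def create_grant(self, KeyId, GranteePrincipal, Operations):
        self.grants[f"grant-{self.next_id}"] = GranteePrincipal
        self.next_id += 1

    def revoke_grant(self, KeyId, GrantId):
        del self.grants[GrantId]


if __name__ == "__main__":
    kms = FakeKms(["arn:aws:iam::444455556666:role/vendor-a", "arn:aws:iam::777788889999:role/vendor-b"])
    print(reconcile(kms, KEY_ID, ["arn:aws:iam::777788889999:role/vendor-b",
                                  "arn:aws:iam::123456789012:role/vendor-c"]))
```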
Question 495:
You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git.
Which one of the following setups would give us the highest level of security?
Choose the correct answer from the options given below.
A. EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
B. EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
C. EC2 instances in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
D. EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Correct answer: D

The diagram below shows how a NAT instance works. To make EC2 instances as secure as possible, they need to be in a private subnet, like the database server shown below, with no EIP and all traffic routed via the NAT instance. Options A and B are invalid because the instances need to be in the private subnet. Option C is invalid because, since the instance needs to be in the private subnet, you should not attach an EIP to it. For more information on NAT instances, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html.
Question 496:
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)
A. Turn on AWS CloudTrail in each AWS account
B. Turn on CloudTrail in only the account that will be storing the logs
C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Correct answer: A, E
Question 497:
A security engineer is designing a cloud architecture to support an application. The application runs on Amazon EC2 instances and processes sensitive information, including credit card numbers.
The application will send the credit card numbers to a component that is running in an isolated environment. The component will encrypt, store, and decrypt the numbers.
The component then will issue tokens to replace the numbers in other parts of the application.
The component of the application that manages the tokenization process will be deployed on a separate set of EC2 instances. Other components of the application must not be able to store or access the credit card numbers.
Which solution will meet these requirements?
A. Use EC2 Dedicated Instances for the tokenization component of the application.
B. Place the EC2 instances that manage the tokenization process into a partition placement group.
C. Create a separate VPC. Deploy new EC2 instances into the separate VPC to support the data tokenization.
D. Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.

Correct answer: D

AWS Nitro Enclaves are isolated and hardened virtual machines that run on EC2 instances and provide a secure environment for processing sensitive data. Nitro Enclaves have no persistent storage, interactive access, or external networking, and they can only communicate with the parent instance through a secure local channel. Nitro Enclaves also support cryptographic attestation, which allows verifying the identity and integrity of the enclave and its code. Nitro Enclaves are ideal for implementing data protection solutions such as tokenization, encryption, and key management. Using Nitro Enclaves for the tokenization component of the application meets the requirements of isolating the sensitive data from other parts of the application, encrypting and storing the credit card numbers securely, and issuing tokens to replace the numbers. Other components of the application will not be able to access or store the credit card numbers, because they are only available within the enclave.
Question 498:
A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.
Which solution would be MOST secure and easy to maintain?
A. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
B. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
C. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
D. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.

Correct answer: D
Question 499:
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)
A. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
C. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
D. Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
E. Verify that the time zone on the application servers is in UTC.

Correct answer: A, B

EC2 Run Command can run scripts, install software, collect metrics and log files, manage patches, and more. Bringing the two services together, you can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.
Question 500:
Your CTO thinks your AWS account was hacked.
What is the only way to know for certain whether there was unauthorized access and what the intruders did, assuming they are very sophisticated AWS engineers doing everything they can to cover their tracks?
A. Use CloudTrail Log File Integrity Validation.
B. Use AWS Config SNS Subscriptions and process events in real time.
C. Use CloudTrail backed up to AWS S3 and Glacier.
D. Use AWS Config Timeline forensics.

Correct answer: A

The AWS documentation mentions the following. To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time. Options B, C and D are invalid because you need log file integrity validation for CloudTrail logs. For more information on CloudTrail log file validation, see http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html.
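An added example, not from the page or from AWS, showing what the integrity validation described above actually checks: a hash chain in which each digest records the SHA-256 of every delivered log file and the SHA-256 of the previous digest file, walked newest to oldest the way validate-logs does, so a rewritten log, a deleted log file, or a removed digest each produce a distinct finding. The sample log files and the reduced digest layout are constructed; real digests carry more metadata and are RSA-signed with the CloudTrail public key, which this offline check does not cover.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(log_files, previous_digest):
    """Build a minimal digest with the fields the check needs: a SHA-256 per delivered
    log file and the SHA-256 of the previous digest file (None for the first digest)."""
    digest = {
        "logFiles": [{"s3Object": name, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
                     for name, body in sorted(log_files.items())],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def validate_chain(digests, log_store):
    """Walk digests newest to oldest and report every modified or deleted log file
    and every break in the digest hash chain. An empty list means the chain held."""
    findings = []
    for i, raw in enumerate(digests):
        digest = json.loads(raw)
        for lf in digest["logFiles"]:
            body = log_store.get(lf["s3Object"])
            if body is None:
                findings.append(f"{lf['s3Object']}: log file deleted")
            elif sha256_hex(body) != lf["hashValue"]:
                findings.append(f"{lf['s3Object']}: log file modified")
        previous = digests[i + 1] if i + 1 < len(digests) else None
        expected = digest["previousDigestHashValue"]
        if (expected is None) != (previous is None):
            findings.append(f"digest {i}: chain break, previous digest missing or unexpected")
        elif previous is not None and sha256_hex(previous) != expected:
            findings.append(f"digest {i}: previous digest file modified")
    return findings


# Constructed sample: two hourly deliveries, each covered by its own digest.
HOUR1 = {"111122223333_CloudTrail_ap-northeast-2_20240101T0000Z_a.json.gz":
         b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"}}]}'}
HOUR2 = {"111122223333_CloudTrail_ap-northeast-2_20240101T0100Z_b.json.gz":
         b'{"Records":[{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com"}]}'}
DIGEST1 = make_digest(HOUR1, None)
DIGEST2 = make_digest(HOUR2, DIGEST1)
LOG_STORE = {**HOUR1, **HOUR2}


def demo():
    """Findings for the intact chain, for a store where the hour-2 log was rewritten
    to hide the StopLogging call, and for a chain whose older digest was removed."""
    intact = validate_chain([DIGEST2, DIGEST1], LOG_STORE)
    tampered = dict(LOG_STORE)
    tampered[next(iter(HOUR2))] = b'{"Records":[]}'
    rewritten = validate_chain([DIGEST2, DIGEST1], tampered)
    missing_digest = validate_chain([DIGEST2], LOG_STORE)
    return intact, rewritten, missing_digest


if __name__ == "__main__":
    for label, result in zip(("intact", "rewritten log", "missing digest"), demo()):
        print(label, result)
```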