Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 511:
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so.
Which solution will meet these requirements?
A. Create a new customer managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change.
B. Create a new AWS managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change.
C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key.
D. Create a key alias. Create a new AWS managed key every time the security team requests a key change. Associate the alias with the new key.
Answer: C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key.
Customer managed keys provide full control over the key lifecycle, including the ability to rotate and change the key material. Key aliases abstract the underlying key from the application, so switching to a new key does not require changing application code. AWS owned keys and AWS managed keys do not give the customer the same control over rotation and key material as customer managed keys. By creating a key alias and pointing it at a new customer managed key each time the security team requests a key change, the encryption of new files uses fresh key material while the application keeps referring to the same alias.
Question 512:
You are working for a company and have been allocated the task of ensuring that there is a federated authentication mechanism set up between AWS and the company's on-premises Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
A. Ensure the right match is in place for on-premises AD Groups and IAM Roles.
B. Ensure the right match is in place for on-premises AD Groups and IAM Groups.
C. Configure AWS as the relying party in Active Directory.
D. Configure AWS as the relying party in Active Directory Federation Services.
Answer: A. Ensure the right match is in place for on-premises AD Groups and IAM Roles. D. Configure AWS as the relying party in Active Directory Federation Services.
The AWS documentation mentions some key aspects of configuring on-premises AD with AWS. The first is the group configuration in AD. Active Directory configuration: determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access are managed through regular expression (regex) matching between your on-premises AD group name and an AWS IAM role. One approach for creating AD groups that uniquely identify the AWS IAM role mapping is to select a common group naming convention. For example, your AD groups would start with an identifier such as AWS-, which distinguishes your AWS groups from others within the organization. Next, include the 12-digit AWS account number. Finally, add the matching role name within the AWS account. The second aspect is the configuration of the relying party, which is AWS. ADFS federation occurs with the participation of two parties: the identity or claims provider (in this case the owner of the identity repository, Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case AWS Security Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to IAM Groups. Option C is invalid because the relying party should be configured in Active Directory Federation Services. For more information on federated access, please visit the following URL: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
Question 513:
A company's on-premises data center forwards DNS logs to a third-party security information and event management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months.
Which solution meets the company's current and future logging requirements?
A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
B. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
C. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
D. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.
Answer: A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
Question 514:
A Systems Administrator has written the following Amazon S3 bucket policy, designed to allow access to an S3 bucket only for an authorized AWS IAM user from the IP address range 10.10.10.0/24:
When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message. What does the Administrator need to change to grant access to the user?
A. Change the "Resource" from "arn:aws:s3:::Bucket" to "arn:aws:s3:::Bucket/*".
B. Change the "Principal" from "*" to {"AWS": "arn:aws:iam::account-number:user/username"}.
C. Change the "Version" from "2012-10-17" to the last revised date of the policy.
D. Change the "Action" from ["s3:*"] to ["s3:GetObject", "s3:ListBucket"].
Answer: A. Change the "Resource" from "arn:aws:s3:::Bucket" to "arn:aws:s3:::Bucket/*".
Question 515:
A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from the corporate premises using IAM credentials. Because of the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer.
Which action will meet the program requirements while addressing security?
A. Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.
B. Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
C. Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if the request originates from the corporate premises.
D. Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.
Answer: B. Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
Question 516:
A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability.
Which solution will meet these requirements?
A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.
B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.
Answer: C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
Question 517:
A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI.
Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket.
What should the security engineer do to fix this issue with the LEAST amount of operational overhead?
A. Create a new CloudTrail trail. Select the new Regions where the company added resources.
B. Change the S3 bucket to receive notifications to track all actions from all Regions.
C. Create a new CloudTrail trail that applies to all Regions.
D. Change the existing CloudTrail trail so that it applies to all Regions.
Answer: D. Change the existing CloudTrail trail so that it applies to all Regions.
According to the AWS documentation, you can configure CloudTrail to deliver log files from multiple Regions to a single S3 bucket for a single account. To change an existing single-Region trail to log in all Regions, use the AWS CLI and add the --is-multi-region-trail option to the update-trail command. This ensures that you log global service events and capture all management event activity in your account. Option A is incorrect because creating a new CloudTrail trail for each Region will incur additional costs and increase operational overhead. Option B is incorrect because changing the S3 bucket to receive notifications will not affect the delivery of log files from other Regions. Option C is incorrect because creating a new CloudTrail trail that applies to all Regions will result in duplicate log files for the original Region and also incur additional costs.
Question 518:
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted on or reported by the Amazon CloudWatch Logs agent.
Why were there no alerts on the sudo commands?
A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs.
D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
Answer: B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
Question 519:
A company runs an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer needs to provide secure access to the application without requiring the use of a VPN. Users should be able to access the application only when they meet specific security conditions, including a defined device posture.
Which solution will meet these requirements?
A. Create an AWS WAF web ACL. Configure a custom response to block traffic that does not align with the defined device posture.
B. Configure AWS Verified Access. Add the application by creating an endpoint for the ALB.
C. Configure Amazon Verified Permissions. Use a policy-based access control (PBAC) policy to perform authorization.
D. Configure Amazon Verified Permissions. Add the application by creating an endpoint for the ALB.
Answer: B. Configure AWS Verified Access. Add the application by creating an endpoint for the ALB.
AWS Verified Access allows secure access to applications without requiring a VPN, using a zero-trust model to enforce security conditions, including device posture and identity verification. By configuring Verified Access and adding an endpoint for the Application Load Balancer (ALB), the security engineer can ensure that only users who meet specific security conditions can access the application. Verified Access is designed for this use case, providing access controls based on device posture and other conditions.
Question 520:
A company is planning to migrate its applications to AWS in a single AWS Region. The company's applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:
1. Data must be encrypted at rest.
2. Data must be encrypted in transit.
3. Endpoints must be monitored for anomalous network traffic.
Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Choose three.)
A. Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.
B. Enable Amazon GuardDuty in all AWS accounts.
C. Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.
D. Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.
E. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.
F. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.
Answer: B, D, F.
B. Enable Amazon GuardDuty in all AWS accounts: GuardDuty provides anomaly detection and monitors for suspicious activity on AWS resources, fulfilling the requirement for endpoint monitoring with minimal setup.
D. Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM: ACM provides and manages SSL/TLS certificates for encrypting data in transit through ELB load balancers. This ensures that data transmitted to and from the load balancers is encrypted, meeting the requirement for encryption in transit.
F. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption: KMS handles encryption at rest, and the S3 bucket policy enforces server-side encryption by denying PutObject requests that do not specify encryption. This meets the requirement for data encryption at rest.
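The bucket policy behind option F, as an added example that is not from the practice page or from AWS: the policy uses the real s3:x-amz-server-side-encryption condition key in two explicit Deny statements, one for a wrong algorithm and one for a missing header, and a small hypothetical evaluator (written here, not an AWS API) shows which sample PutObject requests the policy denies. The bucket name and the request headers are constructed.

```python
BUCKET = "example-bucket"  # constructed sample name, not from the page

# Two explicit Deny statements: one catches a wrong algorithm, the other
# catches uploads that omit the header entirely.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongEncryptionAlgorithm",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def condition_matches(condition, context):
    """Hypothetical mini-evaluator covering only the operators used above."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if operator == "Null":
                # Null "true" matches when the key is absent from the request.
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                # Only compares a present value; absent keys are left to Null.
                if actual is None or actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def put_object_allowed(headers):
    """False if any Deny statement matches this PutObject request's headers."""
    context = {"s3:x-amz-server-side-encryption": headers.get("x-amz-server-side-encryption")}
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] == "Deny" and condition_matches(stmt["Condition"], context):
            return False
    return True  # assumes an Allow is granted elsewhere (e.g. an identity policy)
```

Only a request that explicitly asks for aws:kms passes; a request with no header or with AES256 is denied, which is why both statements are needed.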