Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 521:
A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition, it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below.
A. Enable bucket versioning and also enable CRR
B. Enable bucket versioning and enable Master Pays
C. For the bucket policy, add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
D. Enable the bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
Answer: A, C
Explanation: The AWS documentation mentions the following under "Adding a Bucket Policy to Require MFA". Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazon S3 resources. You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request. When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
Option B is invalid because just enabling bucket versioning will not guarantee replication of objects. Option D is invalid because such a condition must be set in the bucket policy, not in a bucket ACL. For more information on example bucket policies, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html Versioning together with Cross-Region Replication ensures that objects will be available in the destination region if the primary region fails. For more information on CRR, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html The correct answers are: Enable bucket versioning and also enable CRR; For the bucket policy, add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
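The deny-unless-MFA bucket policy described above, as an added example that is not part of the original page: it builds the policy for the examplebucket/taxdocuments case and evaluates its Null condition (and, going one step beyond the text, an optional NumericGreaterThan limit on the MFA age) against a request context. The 3600-second limit and the object keys are constructed values.

```python
"""Bucket policy that denies requests not authenticated with MFA, plus a small
evaluator for the two condition operators it uses. Added example, not the
page's own code; bucket/prefix follow the explanation above, the MFA age
limit (3600 s) and the sample object keys are constructed."""
import fnmatch
import json


def mfa_required_policy(bucket, prefix, max_age_seconds=None):
    """Deny every S3 action under bucket/prefix/ when aws:MultiFactorAuthAge
    is absent (credentials were not MFA-derived). Optionally also deny when
    the MFA-backed session is older than max_age_seconds."""
    resource = f"arn:aws:s3:::{bucket}/{prefix}/*"
    statements = [{
        "Sid": "DenyWithoutMfa",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": resource,
        # Null: "true" matches when the key is NOT present in the request
        "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
    }]
    if max_age_seconds is not None:
        statements.append({
            "Sid": "DenyStaleMfa",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": resource,
            "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": str(max_age_seconds)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _condition_matches(condition, ctx):
    """Evaluate Null and NumericGreaterThan clauses against a request context
    (dict of condition keys). Every clause must hold (AND semantics)."""
    for key, expected in condition.get("Null", {}).items():
        absent = key not in ctx
        if absent != (str(expected).lower() == "true"):
            return False
    for key, limit in condition.get("NumericGreaterThan", {}).items():
        # a missing key never satisfies a numeric comparison
        if key not in ctx or not float(ctx[key]) > float(limit):
            return False
    return True


def is_denied(policy, action, resource, ctx):
    """True if any Deny statement matches the action, resource and context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    policy = mfa_required_policy("examplebucket", "taxdocuments", max_age_seconds=3600)
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::examplebucket/taxdocuments/2023.pdf"
    for ctx in ({}, {"aws:MultiFactorAuthAge": "120"}, {"aws:MultiFactorAuthAge": "7200"}):
        print(ctx, "->", "denied" if is_denied(policy, "s3:GetObject", obj, ctx) else "allowed")
```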
Question 522:
A security engineer needs to configure monitoring and auditing for AWS Lambda.
Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)
A. Use AWS Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
B. Use AWS CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.
C. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
D. Use AWS Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
E. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.
Answer: A, B
Question 523:
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.
When the code is processed, the following error message appears: "An error occurred (AccessDenied) when calling the AssumeRole operation."
Which combination of steps should the security engineer take to resolve this error? (Select TWO.)
A. Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
B. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
C. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
E. Ensure that the sts:AssumeRole API call is being issued to the us-east-1 Region endpoint.
Answer: A, C
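Why options A and C are both needed, as an added example that is not part of the original page: a cross-account sts:AssumeRole succeeds only when the caller's identity policy allows it on the target role AND the target role's trust policy names the caller. The checker below models both halves and reports which side would produce the AccessDenied; the account ids 111111111111 and 222222222222 are constructed placeholders.

```python
"""Two-sided check for a cross-account sts:AssumeRole. Added example, not the
page's own code; role names come from the question, account ids are
constructed placeholders."""
import fnmatch

LAMBDA_AUDIT_ROLE = "arn:aws:iam::111111111111:role/LambdaAuditRole"
ACME_AUDIT_FACTORY_ROLE = "arn:aws:iam::222222222222:role/AcmeAuditFactoryRole"


def identity_policy_for_caller(target_role_arn):
    """Permissions policy attached to the calling role (option A)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def trust_policy_for_target(caller_arn):
    """Trust policy on the role being assumed (option C)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": caller_arn}, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def identity_policy_allows(policy, action, resource):
    """Explicit Deny wins; otherwise at least one Allow must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action) or not _any_match(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_allows(policy, caller_arn, action="sts:AssumeRole"):
    """The caller must be listed (or covered by a wildcard) as an AWS principal."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _any_match(stmt["Action"], action):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal if principal == "*" else principal.get("AWS", [])
        if _any_match(aws_principals, caller_arn):
            return True
    return False


def assume_role_outcome(caller_arn, target_arn, identity_policy, trust_policy):
    """'OK' when both sides allow; otherwise an AccessDenied string naming
    every missing half (a cross-account call needs both)."""
    problems = []
    if not identity_policy_allows(identity_policy, "sts:AssumeRole", target_arn):
        problems.append("caller's policy lacks sts:AssumeRole on " + target_arn)
    if not trust_policy_allows(trust_policy, caller_arn):
        problems.append("target's trust policy does not trust " + caller_arn)
    return "OK" if not problems else "AccessDenied: " + "; ".join(problems)


if __name__ == "__main__":
    ident = identity_policy_for_caller(ACME_AUDIT_FACTORY_ROLE)
    trust = trust_policy_for_target(LAMBDA_AUDIT_ROLE)
    print(assume_role_outcome(LAMBDA_AUDIT_ROLE, ACME_AUDIT_FACTORY_ROLE, ident, trust))
    print(assume_role_outcome(LAMBDA_AUDIT_ROLE, ACME_AUDIT_FACTORY_ROLE,
                              {"Version": "2012-10-17", "Statement": []}, trust))
```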
Question 524:
A company wishes to enable single sign-on (SSO) so its employees can log in to the management console using their corporate directory identity. Which of the steps below are required as part of the process? Select 2 answers from the options given below.
A. Create a Direct Connect connection between the on-premises network and AWS. Use an AD Connector for connecting AWS with the on-premises Active Directory.
B. Create IAM policies that can be mapped to group memberships in the corporate directory.
C. Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
D. Create IAM users that can be mapped to the employees' corporate identities.
E. Create an IAM role that establishes a trust relationship between AWS and the corporate directory identity provider (IdP).
Answer: A, E
Explanation: Create a Direct Connect connection so that corporate users can access the AWS account. Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory; it is IAM roles that are mapped. Option C is incorrect because a Lambda function is not the mechanism for assigning roles. Option D is incorrect because IAM users are not directly mapped to employees' corporate identities. For more information on Direct Connect, please refer to the URL below: https://aws.amazon.com/directconnect/
From the AWS documentation, for federated access you also need to ensure the right policy permissions are in place ("Configure permissions in AWS for your federated users"): the next step is to create an IAM role that establishes a trust relationship between AWS and your organization's IdP, identifying your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated by your organization's IdP are allowed to do in AWS. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console.
The trust policy for the role might look like this:
For more information on SAML federation, please refer to the URL below: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli
Note: What directories can I use with AWS SSO? You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more. To connect to your on-premises directory with AD Connector, you need a VPC set up with the following:
At least two subnets. Each of the subnets must be in a different Availability Zone.
The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct Connect.
The VPC must have default hardware tenancy.
https://aws.amazon.com/single-sign-on/
https://aws.amazon.com/single-sign-on/faqs/
https://aws.amazon.com/bloj using-corporate-credentials/
https://docs.aws.amazon.com/directoryservice/latest/admin-
The correct answers are: Create a Direct Connect connection between the on-premises network and AWS. Use an AD Connector for connecting AWS with the on-premises Active Directory; Create an IAM role that establishes a trust relationship between AWS and the corporate directory identity provider (IdP).
Question 525:
A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music.
The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk.
A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an RPO of 1 hour.
Which solution will meet these requirements?
A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.
B. Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.
C. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.
D. Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.
Answer: A
Explanation: The correct answer is A because it meets the RPO of 1 hour by creating backups of the EC2 instances and S3 buckets every hour. It also uses AWS CloudFormation templates to replicate the existing architecture components and AWS CodeCommit to store the templates and the application configuration code. This way, the security engineer can quickly restore the environment in case of a ransomware attack. The other options are incorrect because they do not meet the RPO of 1 hour or they do not provide a complete disaster recovery solution. Option B only creates backups of the EBS volumes and S3 objects every day, which is not frequent enough to meet the RPO. Option C does not create any backups of the EC2 instances or the S3 buckets, which are essential for the frontend services. Option D only creates EBS snapshots every 4 hours, which is also not frequent enough to meet the RPO. Additionally, option D relies on Amazon GuardDuty to detect and respond to ransomware attacks, which may not be effective if the attacker bypasses the preventive and detective controls. Reference: AWS Backup, AWS CloudFormation, AWS CodeCommit
Question 526:
An EC2 instance hosts a Java-based application that accesses a DynamoDB table. This EC2 instance is currently serving production users. Which of the following is a secure way of ensuring that the EC2 instance can access the DynamoDB table?
A. Use IAM roles with permissions to interact with DynamoDB and assign one to the EC2 instance
B. Use KMS keys with the right permissions to interact with DynamoDB and assign them to the EC2 instance
C. Use IAM access keys with the right permissions to interact with DynamoDB and assign them to the EC2 instance
D. Use IAM access groups with the right permissions to interact with DynamoDB and assign them to the EC2 instance
Answer: A
Explanation: To ensure secure access to AWS resources from EC2 instances, always assign a role to the EC2 instance. Option B is invalid because KMS keys are not a mechanism for giving EC2 instances access to AWS services. Option C is invalid because access keys are not a safe mechanism for giving EC2 instances access to AWS services. Option D is invalid because there is no way access groups can be assigned to EC2 instances. For more information on IAM roles, please refer to the URL below: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html The correct answer is: Use IAM roles with permissions to interact with DynamoDB and assign one to the EC2 instance
Question 527:
A company wants to have a secure way of generating, storing and managing cryptographic keys, with exclusive access to the keys. Which of the following can be used for this purpose?
A. Use KMS and the normal KMS encryption keys
B. Use KMS and use external key material
C. Use S3 server-side encryption
D. Use CloudHSM
Answer: D
Explanation: The AWS documentation mentions the following: The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you. Options A, B and C are invalid because in all of these cases the management of the key will be with AWS. The question specifically asks for exclusive access to the keys, which can be achieved with CloudHSM. For more information on CloudHSM, please visit the following URL: https://aws.amazon.com/cloudhsm/faqs/ The correct answer is: Use CloudHSM
Question 528:
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A security engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?
A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
D. Block user access to the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Answer: B
Question 529:
A security engineer has been tasked with implementing a solution that allows the company's development team to have interactive command line access to Amazon EC2 Linux instances using the AWS Management Console.
Which steps should the security engineer take to satisfy this requirement while maintaining least privilege?
A. Enable AWS Systems Manager in the AWS Management Console and configure it for access to EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to Systems Manager Session Manager and attach them to the team's IAM users.
B. Enable console SSH access in the EC2 console. Configure IAM user policies to allow development team access to AWS Systems Manager Session Manager and attach them to the development team's IAM users.
C. Enable AWS Systems Manager in the AWS Management Console and configure it to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure a security group that allows SSH port 22 from all published IP addresses. Configure IAM user policies to allow development team access to AWS Systems Manager Session Manager and attach them to the team's IAM users.
D. Enable AWS Systems Manager in the AWS Management Console and configure it to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM policies to allow development team access to the EC2 console and attach them to the team's IAM users.
Answer: A
Question 530:
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.
A security engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the security team must be notified quickly.
Which combination of actions would build the required solution? (Choose three.)
A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
B. Enable Amazon GuardDuty in the security account, and join the production accounts as members.
C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the security team.
F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.
Answer: D, E, F