SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 531:

    An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?

    A. Access the data through an Internet Gateway.
    B. Access the data through a VPN connection.
    C. Access the data through a NAT Gateway.
    D. Access the data through a VPC endpoint for Amazon S3.

  • Question 532:

    A company hosts an end-user application on AWS. Currently, the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer. The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.

    Which solution will meet this requirement with the LEAST operational effort?

    A. Use Amazon-issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.
    B. Import a third-party SSL certificate to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.
    C. Deploy AWS CloudHSM. Import a third-party certificate. Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate.
    D. Import a third-party certificate bundle to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.

  • Question 533:

    A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances.

    The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data. The solution must automatically apply to any new log groups that are created in the account in the future.

    Which solution will meet these requirements?

    A. Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask IAM permission.
    B. Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.
    C. Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.
    D. Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask IAM permission.

  • Question 534:

    A company has deployed AWS Control Tower and an organization in AWS Organizations to manage its AWS accounts. The company needs to implement the AWS Foundational Security Best Practices standard and must centrally log findings for the organization into one account.

    Which solution will meet these requirements?

    A. Deploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower management account. Enable Amazon GuardDuty. Enable the GuardDuty AWS Foundational Security Best Practices standard.
    B. Automatically deploy the AWS Foundational Security Best Practices standard by configuring a delegated administrator for Amazon GuardDuty from the AWS Control Tower audit account.
    C. Configure a delegated administrator for AWS Security Hub from the AWS Control Tower management account. Enable the Security Hub AWS Foundational Security Best Practices standard in the AWS Control Tower audit account.
    D. Deploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower log archive account. Enable AWS Security Hub. Enable the Security Hub AWS Foundational Security Best Practices standard.

  • Question 535:

    A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.

    What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

    A. AWS IAM groups
    B. AWS IAM users
    C. AWS IAM roles
    D. AWS IAM access keys

  • Question 536:

    Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company's S3 buckets. The engineer discovers that S3 configuration changes are being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed that the configuration is valid.

    Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

    A. Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.
    B. Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.
    C. Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user.
    D. Verify the security engineer's IAM user has an attached policy that allows all AWS Config actions.
    E. Assign the AWSConfigRole managed policy to the AWS Config role.

  • Question 537:

    A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud.

    Which solution will meet these requirements?

    A. Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
    B. Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
    C. Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.
    D. Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.

  • Question 538:

    A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.

    The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

    A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
    B. Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
    C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
    D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.
    E. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.
    F. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

  • Question 539:

    A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the entries below is required in the private subnet database security group DBSecGrp?

    A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
    B. Allow Inbound on port 3306 from source 20.0.0.0/16.
    C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
    D. Allow Outbound on port 80 for Destination NAT Instance IP.

  • Question 540:

    An application outputs logs to a text file. The logs must be continuously monitored for security incidents. Which design will meet the requirements with MINIMUM effort?

    A. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
    B. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
    C. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
    D. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
