Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 541:
A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets. Which solution will meet these requirements?
A. Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
B. Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
C. Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.
D. Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.
Correct answer: B. Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule. The s3-bucket-ssl-requests-only managed rule reports a bucket as NON_COMPLIANT when its bucket policy does not explicitly deny requests whose aws:SecureTransport value is false. A hybrid trigger evaluates on configuration change (new buckets and policy edits) and on a schedule (existing buckets), and the automatic remediation runbook applies the deny policy, so both existing and future buckets are covered without custom code. Amazon Inspector (C) does not evaluate bucket policies, and CloudTrail (D) records API calls but has no mechanism to invoke a Lambda function directly.
Question 542:
A company deploys its application as a service on an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type. A security engineer suspects that some incoming requests are malicious. The security engineer needs to inspect the running container by retrieving log files and memory dump files.
Which solution will meet these requirements with the LEAST operational effort?
A. Migrate the application to an ECS cluster with the Amazon EC2 launch type. Configure the EC2 instances with proper remote access. Log in and inspect the container.
B. Update the application to dump the required data to STDOUT. Use the awslogs log driver to pass the logs to Amazon CloudWatch Logs. Examine the log files in CloudWatch Logs.
C. Turn on Amazon CloudWatch Container Insights for the ECS cluster. Send the log data to Amazon CloudWatch Logs by using AWS Distro for OpenTelemetry. Examine the log data in CloudWatch Logs.
D. Update the ECS task role with AWS Systems Manager permissions. Enable the ECS Exec feature for the ECS service. Use ECS Exec to inspect the container.
Correct answer: D. Update the ECS task role with AWS Systems Manager permissions. Enable the ECS Exec feature for the ECS service. Use ECS Exec to inspect the container. ECS Exec opens an interactive shell in the running Fargate container through Systems Manager Session Manager, so the engineer can collect log files and memory dumps in place. The task role needs the ssmmessages permissions that Session Manager uses, and ECS Exec must be enabled on the service. Options B and C only capture what the application itself writes to its logs, and Option A requires migrating the workload, which is far more operational effort.
Question 543:
A company has a batch-processing system that uses Amazon S3, Amazon EC2, and AWS Key Management Service (AWS KMS). The system uses two AWS accounts: Account A and Account B.
Account A hosts an S3 bucket that stores the objects that will be processed. The S3 bucket also stores the results of the processing. All the S3 bucket objects are encrypted by a KMS key that is managed in Account A.
Account B hosts a VPC that has a fleet of EC2 instances that access the S3 bucket in Account A by using statements in the bucket policy. The VPC was created with DNS hostnames enabled and DNS resolution enabled.
A security engineer needs to update the design of the system without changing any of the system's code. No AWS API calls from the batch-processing EC2 instances can travel over the internet.
Which combination of steps will meet these requirements? (Select TWO.)
A. In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.
B. In the Account B VPC, create an interface VPC endpoint for Amazon S3. For the interface VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.
C. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned on for the endpoint.
D. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned off for the endpoint.
E. In the Account B VPC, verify that the S3 bucket policy allows the s3:PutObjectAcl action for cross-account use. In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, and s3:PutObject actions for the S3 bucket.
Correct answer: B and C. B. In the Account B VPC, create an interface VPC endpoint for Amazon S3. For the interface VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket. C. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned on for the endpoint. Private DNS is what satisfies the "no code changes" requirement for KMS: with it turned on, the default regional endpoint name (kms.<region>.amazonaws.com) resolves inside the VPC to the interface endpoint, so the existing SDK configuration keeps working; with private DNS turned off (D) the code would have to be changed to call the endpoint-specific DNS name.
Question 544:
Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes must be encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?
A. Use Amazon Inspector to inspect all the EBS volumes
B. Use AWS Config to check for unencrypted EBS volumes
C. Use Amazon GuardDuty to check for the unencrypted EBS volumes
D. Use AWS Lambda to check for the unencrypted EBS volumes
Correct answer: B. Use AWS Config to check for unencrypted EBS volumes. The encrypted-volumes managed rule for AWS Config checks whether EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption by using the kmsId parameter, the rule checks whether the attached EBS volumes are encrypted with that KMS key. Options A and C are incorrect because Amazon Inspector and Amazon GuardDuty do not check EBS volume encryption. Option D is incorrect because, although a Lambda function could be written to do this, building the inventory, evaluation and notification with Lambda alone is far more work than using the managed rule. For more information on AWS Config and encrypted volumes, see https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html
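To see what the encrypted-volumes rule actually decides per volume, here is a local re-implementation of its logic as an added example (not code from this page or from AWS). The volume records are constructed in the shape of `aws ec2 describe-volumes` output; the volume IDs and key ARNs are placeholders, and `kms_id` plays the role of the rule's kmsId parameter.

```python
"""Local re-implementation of the logic behind the AWS Config managed rule
encrypted-volumes. Added example, not code from the original page or from AWS.
Records are constructed in the shape of `aws ec2 describe-volumes` output; to
run it against an account, replace SAMPLE_VOLUMES with the real response.
"""

# Constructed sample data. Only vol-0b2 and (when a kmsId is enforced) vol-0d4
# should be flagged; vol-0c3 is unattached and therefore outside the rule's scope.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaabbbb-cccc-dddd-eeee-ffff00001111"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "State": "in-use", "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"VolumeId": "vol-0b2", "State": "in-use", "Encrypted": False},
    {"VolumeId": "vol-0c3", "State": "available", "Encrypted": False},
    {"VolumeId": "vol-0d4", "State": "in-use", "Encrypted": True, "KmsKeyId": OTHER_KEY},
]


def _key_matches(volume_key_arn, kms_id):
    """Accept the kmsId parameter as either a bare key ID or a full key ARN."""
    return volume_key_arn == kms_id or volume_key_arn.endswith("/" + kms_id)


def evaluate_volume(volume, kms_id=None):
    """Return the Config compliance type for one volume.

    Mirrors the managed rule: only attached (in-use) volumes are evaluated;
    they are NON_COMPLIANT when unencrypted or, if kms_id is given, when
    encrypted with a different key.
    """
    if volume.get("State") != "in-use":
        return "NOT_APPLICABLE"
    if not volume.get("Encrypted", False):
        return "NON_COMPLIANT"
    if kms_id and not _key_matches(volume.get("KmsKeyId", ""), kms_id):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_fleet(volumes, kms_id=None):
    """Evaluations in the shape a custom Config rule's Lambda would hand to PutEvaluations."""
    return [
        {
            "ComplianceResourceType": "AWS::EC2::Volume",
            "ComplianceResourceId": v["VolumeId"],
            "ComplianceType": evaluate_volume(v, kms_id),
        }
        for v in volumes
    ]


def non_compliant_ids(volumes, kms_id=None):
    """The list an operator actually wants in the notification."""
    return [e["ComplianceResourceId"] for e in evaluate_fleet(volumes, kms_id)
            if e["ComplianceType"] == "NON_COMPLIANT"]


def notification_message(volumes, kms_id=None):
    """Plain-text body for an SNS email subscription; empty string when there is nothing to report."""
    ids = non_compliant_ids(volumes, kms_id)
    if not ids:
        return ""
    scope = f" with key {kms_id}" if kms_id else ""
    return "Attached EBS volumes not encrypted" + scope + ":\n" + "\n".join(f" - {i}" for i in ids)


if __name__ == "__main__":
    print(notification_message(SAMPLE_VOLUMES) or "all attached volumes encrypted")
    print(notification_message(SAMPLE_VOLUMES, kms_id="1234abcd-12ab-34cd-56ef-1234567890ab"))
```

Two practical points follow from the code. The managed rule evaluates only attached volumes, so an unencrypted volume that is detached comes back NOT_APPLICABLE rather than NON_COMPLIANT; a separate inventory of "available" volumes closes that gap. And for the notification itself, AWS Config publishes compliance change events to Amazon EventBridge, so an EventBridge rule forwarding those events to an SNS topic reaches the IT admin staff without any polling.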
Question 545:
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?
A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
C. Add a rule to all of the VPC Security Groups to deny access from the IP address block.
D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.
Correct answer: B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block. A network ACL acts as a stateless firewall at the subnet level of the VPC and supports explicit Deny rules, so the offending IP address block can be dropped at the subnet boundary before it reaches any instance. Network ACL rules are evaluated in ascending rule-number order and the first matching rule wins, so the Deny rule for the block must have a lower number than any Allow rule that would otherwise admit traffic from those addresses; removing the rule after 24 hours restores the previous behaviour. Option C is invalid because security groups only have Allow rules and cannot deny a specific source. Options A and D are invalid because they require changing every host or AMI, only cover Windows instances, and do not stop the traffic from entering the subnet.
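The rule-ordering point above is easy to get wrong, so here is an added example (not code from this page or from AWS) that evaluates a constructed inbound network ACL the way the VPC does: lowest rule number first, first match wins, implicit "*" deny at the end. The subnet rules are made up, and 198.51.100.0/24 stands in for the offending block.

```python
"""Network ACL first-match evaluation, added here to show why rule numbering
decides whether a temporary block works. Not code from the original page or
from AWS. Rules are evaluated in ascending rule number, the first match wins,
and the implicit "*" rule denies whatever nothing else matched.
"""
import ipaddress

# Each rule: rule number, action, source CIDR, inclusive destination port range.
# Constructed to resemble a typical public-subnet inbound NACL.
PUBLIC_SUBNET_INBOUND = [
    {"number": 100, "action": "allow", "cidr": "0.0.0.0/0", "ports": (443, 443)},
    {"number": 110, "action": "allow", "cidr": "0.0.0.0/0", "ports": (1024, 65535)},  # ephemeral ports, return traffic
]
SCANNER_PREFIX = "198.51.100.0/24"  # constructed: the block the port scans come from

DEFAULT_DENY = {"number": float("inf"), "action": "deny", "cidr": "0.0.0.0/0", "ports": (0, 65535)}


def evaluate_inbound(rules, src_ip, dst_port):
    """Return 'allow' or 'deny' from the lowest-numbered rule matching the packet."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["number"]) + [DEFAULT_DENY]:
        low, high = rule["ports"]
        if ip in ipaddress.ip_network(rule["cidr"], strict=False) and low <= dst_port <= high:
            return rule["action"]
    return "deny"  # not reachable: DEFAULT_DENY matches everything


def add_deny_rules(rules, prefixes, start=10):
    """Return a copy of `rules` with one all-ports Deny per prefix, numbered upward from `start`.

    Numbers already in use are skipped. Whether the block is effective depends on
    `start` being lower than every Allow that would also match the prefix, which
    is exactly what deny_is_effective() checks.
    """
    used = {r["number"] for r in rules}
    result = list(rules)
    number = start
    for cidr in prefixes:
        while number in used:
            number += 1
        result.append({"number": number, "action": "deny", "cidr": cidr, "ports": (0, 65535)})
        used.add(number)
    return result


def deny_is_effective(rules, prefix, probe_port=443):
    """True when a packet from the first host of `prefix` to `probe_port` is denied."""
    probe = str(next(ipaddress.ip_network(prefix, strict=False).hosts()))
    return evaluate_inbound(rules, probe, probe_port) == "deny"


def demo():
    """Before the block, a correctly numbered block, and a block numbered after the Allows."""
    good = add_deny_rules(PUBLIC_SUBNET_INBOUND, [SCANNER_PREFIX], start=10)
    late = add_deny_rules(PUBLIC_SUBNET_INBOUND, [SCANNER_PREFIX], start=200)
    return {
        "before": evaluate_inbound(PUBLIC_SUBNET_INBOUND, "198.51.100.9", 443),
        "blocked": evaluate_inbound(good, "198.51.100.9", 443),
        "still_allowed_elsewhere": evaluate_inbound(good, "203.0.113.5", 443),
        "good_numbering": deny_is_effective(good, SCANNER_PREFIX),
        "bad_numbering": deny_is_effective(late, SCANNER_PREFIX),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The "bad_numbering" case is the mistake the explanation warns about: a Deny numbered 200 sits behind the Allow at 100, so the scanner's HTTPS probes are still admitted. Two further caveats for the real thing: a network ACL has a default quota of 20 inbound and 20 outbound rules, so aggregate the offending addresses into prefixes rather than adding one /32 per host, and schedule removal of the Deny entries after the 24 hours so the temporary block does not quietly become permanent.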
Question 546:
A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.
A security engineer must implement a solution to prevent CloudTrail from being disabled.
Which solution will meet this requirement?
A. Enable CloudTrail log file integrity validation from the organization's management account.
B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.
D. Create IAM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.
Correct answer: C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU. Service control policies (SCPs) in AWS Organizations set permission guardrails for the accounts in an organization. By creating an SCP with an explicit Deny for the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions, the security engineer ensures that no principal in the organization, regardless of its own IAM permissions, can stop or delete the trail. Attaching the SCP to the root OU applies the restriction to every account, which prevents CloudTrail from being disabled. Integrity validation (A) only detects tampering with log files that were already written, SSE-KMS (B) protects the confidentiality of the logs but not the trail itself, and Option D blocks read-only actions that do not disable logging.
Question 547:
An organization has set up multiple IAM users. The organization wants each IAM user to access the AWS Management Console only from within the organization's network and not from outside. How can it achieve this?
A. Create an IAM policy with the security group and use that security group for console login
B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
C. Configure the EC2 instance security group which allows traffic only from the organization's IP range
D. Create an IAM policy with VPC and allow a secure gateway between the organization and the console
Correct answer: B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization. A Deny statement whose condition uses the NotIpAddress operator on the aws:SourceIp key blocks every action the user attempts, in the console or through the API, unless the request comes from the organization's address ranges, and an explicit Deny overrides any Allow in the user's other policies. Option A is invalid because a security group cannot be referenced in an IAM policy. Option C is invalid because security groups control network traffic to EC2 instances, not access to the AWS Management Console. Option D is invalid because IAM policies have no such VPC gateway option. For more information on IAM policy conditions, see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-two-condition
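The correct answers to Q541, Q546 and Q547 all hinge on an explicit Deny with a condition, so the following added example (not code from this page or from AWS) writes each of the three policies as a Python dict and evaluates sample requests against it with a toy policy evaluator. The bucket name, the trail ARN and the corporate prefix 203.0.113.0/24 are placeholders.

```python
"""Toy IAM policy evaluator for the policies in Q541, Q546 and Q547.

Added example, not code from the original page or from AWS. It supports only
Action/Resource wildcards, the Bool, IpAddress and NotIpAddress operators, and
the rule that an explicit Deny beats any Allow. One real IAM detail is kept: a
negated operator (NotIpAddress) matches when its key is absent from the request
context, so a bare NotIpAddress deny also hits calls AWS services make on your
behalf, which carry no aws:SourceIp. Use the IAM policy simulator for real checks.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """True when every operator/key pair in a Condition block matches the request context."""
    for op, keys in condition.items():
        negated = op.startswith("Not")
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                if negated:
                    continue  # missing key satisfies a negated operator
                return False
            if op == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected))
                if in_range == negated:
                    return False
            else:
                raise NotImplementedError(f"operator {op} is outside this toy evaluator")
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action and resource under one policy."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins over every Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Q541: deny every non-TLS request. Both ARNs are needed: the bucket ARN covers
# bucket-level calls such as ListBucket, bucket/* covers object operations.
BUCKET = "arn:aws:s3:::example-bucket"  # assumption: hypothetical bucket name
TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Q546: SCP for the root OU. SCPs never grant anything; the explicit Deny caps every principal.
CLOUDTRAIL_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*"}]}

# Q547: deny use from outside the corporate range. aws:ViaAWSService is always in
# the request context, so the Bool clause exempts calls AWS makes on the user's behalf.
CORP_RANGE = "203.0.113.0/24"  # assumption: documentation prefix standing in for the office egress
CORP_IP_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_RANGE},
                  "Bool": {"aws:ViaAWSService": "false"}}}]}


def demo():
    """Evaluate representative requests; returning a dict keeps the outcomes easy to check."""
    obj = BUCKET + "/report.csv"
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"  # constructed
    direct = {"aws:ViaAWSService": "false"}
    return {
        "s3_plain_http": evaluate(TLS_ONLY_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        "s3_https": evaluate(TLS_ONLY_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "true"}),
        "stop_logging": evaluate(CLOUDTRAIL_GUARDRAIL_SCP, "cloudtrail:StopLogging", trail),
        "describe_trails": evaluate(CLOUDTRAIL_GUARDRAIL_SCP, "cloudtrail:DescribeTrails", trail),
        "office_ip": evaluate(CORP_IP_ONLY_POLICY, "iam:ListUsers", "*", {"aws:SourceIp": "203.0.113.40", **direct}),
        "home_ip": evaluate(CORP_IP_ONLY_POLICY, "iam:ListUsers", "*", {"aws:SourceIp": "198.51.100.7", **direct}),
        "service_on_behalf": evaluate(CORP_IP_ONLY_POLICY, "s3:GetObject", obj, {"aws:ViaAWSService": "true"}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Three things the results show that the answer text alone does not. For Q541, the Deny only applies to the bucket-and-objects pair listed in Resource, and it is this policy that the remediation runbook has to apply, because the s3-bucket-ssl-requests-only rule only reports compliance. For Q546, the SCP returns ImplicitDeny for DescribeTrails: SCPs cap what an account may do and grant nothing themselves. For Q547, the aws:ViaAWSService clause is the caveat practitioners hit in production: without it, services acting for the user (their requests carry no aws:SourceIp) would be denied too, because a negated operator matches when its key is missing.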
Question 548:
A security engineer wants to use Amazon Simple Notification Service (Amazon SNS) to send email alerts to a company's security team for Amazon GuardDuty findings that have a High severity level. The security engineer also wants to deliver these findings to a visualization tool for further examination.
Which solution will meet these requirements?
A. Set up GuardDuty to send notifications to an Amazon CloudWatch alarm with two targets in CloudWatch. From CloudWatch, stream the findings through Amazon Kinesis Data Streams into an Amazon OpenSearch Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings. Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for the CloudWatch alarm. Use event pattern matching with an Amazon EventBridge event rule to send only High severity findings in the alerts.
B. Set up GuardDuty to send notifications to AWS CloudTrail with two targets in CloudTrail. From CloudTrail, stream the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for CloudTrail. Use event pattern matching with a CloudTrail event rule to send only High severity findings in the alerts.
C. Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use event pattern matching with an EventBridge event rule to send only High severity findings in the alerts.
D. Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis Data Streams into an Amazon OpenSearch Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings. Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use event pattern matching with an EventBridge event rule to send only High severity findings in the alerts.
Correct answer: C. Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use event pattern matching with an EventBridge event rule to send only High severity findings in the alerts. GuardDuty publishes its findings to Amazon EventBridge, so an EventBridge rule whose event pattern filters on severity is the native way to select High findings and fan them out to several targets. Kinesis Data Firehose delivers directly into an OpenSearch Service domain, where OpenSearch Dashboards provides the visualization; Kinesis Data Streams (A, D) has no built-in OpenSearch delivery, CloudWatch alarms (A) act on metrics rather than findings, and CloudTrail (B) records API calls and does not route events to targets.
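The EventBridge rule in the correct answer is only as good as its event pattern, so here is an added example (not code from this page or from AWS) that implements the subset of EventBridge pattern matching the rule needs and tests a High-severity pattern against constructed findings offline. The finding skeletons carry only the fields the pattern inspects, and the finding type string is a placeholder.

```python
"""EventBridge event-pattern matching for the GuardDuty rule in Q548. Added
example, not code from the original page or from AWS. It implements the subset
of pattern syntax the rule needs (exact values, numeric ranges, nested objects)
so the pattern can be tested offline against constructed findings before it is
attached to the SNS topic and the Kinesis Data Firehose delivery stream.
"""
import operator

# High severity findings are 7.0 to 8.9; the two-bound numeric filter expresses that range.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7, "<", 9]}]},
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}


def _leaf_matches(rule, value):
    """Match one pattern element (a literal or a {"numeric": [...]} filter) against one event value."""
    if isinstance(rule, dict) and "numeric" in rule:
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        ops = rule["numeric"]
        return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(ops[0::2], ops[1::2]))
    if isinstance(rule, dict):
        raise NotImplementedError(f"pattern operator {list(rule)} is outside this example")
    return rule == value


def matches(pattern, event):
    """True when `event` satisfies every key of `pattern`; keys absent from the event never match."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):  # nested object: recurse
            if not isinstance(value, dict) or not matches(rule, value):
                return False
            continue
        candidates = value if isinstance(value, list) else [value]  # an array value matches if any element does
        if not any(_leaf_matches(r, v) for r in rule for v in candidates):
            return False
    return True


def _finding(severity, source="aws.guardduty", detail_type="GuardDuty Finding"):
    """Constructed event skeleton with the fields the rule inspects."""
    return {"source": source, "detail-type": detail_type, "region": "us-east-1",
            "detail": {"severity": severity, "type": "Recon:EC2/PortProbeUnprotectedPort"}}


def demo():
    return {
        "high": matches(HIGH_SEVERITY_PATTERN, _finding(8.0)),
        "medium": matches(HIGH_SEVERITY_PATTERN, _finding(4.5)),
        "low": matches(HIGH_SEVERITY_PATTERN, _finding(2)),
        "above_high": matches(HIGH_SEVERITY_PATTERN, _finding(9.5)),
        "other_source": matches(HIGH_SEVERITY_PATTERN, _finding(8.0, source="aws.securityhub")),
        "no_severity": matches(HIGH_SEVERITY_PATTERN, {"source": "aws.guardduty",
                                                       "detail-type": "GuardDuty Finding", "detail": {}}),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:13s} {'match' if hit else 'no match'}")
```

GuardDuty severity is numeric, and 7.0 to 8.9 is the High band, which is what the two-bound filter expresses; drop the upper bound if the team also wants anything more severe than High. The same pattern goes on the one rule regardless of target: the pattern does the filtering, and the SNS topic and the Firehose delivery stream are simply its two targets.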
Question 549:
A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.
Which solution will meet this requirement?
A. Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.
B. Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.
C. Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.
D. Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.
Correct answer: A. Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager. Amazon Inspector is a vulnerability management service that detects known software vulnerabilities and unintended network exposure on Amazon EC2 instances; it scans the instances continuously and reports findings with remediation guidance. AWS Systems Manager Patch Manager complements Amazon Inspector by automating the application of security patches and updates across the fleet. Together they cover both halves of the requirement, detection and mitigation. Option D is incorrect because GuardDuty Malware Protection scans EBS volumes for malware, not for software vulnerabilities, and Options B and C detect neither.
Question 550:
A company is planning to create an organization by using AWS Organizations. The company needs to integrate user management with the company's external identity provider (IdP). The company also needs to centrally manage access to all of its AWS accounts and applications from the organization's management account.
Which solution will meet these requirements?
A. Configure AWS Directory Service with the external IdP. Create IAM policies and associate them with users from the external IdP.
B. Enable AWS IAM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using IAM Identity Center.
C. Configure AWS Identity and Access Management (IAM) to use the external IdP as an IdP. Create IAM policies and associate them with users from the external IdP.
D. Enable Amazon Cognito in the organization's management account. Create an identity pool and associate it with the external IdP. Create IAM roles and associate them with the identity pool.
Correct answer: B. Enable AWS IAM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using IAM Identity Center. AWS IAM Identity Center (formerly AWS Single Sign-On) integrates with external identity providers (IdPs) for centralized user management across multiple AWS accounts. By configuring IAM Identity Center to use the external IdP as the identity source, the company can centrally manage user access and permissions through permission sets and account assignments from the management account, giving unified access management across all AWS accounts in the organization. This solution meets both requirements: integration with the external IdP and central management of access.
Nowadays, certification exams have become more and more important and are required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less effort? How to get an ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.