Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 551:
A company's information security team wants to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the analysis, the engineer needs to gather logs from all of the company's AWS accounts in a single place.
How should the security engineer go about doing this?
A. Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs into the Amazon S3 bucket in the destination account.
B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.
D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.
Explanation/Reference: Read the prerequisites in the question carefully. The solution must support "near real time" analysis of the log data. CloudWatch doesn't stream logs to S3; it supports exporting them to S3 with an expected delay of up to 12 hours: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html
"Log data can take up to 12 hours to become available for export. For near real-time analysis of log data, see Analyzing log data with CloudWatch Logs Insights or Real-time processing of log data with subscriptions instead."
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html
"You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an Amazon Kinesis stream, an Amazon Kinesis Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems. When log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip format."
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html
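The explanation quotes the one detail that trips up a first implementation of option D: every record a subscription delivers to Firehose is gzip-compressed JSON wrapped in Base64, and the stream also carries CONTROL_MESSAGE health checks that hold no customer data. The following is an added example, not code from the practice page or from AWS, showing the decoding a transformation step in the Security Engineer's account would perform. The payloads, account id and log lines are constructed; the field names follow the subscription record format (messageType, owner, logGroup, logStream, logEvents).

```python
import base64
import gzip
import json

# Constructed sample payloads in the shape CloudWatch Logs uses for subscription
# deliveries. Account id, log group names and messages are made-up values.
SAMPLE_DATA_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "111111111111",
    "logGroup": "/ec2/app-metrics",
    "logStream": "i-0abc123",
    "subscriptionFilters": ["ship-to-central"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": "cpu=91 net_out_mbps=420"},
        {"id": "2", "timestamp": 1700000060000, "message": "cpu=12 net_out_mbps=3"},
    ],
}
SAMPLE_CONTROL_PAYLOAD = {
    "messageType": "CONTROL_MESSAGE",
    "owner": "CloudwatchLogs",
    "logGroup": "",
    "logStream": "",
    "subscriptionFilters": [],
    "logEvents": [
        {"id": "", "timestamp": 1700000000000,
         "message": "CWL CONTROL MESSAGE: Checking health of destination Firehose."}
    ],
}


def encode_subscription_payload(payload: dict) -> str:
    """Apply the wire encoding the docs describe: JSON -> gzip -> Base64 (used here only
    to build test input; in production CloudWatch Logs does this step)."""
    raw = json.dumps(payload).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_subscription_record(data_b64: str) -> list[dict]:
    """Reverse that encoding and flatten one delivery into per-event rows.

    Control messages (sent when a subscription is created or its destination is
    health-checked) carry no customer log data and are dropped.
    """
    payload = json.loads(gzip.decompress(base64.b64decode(data_b64)))
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    return [
        {
            "owner": payload["owner"],      # source account id: keeps per-account provenance
            "logGroup": payload["logGroup"],
            "logStream": payload["logStream"],
            "timestamp": event["timestamp"],
            "message": event["message"],
        }
        for event in payload.get("logEvents", [])
    ]


def flatten_batch(records_b64: list[str]) -> list[dict]:
    """Decode a batch of Base64 records, as a Firehose transformation receives them."""
    rows = []
    for record in records_b64:
        rows.extend(decode_subscription_record(record))
    return rows


if __name__ == "__main__":
    batch = [encode_subscription_payload(SAMPLE_DATA_PAYLOAD),
             encode_subscription_payload(SAMPLE_CONTROL_PAYLOAD)]
    for row in flatten_batch(batch):
        print(json.dumps(row))
```

Keeping the `owner` field on every flattened row is what lets the anomaly-detection job later attribute a spike to the account it came from, which a plain concatenation of messages would lose.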
Question 552:
A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:
Users may access the website by using an Amazon CloudFront distribution. Users may not access the website directly by using an Amazon S3 URL.
Which configurations will support these requirements? (Choose two.)
A. Associate an origin access identity with the CloudFront distribution.
B. Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy.
C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.
A. Associate an origin access identity with the CloudFront distribution.
C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
Question 553:
A company is using AWS Organizations to implement a multi-account strategy. The company does not have on-premises infrastructure. All workloads run on AWS. The company currently has eight member accounts. The company anticipates that it will have no more than 20 AWS accounts total at any time.
The company issues a new security policy that contains the following requirements:
1. No AWS account should use a VPC within the AWS account for workloads.
2. The company should use a centrally managed VPC that all AWS accounts can access to launch workloads in subnets.
3. No AWS account should be able to modify another AWS account's application resources within the centrally managed VPC.
4. The centrally managed VPC should reside in an existing AWS account that is named Account-A within an organization.
The company uses an AWS CloudFormation template to create a VPC that contains multiple subnets in Account-A. This template exports the subnet IDs through the CloudFormation Outputs section.
Which solution will complete the security setup to meet these requirements?
A. Use a CloudFormation template in the member accounts to launch workloads. Configure the template to use the Fn::ImportValue function to obtain the subnet ID values.
B. Use a transit gateway in the VPC within Account-A. Configure the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads.
C. Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.
D. Create a peering connection between Account-A and the remaining member accounts. Configure the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads.
C. Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.
The correct answer is C. This answer is correct because AWS RAM is a service that helps you securely share your AWS resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types [1]. One of the supported resource types is VPC subnets [2], which means you can share the subnets in Account-A's VPC with the other member accounts using AWS RAM. This way, you can meet the requirements of using a centrally managed VPC, avoiding duplicate VPCs in each account, and launching workloads in shared subnets. You can also control the access to the shared subnets by using IAM policies and resource-based policies [3], which can prevent one account from modifying another account's resources.
The other options are incorrect because:
A. Using a CloudFormation template in the member accounts to launch workloads and using the Fn::ImportValue function to obtain the subnet ID values is not a solution, because Fn::ImportValue can only import values that have been exported by another stack within the same region [4]. This means that you cannot use Fn::ImportValue to reference the subnet IDs that are exported by Account-A's CloudFormation template, unless all the member accounts are in the same region as Account-A. This option also does not avoid creating duplicate VPCs in each account, which is one of the requirements.
B. Using a transit gateway in the VPC within Account-A and configuring the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads is not a solution, because a transit gateway does not allow you to launch workloads in another account's subnets. A transit gateway is a network transit hub that enables you to route traffic between your VPCs and on-premises networks [5], but it does not enable you to share subnets across accounts.
D. Creating a peering connection between Account-A and the remaining member accounts and configuring the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads is not a solution, because a VPC peering connection does not allow you to launch workloads in another account's subnets. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately [6], but it does not enable you to share subnets across accounts.
References:
[1] What is AWS Resource Access Manager?
[2] Shareable AWS resources
[3] Managing permissions for shared resources
[4] Fn::ImportValue
[5] What is a transit gateway?
[6] What is VPC peering?
Question 554:
A security engineer needs to ensure that their company's use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.
Which solution meets these requirements?
A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
B. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.
C. Set up a rule in AWS Config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
D. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS.
A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
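What a CloudWatch Events (now EventBridge) rule for option A actually evaluates is an event pattern over the CloudTrail event envelope, with root activity identified by `detail.userIdentity.type` equal to `Root`. The following is an added example, not code from the practice page or from AWS: it encodes that pattern as a dictionary, implements the exact-match subset of event-pattern semantics (each leaf is a list of allowed literal values, every key in the pattern must be present and match; prefix, numeric and anything-but filters are not modelled), and runs it over constructed CloudTrail-style events to produce the lines the SNS notification would carry. Account id, IPs, times and user names are made up; the pattern matcher and the `root_user_alerts` helper are this example's own.

```python
# Event pattern in the shape a CloudWatch Events / EventBridge rule uses: leaves are
# lists of accepted literal values, nested dicts must all match.
ROOT_USER_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of event-pattern semantics (assumption: no prefix/numeric
    /anything-but filters, no array-valued event fields)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def root_user_alerts(events: list[dict]) -> list[str]:
    """Return one SNS-ready alert line per event that matches the root-user pattern."""
    alerts = []
    for ev in events:
        if pattern_matches(ROOT_USER_PATTERN, ev):
            d = ev["detail"]
            alerts.append(
                f"ROOT ACTIVITY account={ev['account']} region={ev['region']} "
                f"event={d['eventName']} sourceIP={d.get('sourceIPAddress', '?')} "
                f"at={d['eventTime']}"
            )
    return alerts


# Constructed sample events (made-up account id, IPs, times and user names).
SAMPLE_EVENTS = [
    {"detail-type": "AWS Console Sign In via CloudTrail", "account": "111111111111",
     "region": "us-east-1",
     "detail": {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T08:00:00Z",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "Root", "accountId": "111111111111"}}},
    {"detail-type": "AWS API Call via CloudTrail", "account": "111111111111",
     "region": "us-east-1",
     "detail": {"eventName": "DescribeInstances", "eventTime": "2024-01-01T08:05:00Z",
                "sourceIPAddress": "203.0.113.11",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}},
    {"detail-type": "AWS API Call via CloudTrail", "account": "111111111111",
     "region": "eu-west-1",
     "detail": {"eventName": "CreateUser", "eventTime": "2024-01-01T09:00:00Z",
                "sourceIPAddress": "203.0.113.12",
                "userIdentity": {"type": "Root", "accountId": "111111111111"}}},
    {"detail-type": "AWS API Call via CloudTrail", "account": "111111111111",
     "region": "us-east-1",
     "detail": {"eventName": "AssumeRole", "eventTime": "2024-01-01T09:30:00Z",
                "sourceIPAddress": "203.0.113.13",
                "userIdentity": {"type": "AssumedRole"}}},
]


if __name__ == "__main__":
    for line in root_user_alerts(SAMPLE_EVENTS):
        print(line)
```

Matching on the identity type rather than on a specific event name is what makes the rule catch both the console sign-in and the later API call in the sample; a rule keyed only on `ConsoleLogin` would have missed the `CreateUser` call made with root credentials.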
Question 555:
Your application currently uses Amazon Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?
A. Create different Cognito endpoints, one for the readers and the other for the contributors.
B. Create different Cognito groups, one for the readers and the other for the contributors.
C. You need to manage this within the application itself.
D. This needs to be managed via web security tokens.
B. Create different Cognito groups, one for the readers and the other for the contributors.
The AWS documentation mentions the following: "You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app."
Option A is incorrect since you need to create Cognito groups and not endpoints. Options C and D are incorrect since these would be overheads when you can use Amazon Cognito. For more information on Amazon Cognito user groups please refer to the below link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
Question 556:
A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?
A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
Question 557:
Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Select THREE.)
A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
B. The internet gateway of the VPC has been reconfigured.
C. The security group denies outbound traffic on ephemeral ports.
D. The route table is missing a route to the internet gateway.
E. The NACL denies outbound traffic on ephemeral ports.
F. The host-based firewall is denying SSH traffic.
B. The internet gateway of the VPC has been reconfigured.
D. The route table is missing a route to the internet gateway.
F. The host-based firewall is denying SSH traffic.
Question 558:
Your developer is using the KMS service and an assigned key in their Java program. They get the following error when running the code:
arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey
Which of the following could help resolve the issue?
A. Ensure that UserB is given the right IAM role to access the key.
B. Ensure that UserB is given the right permissions in the IAM policy.
C. Ensure that UserB is given the right permissions in the key policy.
D. Ensure that UserB is given the right permissions in the bucket policy.
C. Ensure that UserB is given the right permissions in the key policy.
Explanation/Reference: You need to ensure that UserB is given access via the key policy for the key. Option A is invalid because you don't assign roles to IAM users. For more information on key policies please visit the below link: https://docs.aws.amazon.com/kms/latest/developerguide/key-poli
Question 559:
Your company works in the gaming domain and hosts several EC2 instances as game servers. The servers each experience user loads in the thousands. There is a concern about DDoS attacks on the EC2 instances, which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?
A. Use VPC Flow Logs to monitor the VPC and then implement NACLs to mitigate attacks.
B. Use AWS Shield Advanced to protect the EC2 instances.
C. Use Amazon Inspector to protect the EC2 instances.
D. Use AWS Trusted Advisor to protect the EC2 instances.
B. Use AWS Shield Advanced to protect the EC2 instances.
Below is an excerpt from the AWS documentation on some of the use cases for AWS Shield
Question 560:
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS Regions.
What is the SIMPLEST way to meet these requirements?
A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.
C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html