SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 571:

    A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

    The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

    Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

    A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
    B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
    C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
    D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
    E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
    F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

  • Question 572:

    A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

    Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

    A. One in the US West (Oregon) region and one in the US East (Virginia) region.
    B. Two in the US West (Oregon) region and none in the US East (Virginia) region.
    C. One in the US West (Oregon) region and none in the US East (Virginia) region.
    D. Two in the US East (Virginia) region and none in the US West (Oregon) region.

  • Question 573:

    A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

    The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.

    Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose Three.)

    A. Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.
    B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
    C. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.
    D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.
    E. Update each stack to use the service role.
    F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.

  • Question 574:

    An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.

    How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

    A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
    B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
    C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
    D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

  • Question 575:

    An online media company has an application that customers use to watch events around the world. The application is hosted on a fleet of Amazon EC2 instances that run Amazon Linux 2. The company uses AWS Systems Manager to manage the EC2 instances. The company applies patches and application updates by using the AWS-AmazonLinux2DefaultPatchBaseline patching baseline in Systems Manager Patch Manager.

    The company is concerned about potential attacks on the application during the week of an upcoming event. The company needs a solution that can immediately deploy patches to all the EC2 instances in response to a security incident or vulnerability. The solution also must provide centralized evidence that the patches were applied successfully.

    Which combination of steps will meet these requirements? (Choose two.)

    A. Create a new patching baseline in Patch Manager. Specify Amazon Linux 2 as the product. Specify Security as the classification. Set the automatic approval for patches to 0 days. Ensure that the new patching baseline is the designated default for Amazon Linux 2.
    B. Use the Patch Now option with the scan and install operation in the Patch Manager console to apply patches against the baseline to all nodes. Specify an Amazon S3 bucket as the patching log storage option.
    C. Use the Clone function of Patch Manager to create a copy of the AWS-AmazonLinux2DefaultPatchBaseline built-in baseline. Set the automatic approval for patches to 1 day.
    D. Create a patch policy that patches all managed nodes and sends a patch operation log output to an Amazon S3 bucket. Use a custom scan schedule to set Patch Manager to check every hour for new patches. Assign the baseline to the patch policy.
    E. Use Systems Manager Application Manager to inspect the package versions that were installed on the EC2 instances. Additionally use Application Manager to validate that the patches were correctly installed.

  • Question 576:

    A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the health status data. Which approach should the Security Engineer use?

    A. Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics. Visualize metrics using Amazon CloudWatch dashboards.
    B. Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose. Store the streaming data from Kinesis Data Firehose in Amazon Redshift. Then run a script on the pooled data and analyze the data in Amazon Redshift.
    C. Write the status data directly to a public Amazon S3 bucket from the health-checking component. Configure S3 events to invoke an AWS Lambda function that analyzes the data.
    D. Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an AWS Lambda function that analyzes the data.

  • Question 577:

    A company has a relational database workload that runs on Amazon Aurora MySQL. According to new compliance standards the company must rotate all database credentials every 30 days. The company needs a solution that maximizes security and minimizes development effort.

    Which solution will meet these requirements?

    A. Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation for every 30 days.
    B. Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.
    C. Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.
    D. Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

  • Question 578:

    An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

    Which of the following explains why the logs are not available?

    A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
    B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
    C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
    D. The version of the Lambda function that was executed was not current.

  • Question 579:

    A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

    1. A trusted forensic environment must be provisioned.
    2. Automated response processes must be orchestrated.

    Which AWS services should be included in the plan? (Select TWO)

    A. AWS CloudFormation
    B. Amazon GuardDuty
    C. Amazon Inspector
    D. Amazon Macie
    E. AWS Step Functions

  • Question 580:

    A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS SSO enabled.

    Which additional steps should the security engineer take to complete the task?

    A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
    B. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS SSO user portal.
    C. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the AWS SSO user portal.
    D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify AWS SSO as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation or Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.