Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 601:
A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account to prevent resources from being shared with external accounts.
The company now needs to allow applications in its marketing team's AWS account to share resources with external accounts. The company must continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization are members of the same OU.
Which solution will meet these requirements?
A. Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.
B. Edit the existing SCP to add a Condition statement that excludes the marketing team's account.
C. Edit the existing SCP to include an Allow statement that specifies the marketing team's account.
D. Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.
Answer: B. Edit the existing SCP to add a Condition statement that excludes the marketing team's account.
Question 602:
Your company has a set of 1000 EC2 instances in an AWS account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?
A. Use AWS Systems Manager Parameter Store
B. Use AWS Systems Manager Run Command
C. Use Amazon Inspector
D. Use AWS Config
Answer: B. Use AWS Systems Manager Run Command
Explanation: The AWS documentation states that AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.
Option A is invalid because Parameter Store is used to store parameters. Option C is invalid because Amazon Inspector is used to scan EC2 instances for vulnerabilities. Option D is invalid because AWS Config is used to check for configuration changes.
For more information on executing remote commands, see https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
Question 603:
A company is running workloads on AWS. The workloads are in separate AWS accounts for development, testing, and production. All the company's developers can access the development account. A subset of the developers can access the testing account and the production account.
The company is spending too much time managing individual credentials for every developer across every environment. A security engineer must implement a more scalable solution that the company can use when a developer needs different access. The solution must allow developers to access resources across multiple accounts. The solution also must minimize credential sharing.
Which solution will meet these requirements?
A. Use AWS Identity and Access Management Access Analyzer to identify the permissions that the developers need on each account. Configure IAM Access Analyzer to automatically provision the correct access for each developer.
B. Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.
C. Create IAM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create IAM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.
D. Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.
Answer: C. Create IAM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create IAM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.
Explanation: Using IAM roles with cross-account access and the sts:AssumeRole action is a scalable and secure solution that allows developers to access resources across multiple accounts without sharing long-term credentials. This approach allows developers in the development account to assume roles in the testing and production accounts as needed, based on permissions defined in the trust policy. It minimizes credential management complexity and avoids credential sharing, as developers use temporary session-based credentials through role assumption.
Question 604:
A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards. Which of the following actions should the Engineer perform to get further guidance?
A. Read the AWS Customer Agreement.
B. Use AWS Artifact to access AWS compliance reports.
C. Post the question on the AWS Discussion Forums.
D. Run AWS Config and evaluate the configuration outputs.
Answer: B. Use AWS Artifact to access AWS compliance reports.
Explanation: Third-party auditors assess the security and compliance of AWS Key Management Service as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others. The compliance documents are available in AWS Artifact.
Reference: https://aws.amazon.com/artifact/
Question 605:
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.
While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
A. Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353.
B. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
C. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
D. Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
Answer: C. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
Question 606:
A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?
A. Access the S3 bucket through a proxy server.
B. Access the S3 bucket through a NAT gateway.
C. Access the S3 bucket through a VPC endpoint for S3.
D. Access the S3 bucket through the SSL-protected S3 endpoint.
Answer: C. Access the S3 bucket through a VPC endpoint for S3.
Explanation: The AWS documentation states that a VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Option A is invalid because a proxy server alone is not sufficient. Options B and D are invalid because the communication must not traverse the public internet.
For more information on VPC endpoints, see https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
Question 607:
A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.
Which solution will meet these requirements?
A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
B. Install a BIND DNS server in the VPC. Create a bash script to list the request counts of the most common DNS queries from the BIND logs.
C. Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Answer: D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Reference: https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/
Question 608:
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:
How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?
A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
B. Add an IAM policy for the Developer, which grants S3 access.
C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
D. Add an allow list for the Developer account for the S3 service.
Answer: C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
Question 609:
A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.
Which solution meets these requirements?
A. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
B. Use AWS Secrets Manager to store the database credentials. Configure automatic rotation of the credentials.
C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication.
D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate the credentials on a scheduled basis.
Answer: A. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
Question 610:
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.
What should the security engineer recommend?
A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
Answer: C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.