Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 631:
A company's security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company's AWS accounts. VPC flow logs are enabled for all VPCs.
A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.
Which solution will meet these requirements?
A. Monitor CloudTrail logs for API calls to non-standard time servers.
B. Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.
C. Monitor VPC flow logs for traffic to non-standard time servers.
D. Monitor VPC flow logs for traffic to the Amazon Time Sync Service.

Answer: C. Monitor VPC flow logs for traffic to non-standard time servers.
Explanation: NTP is network traffic, not an AWS API call, so CloudTrail never records it; VPC flow logs do. Flow logs capture details about traffic to and from EC2 instances, including any traffic directed to external NTP servers. By analyzing these logs for NTP traffic to non-standard time servers (IP addresses other than the Amazon Time Sync Service endpoint 169.254.169.123), the security engineer can identify instances that are not complying with the company's policy.
Question 632:
A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:
Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?
A. Remove the Condition element. Change the Principal element to the following: { "AWS": "arn:aws:lambda:::function:MyLambdaFunction" }
B. Change the Action element to the following: "s3:GetObject*", "s3:GetBucket*"
C. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".
D. Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following: { "Service": "s3.amazonaws.com" }

Answer: C. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".
Explanation: The Resource element in the bucket policy specifies which objects in the bucket are affected by the policy. In this case, the policy only applies to the bucket itself ("arn:aws:s3:::DOC-EXAMPLE-BUCKET"), not the objects inside it, so the s3:GetObject permission never matches an object ARN and the Lambda function cannot read the objects. To fix this, the Resource element should include a wildcard (*) to match all objects in the bucket. This way, the policy grants the Lambda function permission to read any object in the bucket.
The other options are incorrect for the following reasons:
A. Removing the Condition element would not help, because it only restricts access based on the source IP address of the request. The Principal element should not be changed to the Lambda function ARN, because it specifies who is allowed or denied access by the policy. The policy should allow access to any principal ("*") and rely on IAM roles or policies to control access to the Lambda function.
B. Changing the Action element to include s3:GetBucket* would not help, because it would grant additional permissions that are not needed by the Lambda function, such as s3:GetBucketAcl or s3:GetBucketPolicy. The s3:GetObject* permission is sufficient for reading objects in the bucket.
D. Changing the Resource element to the Lambda function ARN would not make sense, because it would mean that the policy applies to the Lambda function itself, not the bucket or its objects. The Principal element should not be changed to s3.amazonaws.com, because it would grant access to any AWS service that uses S3, not just Lambda.
Question 633:
Your team is designing a web application. The users of this web application need to sign in via an external identity provider such as Facebook or Google. Which of the following IAM services would you use for authentication?
A. IAM Cognito
B. IAM SAML
C. IAM IAM
D. IAM Config

Answer: A. IAM Cognito
Explanation: The IAM Documentation mentions the following: Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
Option B is incorrect since this is used for identity federation.
Option C is incorrect since this is pure Identity and Access Management.
Option D is incorrect since IAM Config is a configuration service.
For more information on IAM Cognito please refer to the below link: https://docs.IAM.amazon.com/coenito/latest/developerguide/what-is-amazon-cognito.html
Question 634:
Which of the following is used as a secure way to log into an EC2 Linux instance?
A. IAM User name and password
B. Key pairs
C. IAM Access keys
D. IAM SDK keys

Answer: B. Key pairs
Explanation: The IAM Documentation mentions the following: Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then IAM uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.
Options A, C and D are all wrong because these are not used to log into EC2 Linux instances.
For more information on IAM Security credentials, please visit the below URL: https://docs.IAM.amazon.com/eeneral/latest/er/IAM-sec-cred-types.html
Question 635:
A company is outsourcing its operational support to an external company. The company's security officer must implement an access solution for delegating operational support that minimizes overhead.
Which approach should the security officer take to meet these requirements?
A. Implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management. Allow the external company to federate through its identity provider.
B. Federate IAM Identity and Access Management (IAM) with the external company's identity provider. Create an IAM role and attach a policy with the necessary permissions.
C. Create an IAM group for the external company. Add a policy to the group that denies IAM modifications. Securely provide the credentials to the external company.
D. Use IAM SSO with the external company's identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.

Answer: B. Federate IAM Identity and Access Management (IAM) with the external company's identity provider. Create an IAM role and attach a policy with the necessary permissions.
Question 636:
A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.
Which solution meets these requirements?
A. Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.
B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
C. Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
D. Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Answer: C. Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
Question 637:
A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket.
The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet.
All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet.
Which solution will meet these requirements?
A. Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT gateway.
B. Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.
C. Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for the S3 service.
D. Deploy an Amazon Simple Queue Service (Amazon SQS) queue and the Lambda functions in the same private subnet. Configure the Lambda functions to send data to the SQS queue. Configure the SQS queue to send data to the S3 bucket.

Answer: B. Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.
Question 638:
A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances for CVEs in a single IAM account. The Engineer has already enabled IAM Security Hub and Amazon Inspector in the IAM Management Console and has installed the Amazon Inspector agent on the EC2 instances that need to be monitored.
Which additional steps should the Security Engineer take to meet this requirement?
A. Configure the Amazon Inspector agent to use the CVE rule package.
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from IAM Inspector by writing a custom resource policy.
C. Configure the Security Hub agent to use the CVE rule package. Configure IAM Inspector to ingest from Security Hub by writing a custom resource policy.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.

Answer: D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.
Question 639:
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)
A. Use IAM Certificate Manager to encrypt all traffic between the client and application servers.
B. Review the application security groups to ensure that only the necessary ports are open.
C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
D. Use Amazon Inspector to periodically scan the backend instances.
E. Use IAM Key Management Services to encrypt all the traffic between the client and application servers.

Answer: B. Review the application security groups to ensure that only the necessary ports are open. D. Use Amazon Inspector to periodically scan the backend instances.
Question 640:
A company is testing incident response procedures for destination containment. The company needs to contain a critical Amazon EC2 instance as quickly as possible while keeping the EC2 instance running. The EC2 instance is the only resource in a public subnet and has active connections to other resources.
Which solution will contain the EC2 instance IMMEDIATELY?
A. Create a new security group that has no inbound rules or outbound rules. Attach the new security group to the EC2 instance.
B. Configure the existing security group for the EC2 instance. Remove all existing inbound rules and outbound rules from the security group.
C. Create a new network ACL that has a single Deny rule for inbound traffic and outbound traffic. Associate the new network ACL with the subnet that contains the EC2 instance.
D. Create a new VPC for isolation. Stop the EC2 instance. Create a new AMI from the EC2 instance. Use the new AMI to launch a new EC2 instance in the new VPC.

Answer: A. Create a new security group that has no inbound rules or outbound rules. Attach the new security group to the EC2 instance.
Explanation: To contain the EC2 instance quickly while keeping it running, attach a security group with no inbound or outbound rules. This cuts off all network traffic to and from the instance, isolating it immediately while keeping the instance active.