SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 641:

    A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

    The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

    What should the security engineer do next to meet the requirements in the MOST secure way?

    A. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Share the portfolio with the OU.
    B. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. In the OU, create an SCP that allows access to the extension.
    C. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.
    D. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Share the extension with the OU.

  • Question 642:

    The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.

    What is causing this situation?

    A. Application Load Balancers do not support older web browsers.
    B. The Perfect Forward Secrecy settings are not configured correctly.
    C. The intermediate certificate is installed within the Application Load Balancer.
    D. The cipher suites on the Application Load Balancers are blocking connections.

  • Question 643:

    A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket? Choose 2 answers from the options given below.

    A. Enable versioning on the S3 bucket
    B. Enable data at rest for the objects in the bucket
    C. Enable MFA Delete in the bucket policy
    D. Enable data in transit for the objects in the bucket

  • Question 644:

    A security engineer needs to detect malware on Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon EC2 instances.

    Which solution will meet this requirement?

    A. Enable Amazon GuardDuty. Configure Malware Protection for EC2. Run an on-demand malware scan of the EC2 instances.
    B. Enable Amazon GuardDuty. Configure Runtime Monitoring. Enable the automated agent configuration for the EC2 instances.
    C. Enable Amazon Inspector. Configure agentless scanning for the EC2 instances.
    D. Enable Amazon Inspector. Configure deep inspection of the EC2 instances. Run an on-demand scan of the EC2 instances.

  • Question 645:

    After a recent security audit involving Amazon S3, a company has asked for assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.

    Is this bucket policy sufficient to ensure that the data is not publicly accessible?

    A. Yes, the bucket policy makes the whole bucket publicly accessible despite how the S3 bucket ACL or object ACLs are configured.
    B. Yes, none of the data in the bucket is publicly accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
    C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
    D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

  • Question 646:

    A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees.

    What should the company do to meet these requirements?

    A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
    B. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
    C. Establish a VPN connection with the AWS virtual private cloud over the internet.
    D. Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

  • Question 647:

    A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.

    What is the most efficient way to remediate the risk of this activity?

    A. Delete the internet gateway associated with the VPC.
    B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
    C. Use a host-based firewall to prevent access from all but the organization's firewall IP.
    D. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.

  • Question 648:

    Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE)

    A. Default AWS Certificate Manager certificate
    B. Custom SSL certificate stored in AWS KMS
    C. Default CloudFront certificate
    D. Custom SSL certificate stored in AWS Certificate Manager
    E. Default SSL certificate stored in AWS Secrets Manager
    F. Custom SSL certificate stored in AWS IAM

  • Question 649:

    A company controls user access by using IAM users and groups in AWS accounts across an organization in AWS Organizations. The company uses an external identity provider (IdP) for workforce single sign-on (SSO).

    The company needs to implement a solution to provide a single management portal to access accounts within the organization. The solution must support the external IdP as a federation source.

    Which solution will meet these requirements?

    A. Enable AWS IAM Identity Center. Specify the external IdP as the identity source.
    B. Enable federation with AWS Identity and Access Management (IAM). Specify the external IdP as the identity source.
    C. Migrate to Amazon Verified Permissions. Implement fine-grained access to AWS by using policy-based access control (PBAC).
    D. Migrate users to AWS Directory Service. Use AWS Control Tower to centralize security across the organization.

  • Question 650:

    A company must create annual snapshots of Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the snapshots for 10 years. The company will use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and snapshots.

    The encryption keys must be rotated automatically every year. Snapshots that were created in previous years must be readable after rotation of the encryption keys.

    Which type of KMS keys should the company use for encryption to meet these requirements?

    A. Asymmetric AWS managed KMS keys with key material created by AWS KMS
    B. Symmetric customer managed KMS keys with key material created by AWS KMS
    C. Symmetric customer managed KMS keys with custom imported key material
    D. Asymmetric AWS managed KMS keys with custom imported key material

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.