SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 661:

    A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its AWS accounts. Additionally, the development team plans to launch a public-facing application for which it needs a separate authentication solution.

    Which combination of the following would satisfy these requirements? (Select TWO)

    A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS.
    B. Establish network connectivity between on-premises and the user's VPC.
    C. Use Amazon Cognito user pools for application authentication.
    D. Use AD Connector for application authentication.
    E. Set up federated sign-in to IAM through ADFS and SAML.

  • Question 662:

    A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

    A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
    B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data.
    C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
    D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
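    The envelope-encryption pattern this question is about, as an added example that is not part of the original page. The KMS client here is an offline stand-in (`FakeKms`) whose `generate_data_key` / `decrypt` methods return dicts shaped like the boto3 responses; in production you would call `boto3.client("kms").generate_data_key(KeyId=..., KeySpec="AES_256")` and `.decrypt(CiphertextBlob=...)`, and encrypt the payload with a standard AEAD such as AES-GCM rather than the stdlib-only HMAC counter-mode cipher used below for portability. The key ARN and the sample record are constructed.

```python
"""Envelope encryption in the shape of AWS KMS GenerateDataKey / Decrypt (stdlib only)."""
import hashlib
import hmac
import os
import struct

# Toy stand-ins: the data-key wrapping and the payload cipher below are an
# HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC).
# They are NOT AWS KMS's real ciphertext format; the structure is the point.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce(16) || ciphertext || tag(32)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any tampering."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Offline stand-in for a KMS key: the master key never leaves this object."""

    def __init__(self, key_id: str):
        self._keys = {key_id: os.urandom(32)}
        self.decrypt_calls = 0

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        plaintext = os.urandom(32)
        # The wrapped blob carries the key id, so Decrypt needs no KeyId
        # argument, just as the real CiphertextBlob does.
        blob = KeyId.encode() + b"\0" + _seal(self._keys[KeyId], plaintext)
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        self.decrypt_calls += 1
        key_id, sealed = CiphertextBlob.split(b"\0", 1)
        key_id = key_id.decode()
        return {"Plaintext": _open(self._keys[key_id], sealed), "KeyId": key_id}


def envelope_encrypt(kms, key_id: str, data: bytes) -> dict:
    """One KMS call per object; the plaintext data key is discarded afterwards."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    ciphertext = _seal(dk["Plaintext"], data)
    # Only the wrapped data key is stored, right next to the ciphertext it protects.
    return {"encrypted_data_key": dk["CiphertextBlob"], "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Unwrap the stored data key with KMS Decrypt, then decrypt locally."""
    data_key = kms.decrypt(CiphertextBlob=envelope["encrypted_data_key"])["Plaintext"]
    return _open(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/example"  # constructed
    kms = FakeKms(key_arn)
    env = envelope_encrypt(kms, key_arn, b"ssn=123-45-6789")  # constructed record
    print(envelope_decrypt(kms, env))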

  • Question 663:

    A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption keys must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.

    Which solution meets these requirements?

    A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK.
    B. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
    C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.
    D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.

  • Question 664:

    A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company's security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext.

    Which solutions could a security engineer use to meet these requirements? (Select TWO)

    A. Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.
    B. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure an SSL listener and TCP passthrough to receive client connections. Terminate HTTPS traffic from the NLB on the EC2 instances.
    C. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances.
    D. Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections. Terminate SSL on the existing ALB.
    E. Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections. Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances. Terminate SSL from the ALB on the EC2 instances.

  • Question 665:

    A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?

    A. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer.
    B. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator.
    C. The S3 bucket policy fails to explicitly grant access to the Application Developer.
    D. The S3 bucket policy explicitly denies access to the Application Developer.

  • Question 666:

    In response to past DDoS attacks, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.

    What must be done to prevent users from accessing the S3 objects directly by using URLs?

    A. Change the S3 bucket/object permission so that only the bucket owner has access.
    B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
    C. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
    D. Redirect S3 bucket access to the corresponding CloudFront distribution.

  • Question 667:

    A company has a requirement that none of its Amazon RDS resources can be publicly accessible.

    A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.

    Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

    A. Configure RDS event notifications on each RDS resource. Target an AWS Lambda function that notifies AWS Config of a change to the RDS public access setting.
    B. Configure the rds-instance-public-access-check AWS Config managed rule to monitor the RDS resources.
    C. Configure the Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
    D. Configure RDS event notifications to post events to an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the SQS queue to an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
    E. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked by a compliance change event from the rds-instance-public-access-check rule.
    F. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked when the AWS Lambda function notifies AWS Config of an RDS event change.
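    The detection path this question describes (Config managed rule, EventBridge rule on the compliance-change event, SNS notification) hinges on the EventBridge event pattern. The block below is an added example, not part of the original page: it holds the pattern for `rds-instance-public-access-check` going NON_COMPLIANT, a small matcher that implements only the subset of EventBridge semantics the pattern needs (exact-value lists at the leaves, recursion into nested objects; no prefix, anything-but or numeric filters), and a few constructed Config events to run it against. Account IDs, resource IDs and timestamps in the samples are made up.

```python
"""Match AWS Config compliance-change events against an EventBridge rule pattern."""

# EventBridge rule pattern: fires only when the managed rule reports NON_COMPLIANT.
RDS_PUBLIC_ACCESS_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["rds-instance-public-access-check"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every pattern key must be present in the
    event; nested dicts recurse; a leaf list matches if the event value equals
    one of its entries."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sns_message(event: dict) -> str:
    """Text a practitioner would want in the SNS notification."""
    d = event["detail"]
    return (f"{d['resourceType']} {d['resourceId']} is "
            f"{d['newEvaluationResult']['complianceType']} against {d['configRuleName']} "
            f"in {event['account']}/{event['region']}")


def triage(events: list) -> list:
    """Return one notification per event the rule pattern matches."""
    return [sns_message(e) for e in events if matches(RDS_PUBLIC_ACCESS_PATTERN, e)]


def _config_event(resource_id: str, compliance: str) -> dict:
    """Constructed Config compliance-change event in the documented shape."""
    return {
        "version": "0",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "111122223333",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "detail": {
            "resourceId": resource_id,
            "resourceType": "AWS::RDS::DBInstance",
            "configRuleName": "rds-instance-public-access-check",
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


# Constructed samples: one violation, one instance returning to compliance,
# and an unrelated RDS service event that must not trigger the notification.
SAMPLE_EVENTS = [
    _config_event("db-prod-1", "NON_COMPLIANT"),
    _config_event("db-prod-2", "COMPLIANT"),
    {
        "version": "0",
        "detail-type": "RDS DB Instance Event",
        "source": "aws.rds",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {"EventID": "RDS-EVENT-0005", "SourceIdentifier": "db-prod-1"},
    },
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)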

  • Question 668:

    Your IT Security team has advised carrying out a penetration test on the resources in the company's AWS account as part of assessing the security of the infrastructure.

    What should be done first in this regard?

    A. Turn on CloudTrail and carry out the penetration test.
    B. Turn on VPC Flow Logs and carry out the penetration test.
    C. Submit a request to AWS Support.
    D. Use a custom AWS Marketplace solution for conducting the penetration test.

  • Question 669:

    A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead.

    What should the security team recommend?

    A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
    B. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
    C. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
    D. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.

  • Question 670:

    A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

    1. Set up the proxy software on the EC2 instances.
    2. Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
    3. Created a security group rule opening inbound ports 80 and 443 (TCP) on the proxy EC2 instance security group.

    However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

    What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

    A. Put all the proxy EC2 instances in a cluster placement group.
    B. Disable source and destination checks on the proxy EC2 instances.
    C. Open all inbound ports on the proxy EC2 instance security group.
    D. Change the VPC's DHCP domain-name-server's options set to the IP addresses of proxy EC2 instances.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your SCS-C02 exam preparation or your Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.