Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 681:
A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possible.
Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)
A. Turn on VPC Flow Logs for all VPCs in the account.
B. Activate Amazon GuardDuty across all AWS Regions.
C. Activate Amazon Detective across all AWS Regions.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the findings to the SNS topic.
E. Create an AWS Lambda function. Create an Amazon EventBridge rule that invokes the Lambda function to publish findings to Amazon Simple Email Service (Amazon SES).
Answer: B, D
To detect suspicious activity in an AWS account for VPC-hosted resources, the security engineer needs a service that can monitor network traffic and API calls across all AWS Regions. Amazon GuardDuty is a threat detection service that does this by analyzing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. By activating GuardDuty across all AWS Regions, the security engineer provides visibility for as many Regions as possible. GuardDuty generates findings that contain details about the potential threats detected in the account. To respond to these findings, the security engineer needs a mechanism that notifies the relevant stakeholders or takes remedial action. One way to do this is Amazon EventBridge, a serverless event bus service that connects AWS services and third-party applications. By creating an EventBridge rule that matches GuardDuty findings and publishes them to an Amazon Simple Notification Service (Amazon SNS) topic, the security engineer lets subscribers of the topic receive notifications by email, SMS, or other methods. This is a cost-effective solution that does not require any additional infrastructure or code.
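As an added example (not part of the original question or answer), the EventBridge rule from the answer written as an event pattern and applied to constructed GuardDuty finding events; the severity threshold, the sample findings and the small pattern matcher are assumptions, not AWS code:

```python
# Added example (not from the original page): the EventBridge rule from the
# answer, expressed as an event pattern, applied to constructed GuardDuty
# finding events to show which findings would be published to the SNS topic.
# The pattern routes only findings of severity 7 or higher (GuardDuty "High").
# The matcher below implements the subset of EventBridge pattern semantics the
# rule needs: exact-value lists, nested objects and the numeric operator.

RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}

def _scalar_matches(matcher, value):
    """One entry of a pattern list: a literal or a {"numeric": [op, n, ...]} clause."""
    if isinstance(matcher, dict) and "numeric" in matcher:
        if not isinstance(value, (int, float)) or isinstance(value, bool):
            return False
        ops = matcher["numeric"]
        # numeric clauses may chain, e.g. [">", 0, "<=", 5]
        return all(_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    return matcher == value

def matches(pattern, event):
    """True if `event` satisfies every key of `pattern` (AND across keys, OR within a list)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not any(_scalar_matches(m, event[key]) for m in expected):
            return False
    return True

# Constructed sample events in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

def findings_to_publish(events, pattern=RULE_PATTERN):
    """Return the finding types the rule would forward to the SNS target."""
    return [e["detail"]["type"] for e in events if matches(pattern, e)]

if __name__ == "__main__":
    print(findings_to_publish(SAMPLE_EVENTS))  # ['Backdoor:EC2/C&CActivity.B!DNS']
```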
Question 682:
A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images.
Which solution will meet these requirements with the LEAST management overhead?
A. Pull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use identity-based policies to restrict access to which IAM principals can access the images.
B. Pull images from the public container registry. Publish the images to a private container registry that is hosted on Amazon EC2 instances in a centralized AWS account. Deploy host-based container scanning tools to EC2 instances that run Amazon ECS. Restrict access to the container images by using basic authentication over HTTPS.
C. Pull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.
D. Pull images from the public container registry. Publish the images to AWS CodeArtifact repositories in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.
Answer: C
This solution meets the requirements because Amazon ECR is a fully managed container registry service that supports Docker and OCI images and artifacts, and it integrates with Amazon ECS and other AWS services to simplify the development and deployment of container-based applications. Amazon ECR provides image scanning on push, which uses the Common Vulnerabilities and Exposures (CVE) database from the open-source Clair project to detect software vulnerabilities in container images; the scan results are available in the AWS Management Console, the AWS CLI, and the AWS SDKs. Amazon ECR supports cross-account access to repositories, which allows images to be shared across multiple AWS accounts. This is achieved with repository policies, which are resource-based policies that specify which IAM principals and accounts can access a repository and what actions they can perform. Additionally, identity-based policies can be used to control which IAM roles in each account can access the repositories.
The other options are incorrect because:
A. This option does not use repository policies to restrict cross-account access to the images, which is a requirement. Identity-based policies alone are not sufficient to control cross-account access to Amazon ECR repositories.
B. This option does not use Amazon ECR, which is a fully managed service that provides image scanning and cross-account access features. Hosting a private container registry on EC2 instances would require more management overhead and additional security measures.
D. This option uses AWS CodeArtifact, which is a fully managed artifact repository service that supports Maven, npm, NuGet, PyPI, and generic package formats. However, AWS CodeArtifact does not support Docker or OCI container images, which are required for Amazon ECS applications.
Question 683:
A company created an AWS account for its developers to use for testing and learning purposes. Because this account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.
Developers were instructed to tag all their instances with a Team tag key and use the team name in the tag value. One of the first teams to use this account is Business Intelligence. A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account. The security engineer has already created individual IAM roles for each team.
Which additional configuration steps should the security engineer take to complete the task?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Question 684:
A company's security information and event management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object-created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.
Which of the following are possible causes of this issue? (Select THREE)
A. The SQS queue does not allow the SQS SendMessage action from the SNS topic.
B. The SNS topic does not allow the SNS Publish action from Amazon S3.
C. The SNS topic is not delivering raw messages to the SQS queue.
D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
F. The IAM role used by the SIEM tool does not allow the SQS DeleteMessage action.
Answer: A, D, F
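As an added example (not from the original page), a small audit of the three policy documents in the CloudTrail to S3 to SNS to SQS to SIEM delivery chain that reports which of the causes in the answer key (A, D, F) a given set of policies triggers; the policy documents, ARNs and account ids are constructed placeholders, and the checker is simplified (it ignores Resource and Condition elements):

```python
# Added example (not from the original page): audit the policy documents in the
# CloudTrail -> S3 -> SNS -> SQS -> SIEM chain and report which of the answer's
# causes (A, D, F) the supplied policies would trigger. Resource and Condition
# elements are not evaluated; only Effect, Principal and Action are checked.
# All policy documents, ARNs and account ids below are constructed placeholders.
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, service=None):
    """True if an Allow statement grants `action` (IAM wildcards honoured) and,
    when `service` is given, names that service principal or '*'.
    An explicit Deny on the action wins, as in IAM evaluation."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        if not any(fnmatch(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if service is not None:
            p = st.get("Principal", {})
            names = _as_list(p.get("Service", [])) if isinstance(p, dict) else _as_list(p)
            if "*" not in names and service not in names:
                continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def diagnose(bucket_policy, queue_policy, role_policy):
    """Return the option letters from the question that apply to these policies."""
    causes = []
    if not allows(queue_policy, "sqs:SendMessage", "sns.amazonaws.com"):
        causes.append("A")  # SNS cannot deliver the S3 notifications into the queue
    if not allows(bucket_policy, "s3:PutObject", "cloudtrail.amazonaws.com"):
        causes.append("D")  # CloudTrail cannot write log files to the bucket
    if not allows(role_policy, "sqs:DeleteMessage"):
        causes.append("F")  # the SIEM cannot remove consumed messages; the queue stalls
    return causes

# Constructed "after the review" documents: the bucket policy is intact, the
# queue policy lost its SNS service principal, and the role lost sqs:DeleteMessage.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-bucket"},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
QUEUE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:111122223333:siem-queue"}]}
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "s3:GetObject"], "Resource": "*"}]}

if __name__ == "__main__":
    print(diagnose(BUCKET_POLICY, QUEUE_POLICY, ROLE_POLICY))  # ['A', 'F']
```

A working queue policy grants sqs:SendMessage to the sns.amazonaws.com service principal, normally with a Condition on aws:SourceArn limited to the topic ARN, which this simplified check does not evaluate.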
Question 685:
A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also, all API calls must be stored for lookup purposes. Any log data older than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution.
A. Enable CloudTrail logging in all accounts into S3 buckets.
B. Enable CloudTrail logging in all accounts into Amazon Glacier.
C. Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
D. Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
Answer: A, D
CloudTrail publishes the trail of API logs to an S3 bucket. Option B is invalid because CloudTrail cannot deliver logs directly into Glacier. Option C is invalid because lifecycle policies cannot be used to move data to EBS volumes. You can then use S3 lifecycle policies to transition the data to Amazon Glacier after 6 months.
For more information on CloudTrail logging, see: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
For more information on S3 lifecycle policies, see: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
Question 686:
A security engineer is implementing authentication for a multi-account environment by using federated access with SAML 2.0. The security engineer has configured AWS IAM Identity Center as an identity provider (IdP). The security engineer also has created IAM roles to grant access to the AWS accounts.
A federated user reports an authentication failure when the user attempts to authenticate with the new system.
What should the security engineer do to troubleshoot this issue in the MOST operationally efficient way?
A. Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made.
B. Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles.
C. Use IAM access advisor to review recent service access. Use the IAM policy simulator to validate access to the IAM roles.
D. Recreate the SAML IdP in a separate account to confirm the behavior that the user is experiencing.
Answer: A
When troubleshooting SAML-based authentication issues, it is essential to review the logs from the SAML identity provider (IdP) to identify errors or misconfigurations in the authentication flow. Additionally, AWS CloudTrail logs provide insight into the API calls made by the user (such as the AssumeRoleWithSAML call), allowing the security engineer to verify whether the authentication attempt reached AWS and to identify any issues at that level. This approach is operationally efficient because it focuses on the primary logs related to authentication without recreating the setup or simulating access.
Question 687:
A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet.
The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communicate on TCP port 2905.
Which solution will identify the affected EC2 instances with the LEAST operational effort?
A. Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.
B. Enable VPC flow logs for the VPC where the affected EC2 instances are located. Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.
C. Enable Amazon GuardDuty. Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.
D. Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.
Answer: B
VPC Flow Logs provide a simple way to capture network traffic information for a VPC, including details of traffic rejected by security groups and network ACLs. By enabling flow logs, you can filter for REJECT records with destination TCP port 2905, which identifies the EC2 instances (by their network interface) that are trying to communicate with the command and control hosts. This requires minimal setup and effort, making it the most efficient solution.
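As an added example (not from the original page), a parser for default-format VPC flow log records that extracts the REJECT entries for TCP port 2905 produced by the network ACL rule and maps them to the originating network interfaces; the log lines, ENI ids and addresses are constructed, and the CloudWatch Logs Insights field names in the query string are assumed:

```python
# Added example (not from the original page): parse VPC flow log records in the
# default (version 2) format and pick out the REJECT records for TCP destination
# port 2905 that the new network ACL rule produces. The log lines below are
# constructed; the ENI ids, account id and addresses are placeholders.

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
TCP = 6  # IANA protocol number; flow logs record the number, not the name

def parse_flow_log(line):
    """Split one default-format record into a dict, or None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the traffic fields; keep them as None
    for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[k] = int(rec[k]) if rec[k] != "-" else None
    return rec

def affected_interfaces(lines, port=2905):
    """Return {interface_id: {srcaddr, ...}} for REJECTed TCP flows to `port`.
    The interface id maps back to the EC2 instance that tried to connect."""
    hits = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["action"] == "REJECT" and rec["protocol"] == TCP and rec["dstport"] == port:
            hits.setdefault(rec["interface_id"], set()).add(rec["srcaddr"])
    return hits

# Constructed sample: two instances reaching for a C2 host on 2905 (rejected by
# the NACL), one normal HTTPS flow, one skipped record, one REJECT on another port.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.15 203.0.113.7 49152 2905 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.15 198.51.100.20 49153 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 10.0.1.22 203.0.113.7 50001 2905 6 5 300 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60003 - - - - - - - 1700000000 1700000060 - SKIPDATA
2 111122223333 eni-0a1b2c3d4e5f60003 10.0.1.30 203.0.113.7 50002 2906 6 1 60 1700000000 1700000060 REJECT OK
""".splitlines()

# Equivalent CloudWatch Logs Insights query if the flow logs go to a log group
# (assumed field names: those Logs Insights discovers for VPC flow log records).
INSIGHTS_QUERY = ('fields @timestamp, interfaceId, srcAddr '
                  '| filter action = "REJECT" and protocol = 6 and dstPort = 2905 '
                  '| stats count(*) by interfaceId, srcAddr')

if __name__ == "__main__":
    print(affected_interfaces(SAMPLE_LOG))
```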
Question 688:
A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.
The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.
Which solution will meet these requirements?
A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
Answer: B
Question 689:
A company requires that SSH commands used to access its AWS instances be traceable to the user who executed each command.
How should a Security Engineer accomplish this?
A. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
C. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
Answer: C
Question 690:
You are creating a Lambda function that will be triggered by a CloudWatch Events rule. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
A. Put the IAM access keys in the Lambda function, since the Lambda function is secure by default.
B. Use an IAM role that has permissions to the DynamoDB table and attach it to the Lambda function.
C. Use IAM access keys that have access to DynamoDB and place them in an S3 bucket.
D. Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.
Answer: B
AWS Lambda functions use IAM roles (execution roles) to interact with other AWS services, so use an IAM role that has permissions to the DynamoDB table and attach it to the Lambda function. Options A and C are invalid because you should never embed or store IAM access keys for this kind of access. Option D is invalid because a VPC endpoint provides private network connectivity from a VPC; it does not grant the function any permissions.
For more information on the Lambda function permission model, see: https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html