Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 691:
A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.
What is the MOST operationally efficient solution that meets this requirement?
A. Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Restart the BIND service.
B. Migrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS Key Management Service (AWS KMS) customer managed key.
C. Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record. Use AWS Key Management Service (AWS KMS) to secure the keys.
D. Migrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.
D. Migrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone. To configure DNSSEC for a domain registered with Route 53, the most operationally efficient solution is to migrate the zone to Route 53 with DNSSEC signing enabled, create a key-signing key (KSK) that is based on an AWS KMS customer managed key, and add a delegation signer (DS) record to the parent zone. This way, Route 53 handles the zone-signing key (ZSK) and the signing of the records in the hosted zone, and the customer only needs to manage the KSK in AWS KMS and provide the DS record to the domain registrar. Option A is incorrect because it does not involve migrating the zone to Route 53, which would simplify the DNSSEC configuration. Option B is incorrect because it creates both a ZSK and a KSK based on AWS KMS customer managed keys, which is unnecessary and less efficient than letting Route 53 manage the ZSK. Option C is incorrect because it does not involve migrating the zone to Route 53, and it requires running the dnssec-signzone command manually, which is less efficient than letting Route 53 sign the zone automatically. Verified References: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/
Question 692:
A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log file by using a digital signature. Which solution will meet these requirements?
A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
B. Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.
C. Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets to send their S3 server access logs to the log group.
D. Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type. Explanation: Enabling AWS CloudTrail with log file validation and data events for Amazon S3 provides object-level logging for S3 buckets and ensures log file integrity through digital signatures. CloudTrail data events capture detailed records of object-level activity, such as read and write operations, in S3 buckets. By enabling log file validation, CloudTrail adds a digital signature to each log file, allowing you to verify its integrity.
Question 693:
You have set up a set of applications across two VPCs. You have also set up VPC peering. The applications are still not able to communicate across the peering connection. Which network troubleshooting step should be taken to resolve the issue?
A. Ensure the applications are hosted in a public subnet.
B. Check to see if the VPC has an Internet gateway attached.
C. Check to see if the VPC has a NAT gateway attached.
D. Check the route tables for the VPCs.
D. Check the route tables for the VPCs. After the VPC peering connection is established, you need to ensure that the route tables are modified so that traffic can flow between the VPCs. Options A, B and C are invalid because an Internet gateway and the use of public subnets can help with Internet access, but not with VPC peering. For more information on VPC peering routing, please visit the below URL: com/AmazonVPC/latest/Peeri The correct answer is: Check the route tables for the VPCs.
Question 694:
A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.
Which solution will meet this requirement in the MOST operationally efficient way?
A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.
C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.
B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. To evaluate configuration changes to a specific AWS resource and ensure that it meets compliance standards, the security engineer should use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes. This will allow the security engineer to view the current state of the resource and its compliance status, as well as its configuration history and timeline. AWS Config records configuration changes as ConfigurationItems, which are point-in-time snapshots of the resource's attributes, relationships, and metadata. If multiple configuration changes occur within a short period of time, AWS Config records only the latest ConfigurationItem for that resource. This indicates the cumulative impact of the set of changes on the resource's configuration. This solution will meet the requirement in the most operationally efficient way, as it leverages AWS Config's features to monitor, record, and evaluate resource configurations without requiring additional tools or services. The other options are incorrect because they either do not record the latest configuration in case of multiple configuration changes (A, C), or do not use a valid service for evaluating resource configurations (D). Verified References: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html https://docs.aws.amazon.com/config/latest/developerguide/config-item-table.html
Question 695:
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below.
A. Configure the CloudTrail service in each AWS account, and have the logs delivered to an S3 bucket in each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary AWS account that can assume a read-only role in the secondary AWS accounts.
B. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
C. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single S3 bucket in the primary account and grant the auditor access to that single bucket in the primary account.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single S3 bucket in the primary account and grant the auditor access to that single bucket in the primary account. Given the current requirements, assume the method of "least privilege" security design and allow the auditor access to the minimum amount of AWS resources possible. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting. Option A is incorrect since the auditor should only be granted access in one location. Option B is incorrect since consolidated billing is not a key requirement as part of the question. Option C is incorrect since there is no consolidated logging feature. For more information on CloudTrail, please refer to the below URL: https://aws.amazon.com/cloudtrail/ The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single S3 bucket in the primary account and grant the auditor access to that single bucket in the primary account.
Question 696:
An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.
Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?
A. The IAM policy needs to allow the kms:DescribeKey permission.
B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key. The possible reason that the IAM user cannot access the objects in the S3 bucket is D. This answer is correct because the KMS key policy is the primary way to control access to the KMS key, and it must explicitly allow the AWS account to have full access to the key. If the KMS key policy has been edited to remove this permission, then the IAM policy that grants the kms:Decrypt permission to the IAM user has no effect, and the IAM user cannot decrypt the objects in the S3 bucket [1][2]. The other options are incorrect because: A. The IAM policy does not need to allow the kms:DescribeKey permission, because this permission is not required for decrypting objects in S3 using SSE-KMS. The kms:DescribeKey permission allows getting information about a KMS key, such as its creation date, description, and key state [3]. B. The S3 bucket has not been changed to use the AWS managed key to encrypt objects at rest, because this would not cause an Access Denied message for the IAM user. The AWS managed key is a default KMS key that is created and managed by AWS for each AWS account and Region. The IAM user does not need any permissions on this key to use it for SSE-KMS [4]. C. An S3 bucket policy does not need to be added to allow the IAM user to access the objects, because the IAM user already has s3:List* and s3:Get* permissions for the S3 bucket and its objects through an IAM policy. An S3 bucket policy is an optional way to grant cross-account access or public access to an S3 bucket [5]. References: [1] Key policies in AWS KMS. [2] Using server-side encryption with AWS KMS keys (SSE-KMS). [3] AWS KMS API Permissions Reference. [4] Using server-side encryption with Amazon S3 managed keys (SSE-S3). [5] Bucket policy examples.
Question 697:
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
A. Create a custom authorization service using AWS Lambda.
B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
D. Configure an Amazon Cognito identity pool to integrate with social login providers.
E. Update DynamoDB to store the user email addresses and passwords.
F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Question 698:
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
Question 699:
A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account.
The security team wants to use Amazon Detective. However, the security team cannot enable Detective and is unsure why.
What must the security team do to enable Detective?
A. Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie.
B. Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization.
C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
D. Ensure that the principal that launches Detective has the organizations:ListAccounts permission.
D. Ensure that the principal that launches Detective has the organizations:ListAccounts permission.
Question 700:
A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues:
1. The Lambda function has internet access.
2. The relational database is publicly accessible.
3. The database credentials are not stored in an encrypted state.
Which combination of steps should the company take to resolve these security issues? (Select THREE)
A. Disable public access to the RDS database inside the VPC.
B. Move all the Lambda functions inside the VPC.
C. Edit the IAM role used by Lambda to restrict internet access.
D. Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
E. Edit the IAM role used by RDS to restrict internet access.
F. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
A. Disable public access to the RDS database inside the VPC.
B. Move all the Lambda functions inside the VPC.
E. Edit the IAM role used by RDS to restrict internet access.
Nowadays, certification exams are becoming more important and are required by more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.