Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 701:
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?
A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
C. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
Answer: A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
Question 702:
A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company's operations team manages access to the company's S3 buckets. The company's security team manages access to encryption keys.
The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.
Which solution will meet this requirement?
A. Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.
B. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.
C. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.
D. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.
Answer: B. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.
Explanation: Using SSE-KMS with customer managed keys (CMKs) in AWS Key Management Service (AWS KMS) allows the company to separate duties between the operations and security teams effectively. The operations team can enforce bucket policies that require objects to be encrypted with KMS keys, while the security team manages access to the keys through KMS key policies. This setup ensures that the operations team can manage the S3 bucket without access to the encryption keys, and the security team can control access to the keys without managing the bucket directly, fulfilling the company's need for duty separation and reducing the risk of unauthorized access to plaintext data.
Question 703:
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?
A. The ACL in the bucket needs to be updated.
B. The IAM policy does not allow the user to access the bucket.
C. It takes a few minutes for a bucket policy to take effect.
D. The allow permission is being overridden by the deny.
Answer: D. The allow permission is being overridden by the deny.
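The two S3 questions above turn on the same evaluation rule: an explicit Deny in a policy beats every Allow, and a request that matches no Allow is implicitly denied. The following Python model is an added example written for this page, not AWS's evaluation engine or any AWS sample code; it keeps only that rule plus the StringEquals/StringNotEquals conditions the policies below need. All ARNs, the key ID and the team principals are constructed. For Question 703 it shows why the appended Allow changes nothing and what the Deny must look like instead; for Question 702 it shows the operations team's bucket policy rejecting uploads that are not SSE-KMS with the security team's key, and that reading plaintext requires both teams' policies to allow it (the key policy is simplified to its two grants).

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(patterns, value):
    # IAM wildcard matching ("*" and "?"); comparison is case-insensitive in this model
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_ok(stmt, principal):
    allowed = stmt.get("Principal", "*")
    if allowed == "*":
        return True
    return any(_like(arns, principal) for arns in allowed.values())


def _conditions_ok(stmt, ctx):
    # Only the two operators these policies need. As in IAM, StringNotEquals on an
    # absent key is true, so a PutObject with no encryption header still hits the Deny.
    for operator, block in stmt.get("Condition", {}).items():
        for key, expected in block.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            elif operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            elif operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, principal, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    ctx = {"aws:PrincipalArn": principal, **(ctx or {})}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not (_like(stmt["Action"], action) and _like(stmt["Resource"], resource)
                and _principal_ok(stmt, principal) and _conditions_ok(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation; no Allow can override it
        decision = "Allow"
    return decision


# Constructed identifiers for the examples.
BUCKET = "arn:aws:s3:::example-bucket"
EMPLOYEE = "arn:aws:iam::111122223333:user/employee"
OTHER_USER = "arn:aws:iam::111122223333:user/someone-else"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APP_ROLE = "arn:aws:iam::111122223333:role/app"
OPS_TEAM = "arn:aws:iam::111122223333:role/operations-team"
SECURITY_TEAM = "arn:aws:iam::111122223333:role/security-team"

# Question 703: the original "deny everyone" statement with the later Allow appended.
Q703_AS_WRITTEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Allow", "Principal": {"AWS": EMPLOYEE}, "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
]}
# The Deny itself has to exempt the employee; the Allow never overrides it.
Q703_FIXED = {"Version": "2012-10-17", "Statement": [
    {**Q703_AS_WRITTEN["Statement"][0],
     "Condition": {"StringNotEquals": {"aws:PrincipalArn": EMPLOYEE}}},
    Q703_AS_WRITTEN["Statement"][1],
]}

# Question 702: the operations team owns the bucket policy, which refuses any upload that
# is not SSE-KMS with the security team's key; the security team owns the key policy,
# which never names the operations team.
Q702_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
    {"Effect": "Allow", "Principal": {"AWS": [APP_ROLE, OPS_TEAM]},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
]}
Q702_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SECURITY_TEAM}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}


def put_decision(principal, headers):
    """Decision for an upload carrying the given x-amz-server-side-encryption headers."""
    return evaluate(Q702_BUCKET_POLICY, "s3:PutObject", BUCKET + "/secret.txt", principal, headers)


def can_read_plaintext(principal):
    """Plaintext needs both teams' controls to agree: S3 must allow the read and KMS the decrypt."""
    s3 = evaluate(Q702_BUCKET_POLICY, "s3:GetObject", BUCKET + "/secret.txt", principal)
    kms = evaluate(Q702_KEY_POLICY, "kms:Decrypt", KEY_ARN, principal)
    return s3 == "Allow" and kms == "Allow"
```

With `Q703_AS_WRITTEN` the employee is denied regardless of the Allow; with `Q703_FIXED` the employee is allowed and everyone else still denied. For Question 702, `can_read_plaintext` is true only for the application role: the operations team passes the bucket policy but not the key policy, and the security team passes the key policy but not the bucket policy, which is the separation of duties the question asks for.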
Question 704:
A company needs to retain data that is stored in Amazon CloudWatch Logs log groups. The company must retain this data for 90 days. The company must receive notification in AWS Security Hub when log group retention is not compliant with this requirement.
Which solution will provide the appropriate notification?
A. Create a Security Hub custom action to assess the log group retention period.
B. Create a data protection policy in CloudWatch Logs to assess the log group retention period.
C. Create a Security Hub automation rule. Configure the automation rule to assess the log group retention period.
D. Use the AWS Config managed rule that assesses the log group retention period. Ensure that AWS Config integration is enabled in Security Hub.
Answer: D. Use the AWS Config managed rule that assesses the log group retention period. Ensure that AWS Config integration is enabled in Security Hub.
Explanation: AWS Config provides managed rules that can assess various configurations, including the retention period of CloudWatch Logs log groups. By enabling the appropriate AWS Config managed rule to check whether the log groups have a retention period of 90 days, the company can automatically monitor compliance with this requirement. Integrating AWS Config with AWS Security Hub allows non-compliant findings to be sent to Security Hub, providing the necessary notifications when the retention period is not compliant.
Question 705:
A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.
A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances. The security engineer also sets up an AWS Security Hub integration with GuardDuty.
The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices for initial response to security incidents and must minimize disruption to the web application.
Which solution will meet these requirements?
A. Create an Amazon EventBridge rule that detects the Behavior:EC2/TrafficVolumeUnusual GuardDuty finding. Configure the rule to invoke an AWS Lambda function to disable the EC2 instance profile access keys.
B. Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Program the Lambda function to disassociate the identified instance from the Auto Scaling group and to isolate the instance by using a new restricted security group.
C. Create a Security Hub automated response that updates the network ACL that is associated with the subnet of the EC2 instances. Configure the response to update the network ACL to deny traffic from the source of detected anomalous traffic.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security engineer's email address to the SNS topic. Configure GuardDuty to send all findings to the SNS topic.
Answer: B. Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Program the Lambda function to disassociate the identified instance from the Auto Scaling group and to isolate the instance by using a new restricted security group.
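The response in the correct option is easy to get wrong in the details (terminating the instance destroys evidence; decrementing desired capacity disrupts the web tier; a fresh security group still has an allow-all egress rule). The Lambda handler below is an added example written for this page, not AWS sample code. It reads the finding fields EventBridge delivers for GuardDuty findings (detail.type and detail.resource.instanceDetails.*), detaches the instance from its Auto Scaling group without lowering desired capacity, and swaps its security groups for a new one with no inbound and no outbound rules. The boto3 methods used (detach_instances, create_security_group, revoke_security_group_egress, modify_instance_attribute) exist with these parameter names; all IDs, the group name, the sample event and the recording client are constructed so the logic can be exercised without AWS credentials.

```python
"""Isolate an EC2 instance flagged by GuardDuty, invoked from an EventBridge rule.

Added example, not AWS code. Clients are injected so the logic runs offline.
"""

ISOLATION_DESCRIPTION = "Incident isolation: no ingress, no egress"


def _instance_details(event):
    detail = event["detail"]
    inst = detail["resource"]["instanceDetails"]
    tags = {t["key"]: t["value"] for t in inst.get("tags", [])}
    return {
        "finding_type": detail["type"],
        "instance_id": inst["instanceId"],
        "vpc_id": inst["networkInterfaces"][0]["vpcId"],
        # the Auto Scaling group stamps this tag on every instance it launches
        "asg_name": tags.get("aws:autoscaling:groupName"),
    }


def isolate_instance(event, ec2, autoscaling):
    """Detach the instance from its Auto Scaling group so a clean replacement launches,
    then replace its security groups with one that allows no traffic at all.
    The instance itself stays running for forensics; nothing is terminated."""
    info = _instance_details(event)
    if not info["finding_type"].startswith("Behavior:EC2/"):
        return {"action": "ignored", "reason": info["finding_type"]}

    # 1. Detach without lowering desired capacity: the group launches a replacement,
    #    so the web application keeps serving while the suspect instance leaves the pool.
    if info["asg_name"]:
        autoscaling.detach_instances(
            InstanceIds=[info["instance_id"]],
            AutoScalingGroupName=info["asg_name"],
            ShouldDecrementDesiredCapacity=False,
        )

    # 2. A new security group has no inbound rules but an allow-all outbound rule;
    #    revoke that so the instance cannot reach out either. In a dual-stack VPC the
    #    ::/0 IPv6 egress rule must be revoked too (assumption here: IPv4-only VPC).
    group_id = ec2.create_security_group(
        GroupName=f"isolation-{info['instance_id']}",
        Description=ISOLATION_DESCRIPTION,
        VpcId=info["vpc_id"],
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=group_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )

    # 3. Replace every group on the instance with the isolation group.
    ec2.modify_instance_attribute(InstanceId=info["instance_id"], Groups=[group_id])
    return {"action": "isolated", "instance_id": info["instance_id"],
            "security_group": group_id, "detached_from": info["asg_name"]}


def lambda_handler(event, context):
    import boto3  # real clients only inside Lambda
    return isolate_instance(event, boto3.client("ec2"), boto3.client("autoscaling"))


class RecordingClient:
    """Stand-in for a boto3 client: records each call and returns a canned response."""

    def __init__(self, responses=None):
        self.calls = []
        self.responses = responses or {}

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return call


SAMPLE_EVENT = {  # constructed GuardDuty finding as EventBridge would deliver it
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Behavior:EC2/TrafficVolumeUnusual",
        "resource": {"instanceDetails": {
            "instanceId": "i-0123456789abcdef0",
            "networkInterfaces": [{"vpcId": "vpc-0abc1234"}],
            "tags": [{"key": "aws:autoscaling:groupName", "value": "web-asg"}],
        }},
    },
}


def run_sample():
    """Run the handler against the constructed event with recording clients."""
    ec2 = RecordingClient({"create_security_group": {"GroupId": "sg-0a1b2c3d4e5f60001"}})
    asg = RecordingClient()
    result = isolate_instance(SAMPLE_EVENT, ec2, asg)
    return result, [name for name, _ in asg.calls + ec2.calls]


if __name__ == "__main__":
    print(run_sample())
```

The handler only acts on Behavior:EC2 findings and returns "ignored" for anything else, so the EventBridge rule can stay broad while the function decides what warrants isolation. The Lambda execution role needs only the four API actions called here; it needs no permission to terminate instances.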
Question 706:
A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions.
What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?
A. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
B. Use an organization in AWS Organizations. Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.
C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.
Answer: C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
Question 707:
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A. Option A
Question 708:
Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Choose two.)
A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
B. Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming.
C. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
D. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
E. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.
Answer: A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified. B. Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming.
Explanation:
Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified. If the file permissions of the monitored files are changed, the CloudWatch Logs agent may no longer be able to read the logs, which would stop log delivery.
Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming. Log rotation could result in the monitored file being renamed or moved, which would disrupt the agent's ability to read and stream logs. Ensuring that the rotation rules are compatible with the CloudWatch Logs agent will help resolve this issue.
These steps address potential file permission changes and log rotation, both of which could cause logging to stop after a certain period of time.
Reference: https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Lm5A3w6_NybQPhh6tRP/Cloudwatch%20Log%20question
Question 709:
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled all features, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?
A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
B. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
Answer: C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
Explanation: A service control policy attached within the organization applies as follows:
1) Attached to the root: applies to all accounts in the organization.
2) Attached to an OU: applies to all accounts in the OU and in any child OUs.
3) Attached to an account: applies to that one account only.
Note that this requires:
- all features are enabled for the organization in AWS Organizations;
- only service control policies (SCPs) are supported.
Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
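Questions 707 and 709 both depend on how SCPs inherit through the organization tree described in the explanation above: a policy attached to the root reaches every account, a policy attached to an OU reaches only the accounts under it, and a request passes only if every level on the path from the account up to the root allows it and no level denies it. The Python model below is an added example written for this page, not AWS's evaluation engine or an AWS sample; it builds a constructed organization and two SCPs of the kind the questions describe. For Question 707 the deny list at the root names only the GuardDuty and Security Hub actions that turn those services off, so every other permission granted in the accounts is untouched; for Question 709 the OU-level policy denies the member account root user (matched with the aws:PrincipalArn condition key against arn:aws:iam::*:root) while the management account, which SCPs never affect, stays usable for billing. Account IDs, OU names and role ARNs are constructed.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(patterns, value):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _applies(stmt, action, ctx):
    # SCPs here use Action plus an optional StringLike condition on the caller's ARN.
    if not _like(stmt["Action"], action):
        return False
    for key, pattern in stmt.get("Condition", {}).get("StringLike", {}).items():
        if not _like(pattern, ctx.get(key, "")):
            return False
    return True


def level_decision(scps, action, ctx):
    """One level of the hierarchy: Deny beats Allow; with no Allow the level denies."""
    decision = "ImplicitDeny"
    for scp in scps:
        for stmt in _as_list(scp["Statement"]):
            if _applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def permitted_by_scps(org, account, action, principal_arn):
    """True only if every level from the account up to the root allows the action.
    SCPs never grant permissions; an IAM policy in the account is still required."""
    if org[account].get("management"):
        return True  # SCPs do not apply to the management account
    ctx = {"aws:PrincipalArn": principal_arn}
    node = account
    while node is not None:
        if level_decision(org[node]["scps"], action, ctx) != "Allow":
            return False
        node = org[node]["parent"]
    return True


FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Question 707: attached at the root, so it reaches every account; it names only the
# actions that disable the two services (UpdateDetector is how a detector is set to
# Enable=false) and leaves every other permission alone.
PROTECT_DETECTION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDisablingGuardDutyAndSecurityHub",
    "Effect": "Deny",
    "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
               "guardduty:DisassociateFromMasterAccount",
               "securityhub:DisableSecurityHub", "securityhub:DisassociateFromMasterAccount"],
    "Resource": "*"}]}

# Question 709: attached to the OU holding the operational accounts; the root user of
# each member account in that OU is denied everything, other principals are untouched.
RESTRICT_ROOT_USER = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyMemberAccountRootUser",
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}

# Constructed organization: root -> {management account, Operational OU -> workload account}.
ORG = {
    "r-root": {"parent": None, "scps": [FULL_AWS_ACCESS, PROTECT_DETECTION]},
    "111111111111": {"parent": "r-root", "scps": [FULL_AWS_ACCESS], "management": True},
    "ou-operational": {"parent": "r-root", "scps": [FULL_AWS_ACCESS, RESTRICT_ROOT_USER]},
    "222222222222": {"parent": "ou-operational", "scps": [FULL_AWS_ACCESS]},
}
WORKLOAD_ADMIN = "arn:aws:iam::222222222222:role/admin"
WORKLOAD_ROOT = "arn:aws:iam::222222222222:root"
```

In the workload account the admin role can still call everything except the five protected actions, while the account's root user is denied everything by the OU policy; the management account is unaffected by either SCP, which is why Question 709 places only the operational accounts in the new OU.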
Question 710:
A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.
The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.
Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Choose two.)
A. Configure a cron job on the instances to forward the log files to Amazon S3 periodically.
B. Configure AWS Glue and Amazon Athena to query the log files.
C. Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.
D. Configure Amazon CloudWatch Logs Insights to query the log files.
E. Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.
Answer: C. Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs. D. Configure Amazon CloudWatch Logs Insights to query the log files.
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers.

Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.