Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 731:
A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?
Please select:
A. Use Amazon QuickSight and CloudTrail to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.
B. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
C. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.
D. Use Trusted Advisor to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
B. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.

Explanation: Patch Manager covers both halves of the requirement. A Scan operation produces the compliance report (which managed instances are missing approved patches), and an Install operation remediates exactly those instances, whether they are EC2 instances or on-premises servers registered as managed instances. The AWS documentation states: AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.

Option A is invalid because Amazon QuickSight and CloudTrail have no view of the patches installed on a host and cannot produce the list of non-compliant servers. Option C is wrong because redeploying from a fresh AMI would disrupt the applications hosted on these servers, and it is not possible at all for the on-premises servers. Option D is invalid because Trusted Advisor does not report patch compliance.

For more information on Patch Manager, see https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
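The report-then-remediate flow the answer describes, as an added example (this is illustrative code written for this page, not from the exam provider or AWS). It works on a constructed dict shaped like the boto3 `ssm.describe_instance_patch_states()` response, so it runs offline; the instance IDs, patch groups and the `MaxConcurrency`/`MaxErrors` values are assumptions. In production you would feed it the real paged response and pass the returned kwargs to `ssm.send_command()`.

```python
"""Build the daily non-compliance report from Patch Manager instance patch
states and the Run Command request that patches only the non-compliant hosts.

boto3 is deliberately not imported: SAMPLE_PATCH_STATES is a constructed
sample with the same field names as DescribeInstancePatchStates returns.
"""

SAMPLE_PATCH_STATES = {
    "InstancePatchStates": [
        {"InstanceId": "i-0aaa111", "PatchGroup": "web", "MissingCount": 0,
         "FailedCount": 0, "InstalledPendingRebootCount": 0, "Operation": "Scan"},
        {"InstanceId": "i-0bbb222", "PatchGroup": "web", "MissingCount": 3,
         "FailedCount": 0, "InstalledPendingRebootCount": 0, "Operation": "Scan"},
        # "mi-" prefix: an on-premises server registered as a managed instance
        {"InstanceId": "mi-0ccc333", "PatchGroup": "db", "MissingCount": 0,
         "FailedCount": 1, "InstalledPendingRebootCount": 0, "Operation": "Install"},
        {"InstanceId": "i-0ddd444", "PatchGroup": "db", "MissingCount": 0,
         "FailedCount": 0, "InstalledPendingRebootCount": 2, "Operation": "Install"},
    ]
}


def non_compliant(patch_states: dict) -> list[dict]:
    """One report row per instance that is not fully patched.

    A host is out of compliance if a patch is still missing, if an install
    attempt failed, or if an installed patch still waits on a reboot (the fix
    is not effective until the host reboots, so the CISO report must show it).
    """
    rows = []
    for state in patch_states["InstancePatchStates"]:
        reasons = []
        if state.get("MissingCount", 0) > 0:
            reasons.append(f"{state['MissingCount']} missing")
        if state.get("FailedCount", 0) > 0:
            reasons.append(f"{state['FailedCount']} failed")
        if state.get("InstalledPendingRebootCount", 0) > 0:
            reasons.append(f"{state['InstalledPendingRebootCount']} pending reboot")
        if reasons:
            rows.append({"InstanceId": state["InstanceId"],
                         "PatchGroup": state.get("PatchGroup", ""),
                         "Reason": ", ".join(reasons)})
    return rows


def install_request(report: list[dict]) -> dict:
    """kwargs for ssm.send_command() that remediate the report.

    AWS-RunPatchBaseline with Operation=Install installs every approved patch
    that is missing and reboots only if a patch requires it; the same document
    with Operation=Scan is what produced the report. Only the non-compliant
    instance IDs are targeted, so compliant hosts are left untouched.
    MaxConcurrency/MaxErrors are assumed fleet-safety values.
    """
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": [row["InstanceId"] for row in report],
        "Parameters": {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
        "MaxConcurrency": "10%",
        "MaxErrors": "5",
    }


if __name__ == "__main__":
    report = non_compliant(SAMPLE_PATCH_STATES)
    for row in report:
        print(f"{row['InstanceId']:<12} {row['PatchGroup']:<6} {row['Reason']}")
    print(install_request(report))
```

`send_command` accepts at most 50 instance IDs per call, so for a fleet of thousands you would batch the list or target by the `Patch Group` tag (`Targets=[{"Key": "tag:Patch Group", "Values": [...]}]`); a State Manager association running the same document on a schedule is the usual way to keep the 24-hour promise without a daily script.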
Question 732:
An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds, it would switch back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances.
The IAM user policy is as follows:
What additional items need to be added to the IAM user policy? (Choose two.)
A. kms:GenerateDataKey
B. kms:Decrypt
C. kms:CreateGrant
D. "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}
E. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
C. kms:CreateGrant
E. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}

Explanation/Reference: The EBS volumes are encrypted under a customer managed key. When the instance starts, EC2 does not decrypt the volumes with the user's own credentials; it calls kms:CreateGrant on the user's behalf so that EC2, an AWS resource, can use the key for the attached volume. The start fails at "Pending" because the user's policy does not include that action. The user policy therefore needs kms:CreateGrant on the key, and the kms:GrantIsForAWSResource condition limits that permission to grants created by an AWS service such as EC2, so the user cannot hand out grants on the key to arbitrary principals. Option D is a distractor: kms:ViaService is a string condition, not a Bool, and a condition on its own adds no permission. How key policies and grants work is explained at https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
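A policy-as-code check for the situation in this question, as an added example (written for this page, not the exam provider's or AWS's code): it lints an IAM identity policy for the KMS side of starting an instance with EBS volumes encrypted under a customer managed key. The key ARN and the before/after policy documents are constructed; Deny statements, NotAction and other condition keys are not modelled.

```python
"""Lint an IAM identity policy for what EC2 needs on the KMS side when it
starts an instance whose EBS volumes are encrypted under a customer managed key.

EC2 calls kms:CreateGrant on the caller's behalf, so the caller needs that
action on the key, fenced with kms:GrantIsForAWSResource so grants can only be
created for an AWS service's use. All identifiers below are constructed.
"""
import fnmatch
import json

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# The kind of policy the question describes: full EC2, nothing on the key.
BEFORE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}""")

# The minimal addition that makes the start succeed (options C and E).
EBS_KMS_STATEMENT = {
    "Sid": "AllowEc2ToUseKeyOnMyBehalf",
    "Effect": "Allow",
    "Action": ["kms:CreateGrant"],
    "Resource": KEY_ARN,
    "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
}

AFTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": BEFORE_POLICY["Statement"] + [EBS_KMS_STATEMENT],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    """IAM-style wildcard match: case-insensitive, '*' and '?' honoured."""
    return any(fnmatch.fnmatch(target.lower(), p.lower()) for p in _as_list(patterns))


def lint_ebs_kms_access(policy: dict, key_arn: str) -> list[str]:
    """Return findings; an empty list means the policy has what the start needs."""
    findings = []
    grant_stmts = [
        s for s in policy["Statement"]
        if s.get("Effect") == "Allow"
        and _matches(s.get("Action", []), "kms:CreateGrant")
        and _matches(s.get("Resource", []), key_arn)
    ]
    if not grant_stmts:
        findings.append(f"no Allow statement grants kms:CreateGrant on {key_arn}")
        return findings
    for s in grant_stmts:
        cond = s.get("Condition", {}).get("Bool", {})
        # Accept the JSON boolean true and the string "true"; IAM allows both.
        if str(cond.get("kms:GrantIsForAWSResource", "")).lower() != "true":
            findings.append(
                f"statement {s.get('Sid', '<no Sid>')} allows kms:CreateGrant without "
                "Condition Bool kms:GrantIsForAWSResource=true "
                "(the user could create grants for any grantee)"
            )
    return findings


if __name__ == "__main__":
    print("before:", lint_ebs_kms_access(BEFORE_POLICY, KEY_ARN))
    print("after: ", lint_ebs_kms_access(AFTER_POLICY, KEY_ARN))
```

Run against the "before" policy it reports the missing grant permission that explains the Pending-to-Stopped loop; against the "after" policy it is clean. A broad `kms:*` statement without the condition passes the first check but is flagged by the second, which is the least-privilege point behind option E.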
Question 733:
You need a cloud security device that allows you to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose?
A. AWS KMS
B. AWS Customer Keys
C. AWS managed keys
D. AWS CloudHSM
A. AWS KMS
D. AWS CloudHSM

AWS Key Management Service (KMS) uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys. All master keys in AWS KMS, regardless of their creation date or origin, are automatically protected using FIPS 140-2 validated HSMs.

FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application.
- FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
- FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
- FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
- FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.

AWS CloudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from AWS. You interact with keys in your AWS CloudHSM cluster similar to the way you interact with your applications running in Amazon EC2. AWS KMS allows you to create and control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console. The service uses a FIPS 140-2 validated HSM to protect the security of your keys.

Centralized management of all your keys in AWS KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them. At the time this explanation was written, AWS KMS HSMs were validated at Level 2 overall and at Level 3 in the following areas:
- Cryptographic Module Specification
- Roles, Services, and Authentication
- Physical Security
- Design Assurance
So I think that we can have 2 answers for this question. Both A and D.
- https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/
- https://aws.amazon.com/cloudhsm/faqs/
- https://aws.amazon.com/kms/faqs/
- https://en.wikipedia.org/wiki/FIPS_140-2

AWS KMS HSMs have since been validated at FIPS 140-2 Level 3 overall, so the distinction between the two options on validation level alone has narrowed; when the exact level matters for an audit, check the current CMVP certificate referenced from the KMS FAQ rather than relying on the figures above.

The AWS documentation mentions the following: AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially-available HSMs. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.

Options B and C are invalid: "customer keys" and "AWS managed keys" are key types held inside KMS, not a device you can point to for a validation level, and AWS CloudHSM is the service whose single-tenant HSMs are validated at FIPS 140-2 Level 3 outright. For more information on CloudHSM, please visit https://aws.amazon.com/cloudhsm/

The correct answers are: AWS KMS, AWS CloudHSM
Question 734:
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)
A. Verify that the S3 bucket policy allows CloudTrail to write objects.
B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
D. Verify that the S3 bucket defined in CloudTrail exists.
E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
A. Verify that the S3 bucket policy allows CloudTrail to write objects.
D. Verify that the S3 bucket defined in CloudTrail exists.

CloudTrail delivers to S3 with its own service principal (cloudtrail.amazonaws.com), so the two things that must hold are that the configured bucket still exists and that its bucket policy grants that principal s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix (with the bucket-owner-full-control ACL condition). The IAM role in option B is only used for delivery to CloudWatch Logs, not to S3; lifecycle rules (option C) act on objects after they are delivered and cannot block a write; and CloudTrail creates the log file prefix itself, so option E is not a prerequisite. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
Question 735:
A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts.
The company's security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.
Which factors could cause this issue? (Select TWO.)
A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.
B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.
D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.
E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.
B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

Explanation: Two things change when per-account trails are replaced by an Organizations trail. First, the trail writes under a new prefix, AWSLogs/<organization-id>/<member-account-id>/, so a bucket policy written for the old AWSLogs/<account-id>/ paths must be extended to allow CloudTrail's service principal s3:PutObject on the new path (option D). Second, with SSE-KMS CloudTrail encrypts each log file by calling kms:GenerateDataKey on the key; it never calls kms:Encrypt or kms:Decrypt itself, so the key policy must grant kms:GenerateDataKey* to cloudtrail.amazonaws.com, normally conditioned on kms:EncryptionContext:aws:cloudtrail:arn (option B, not option A). CloudTrail delivers to S3 and uses the KMS key as a service principal rather than through an IAM role in the account, so options C and E describe a role that plays no part in log delivery; the role configured on a trail is only used to send events to CloudWatch Logs. kms:Decrypt on the key is needed by whoever reads the logs, not by CloudTrail. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html
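The delivery prerequisites from this question and the previous one (bucket policy for both account and Organizations trail paths, plus the key policy for SSE-KMS), as one added example written for this page rather than taken from the exam provider or AWS. The account ID, organization ID, bucket name and policy documents are constructed; Deny statements and Condition blocks are not evaluated, so this is a precondition check, not a full policy simulator.

```python
"""Check the two policies CloudTrail depends on for S3 delivery with SSE-KMS,
for a single-account trail and for an Organizations trail.

CloudTrail writes as the service principal cloudtrail.amazonaws.com, so it needs
  * bucket policy: s3:GetBucketAcl on the bucket and s3:PutObject on the prefix
    it writes to (AWSLogs/<account-id>/... for an account trail,
    AWSLogs/<org-id>/<member-account-id>/... for an Organizations trail);
  * key policy: kms:GenerateDataKey* (CloudTrail never calls Encrypt/Decrypt).
All identifiers and policies below are constructed.
"""
import fnmatch

ACCOUNT_ID = "111122223333"
ORG_ID = "o-exampleorgid"
BUCKET = "arn:aws:s3:::central-cloudtrail-logs"
CLOUDTRAIL = "cloudtrail.amazonaws.com"

# Bucket policy written for the old per-account trails only.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:GetBucketAcl", "Resource": BUCKET},
    {"Sid": "AccountWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": f"{BUCKET}/AWSLogs/{ACCOUNT_ID}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}
# Key policy that only lets the account administer the key.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"},
]}

# The statements that fix delivery for the Organizations trail (options D and B).
ORG_WRITE_STATEMENT = {
    "Sid": "OrgWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
    "Action": "s3:PutObject", "Resource": f"{BUCKET}/AWSLogs/{ORG_ID}/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
CLOUDTRAIL_KEY_STATEMENT = {
    "Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
    "Principal": {"Service": CLOUDTRAIL}, "Action": "kms:GenerateDataKey*", "Resource": "*",
    "Condition": {"StringLike": {
        "kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"}}}
FIXED_BUCKET_POLICY = {"Version": "2012-10-17",
                       "Statement": BUCKET_POLICY["Statement"] + [ORG_WRITE_STATEMENT]}
FIXED_KEY_POLICY = {"Version": "2012-10-17",
                    "Statement": KEY_POLICY["Statement"] + [CLOUDTRAIL_KEY_STATEMENT]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _service_allows(policy, service, action, resource):
    """True if an Allow statement for `service` covers `action` on `resource`
    (wildcards in Action/Resource honoured; Deny and Condition not modelled)."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service not in services and principal != "*":
            continue
        if not any(fnmatch.fnmatch(action.lower(), a.lower()) for a in _as_list(s.get("Action", []))):
            continue
        if any(fnmatch.fnmatch(resource, r) for r in _as_list(s.get("Resource", []))):
            return True
    return False


def cloudtrail_delivery_findings(bucket_policy, key_policy, bucket_arn, log_owner_id):
    """`log_owner_id` is the account ID for an account trail or the o-... ID for
    an Organizations trail; the prefix CloudTrail writes to differs accordingly."""
    findings = []
    if not _service_allows(bucket_policy, CLOUDTRAIL, "s3:GetBucketAcl", bucket_arn):
        findings.append("bucket policy: CloudTrail lacks s3:GetBucketAcl on the bucket")
    prefix = (f"AWSLogs/{log_owner_id}/{ACCOUNT_ID}" if log_owner_id.startswith("o-")
              else f"AWSLogs/{log_owner_id}")
    sample_object = f"{bucket_arn}/{prefix}/CloudTrail/us-east-1/2024/01/01/x.json.gz"
    if not _service_allows(bucket_policy, CLOUDTRAIL, "s3:PutObject", sample_object):
        findings.append(f"bucket policy: CloudTrail lacks s3:PutObject under AWSLogs/{log_owner_id}/")
    if not _service_allows(key_policy, CLOUDTRAIL, "kms:GenerateDataKey", "*"):
        findings.append("key policy: CloudTrail lacks kms:GenerateDataKey* on the key")
    return findings


if __name__ == "__main__":
    print("org trail, old policies:", cloudtrail_delivery_findings(BUCKET_POLICY, KEY_POLICY, BUCKET, ORG_ID))
    print("org trail, fixed:       ", cloudtrail_delivery_findings(FIXED_BUCKET_POLICY, FIXED_KEY_POLICY, BUCKET, ORG_ID))
```

With the old policies the Organizations trail fails on both counts the answer names; an account trail against the same bucket fails only on the key side, which matches the question's observation that the per-account trails had been delivering before SSE-KMS was turned on.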
Question 736:
A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:
The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?
A. Move the account to a new OU and deny IAM:* permissions.
B. Add a Deny policy for all non-S3 services at the account level.
C. Change the policy to:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }
D. Detach the default FullAWSAccess SCP
D. Detach the default FullAWSAccess SCP

Explanation: An SCP containing only Allow statements takes nothing away while the default FullAWSAccess SCP (Allow on "*") is still attached at the same level. The permitted set at that level is everything any attached SCP allows minus anything an attached SCP denies, so the IAM calls remain inside the ceiling and show up in CloudTrail. Detaching FullAWSAccess leaves the S3-only SCP as the sole ceiling for that OU. As the Organizations documentation puts it: every root, OU, and account must have at least one SCP attached. If you want to replace the default FullAWSAccess policy with an SCP that limits the permissions that can be delegated, you must attach the replacement SCP before you can remove the default SCP. This is the authorization strategy of an "allow list". If you instead attach a second SCP and leave the FullAWSAccess SCP still attached, and specify "Effect": "Deny" in the second SCP to override the "Effect": "Allow" in the FullAWSAccess policy (or any other attached SCP), you're using the authorization strategy of a "deny list". https://docs.aws.amazon.com/organizations/latest/APIReference/API_DetachPolicy.html
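The allow-list versus deny-list behaviour described above, as an added example written for this page (not the exam provider's or AWS's code). It is a deliberately small model of how the SCPs attached at one level combine; conditions, resource ARNs and inheritance from root through OU to account are not modelled, and the policy documents are constructed.

```python
"""Minimal model of how the SCPs attached at one Organizations level combine.

SCPs never grant permissions; they set the ceiling. An action is inside the
ceiling if at least one attached SCP has an Allow statement matching it and
no attached SCP has a Deny matching it. Policies below are constructed.
"""
import fnmatch

FULL_AWS_ACCESS = {  # the default SCP that Organizations attaches everywhere
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

ALLOW_S3_ONLY = {  # the engineer's intended ceiling (allow-list strategy)
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

DENY_NON_S3 = {  # the deny-list alternative if FullAWSAccess must stay attached
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllButS3", "Effect": "Deny", "NotAction": "s3:*", "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statement_applies(stmt, action):
    """Does this statement speak about `action`? Action and NotAction both supported."""
    if "Action" in stmt:
        return any(fnmatch.fnmatch(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatch(action.lower(), a.lower()) for a in _as_list(stmt["NotAction"]))
    return False


def scp_permits(attached_scps, action):
    """True if `action` is within the ceiling set by the attached SCPs."""
    allowed = denied = False
    for scp in attached_scps:
        for stmt in scp["Statement"]:
            if not _statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Allow":
                allowed = True
            elif stmt["Effect"] == "Deny":
                denied = True
    return allowed and not denied


def ceiling_report(attached_scps, actions):
    return {a: scp_permits(attached_scps, a) for a in actions}


if __name__ == "__main__":
    probes = ["s3:GetObject", "iam:CreateUser", "ec2:RunInstances"]
    print("day 1 (FullAWSAccess + AllowS3):", ceiling_report([FULL_AWS_ACCESS, ALLOW_S3_ONLY], probes))
    print("option D (AllowS3 only):        ", ceiling_report([ALLOW_S3_ONLY], probes))
    print("deny-list alternative:          ", ceiling_report([FULL_AWS_ACCESS, DENY_NON_S3], probes))
```

The first line of output reproduces the symptom (iam:CreateUser still permitted with both SCPs attached); the second shows the effect of detaching FullAWSAccess; the third shows that a Deny-based SCP achieves the same ceiling without detaching the default, at the cost of having to enumerate what is forbidden.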
Question 737:
An audit reveals that a company has multiple applications that are susceptible to SQL injection attacks.
The company wants a formal penetration testing program as soon as possible to identify future risks in applications that are deployed on AWS.
The company's legal department is concerned that such testing might create AWS abuse notifications and violate the AWS Acceptable Use policy.
The company must ensure compliance in these areas.
Which testing procedures are allowed on AWS as part of a penetration testing strategy? (Select TWO.)
A. Port scanning inside the company's VPC
B. Brute force test of the Amazon S3 bucket namespace
C. Use of a SQL injection tool on the company's web application against an Amazon RDS for PostgreSQL DB instance
D. Packet flooding of the company's web application
E. DNS zone walking through Amazon Route 53 hosted zones
A. Port scanning inside the company's VPC
C. Use of a SQL injection tool on the company's web application against an Amazon RDS for PostgreSQL DB instance

Explanation: The AWS penetration testing policy lets customers test their own resources on services such as Amazon EC2 and Amazon RDS, and their own applications, without prior approval, which covers port scanning inside the company's VPC and SQL injection testing of the company's web application and database. It prohibits denial-of-service style activity (packet, protocol and request flooding, option D) and DNS zone walking via Route 53 hosted zones (option E), and option B targets the S3 bucket namespace shared by all customers rather than the company's own resources.
Question 738:
A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.
When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.
A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.
Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)
A. In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
B. In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
C. In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
D. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.
E. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.
C. In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
E. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

To allow cross-account access to a KMS key, the key policy of the KMS key must grant permission to the external account or principal, and the IAM policy of the external account or principal must delegate the key policy permission. In this case, the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key must allow access to the IAM role of the new Lambda function in the development account (option E), and the IAM role of the new Lambda function in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates an IAM role for the new Lambda function in the security account, not in the development account. Option B is incorrect because it attaches a key policy to an IAM role, which is not valid. Option D is incorrect because it allows access to the IAM role of the new Lambda function in the security account, not in the development account.

Verified References:
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
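The two-sided authorization check this answer rests on, as an added example written for this page (not the exam provider's or AWS's code). It models the rules the KMS documentation states: a key policy can name a principal directly or delegate to an account's IAM policies by naming the account root; inside the key's own account a direct key-policy grant is enough; across accounts the key policy and the caller's IAM policy must both allow. Account IDs, role names and policies are constructed, and conditions, grants, SCPs and Deny statements are left out.

```python
"""Model of who may use a KMS key, given its key policy and the caller's IAM policy.

Rules modelled:
  * only the key policy can grant use of the key; a statement names a principal
    directly or names an account root, which delegates to that account's IAM;
  * same account: allowed if named directly, or named via root AND IAM allows;
  * other account: allowed only if named (directly or via root) AND IAM allows.
All identifiers and policies are constructed.
"""
import fnmatch

SECURITY_ACCOUNT = "111122223333"
DEV_ACCOUNT = "444455556666"
KEY_ARN = f"arn:aws:kms:us-east-1:{SECURITY_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OLD_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/old-lambda-role"
NEW_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/new-lambda-role"
SEC_ROLE = f"arn:aws:iam::{SECURITY_ACCOUNT}:role/key-operator"
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]

# Key policy as the developer found it: the security account administers the
# key and the old function's role was added explicitly; the new role is absent.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "OldLambda", "Effect": "Allow", "Principal": {"AWS": OLD_ROLE},
     "Action": USE_ACTIONS, "Resource": "*"},
]}
# Option E: the key policy extended to the new function's role.
FIXED_KEY_POLICY = {"Version": "2012-10-17", "Statement": KEY_POLICY["Statement"] + [
    {"Sid": "NewLambda", "Effect": "Allow", "Principal": {"AWS": NEW_ROLE},
     "Action": USE_ACTIONS, "Resource": "*"}]}
# Option C: an IAM policy on the development-account role naming the remote key.
USE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": USE_ACTIONS, "Resource": KEY_ARN}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(patterns, value):
    return any(fnmatch.fnmatch(value.lower(), p.lower()) for p in _as_list(patterns))


def _account_of(arn):
    return arn.split(":")[4]


def _key_policy_names(key_policy, principal_arn, action):
    """'direct' if a statement names the principal, 'root' if it names the
    principal's account root (delegation to IAM), None if neither."""
    root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    result = None
    for s in key_policy["Statement"]:
        if s.get("Effect") != "Allow" or not _match(s.get("Action", []), action):
            continue
        principal = s.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn in principals:
            return "direct"
        if root in principals or _account_of(principal_arn) in principals:
            result = "root"
    return result


def _iam_allows(iam_policy, action, key_arn):
    return any(s.get("Effect") == "Allow" and _match(s.get("Action", []), action)
               and _match(s.get("Resource", []), key_arn) for s in iam_policy["Statement"])


def can_use_key(key_arn, key_policy, principal_arn, iam_policy, action):
    via = _key_policy_names(key_policy, principal_arn, action)
    if via is None:
        return False  # key policy never reaches this principal or its account
    same_account = _account_of(principal_arn) == _account_of(key_arn)
    if same_account and via == "direct":
        return True   # inside the key's account a direct key-policy grant suffices
    return _iam_allows(iam_policy, action, key_arn)  # delegated or cross-account: IAM must agree


if __name__ == "__main__":
    for label, kp, role, ip in [("old function", KEY_POLICY, OLD_ROLE, USE_KEY_POLICY),
                                ("new function, before", KEY_POLICY, NEW_ROLE, EMPTY_POLICY),
                                ("new function, C only", KEY_POLICY, NEW_ROLE, USE_KEY_POLICY),
                                ("new function, E only", FIXED_KEY_POLICY, NEW_ROLE, EMPTY_POLICY),
                                ("new function, C + E", FIXED_KEY_POLICY, NEW_ROLE, USE_KEY_POLICY)]:
        print(f"{label:<22} kms:Encrypt -> {can_use_key(KEY_ARN, kp, role, ip, 'kms:Encrypt')}")
```

The runs labelled "C only" and "E only" are the point of the question: each half on its own still yields access denied, and only the combination lets the new function encrypt, while the old function keeps working throughout because both of its halves were already in place.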
Question 739:
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.

The ALB's authenticate-cognito listener action completes the login before a request is forwarded to the instance, so the application stays unchanged, and the user pool federates to ADFS over SAML so only employees can sign in. Restrict the instance's security group to the ALB so the application cannot be reached directly. From https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html:
- Authenticate users through social IdPs, such as Amazon, Facebook, or Google, through the user pools supported by Amazon Cognito.
- Authenticate users through corporate identities, using SAML, LDAP, or Microsoft AD, through the user pools supported by Amazon Cognito.
Question 740:
You are trying to use the AWS Systems Manager Run Command on a set of instances, but the command is not executing on those instances. What can you do to diagnose the issue? Choose 2 answers from the options given.
A. Ensure that the SSM agent is running on the target machine
B. Check the /var/log/amazon/ssm/errors.log file
C. Ensure the right AMI is used for the instance
D. Ensure the security groups allow outbound communication for the instance
A. Ensure that the SSM agent is running on the target machine
B. Check the /var/log/amazon/ssm/errors.log file

The AWS documentation mentions the following: If you experience problems executing commands using Run Command, there might be a problem with the SSM Agent. Use the following information to help you troubleshoot the agent.

View Agent Logs: The SSM Agent logs information in the following files. The information in these files can help you troubleshoot problems.
On Windows:
%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
%PROGRAMDATA%\Amazon\SSM\Logs\error.log
The default filename of the seelog is seelog-xml.template. If you modify a seelog, you must rename the file to seelog.xml.
On Linux:
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log

Option C is invalid because the AMI has nothing to do with the issue: the agent that executes Run Command documents runs on a wide variety of AMIs and is preinstalled on several AWS-provided ones. Option D is not the first place to look: the agent reaches the Systems Manager endpoints over outbound HTTPS (port 443), and the default security group allows all outbound traffic, so security groups only matter if someone has tightened the outbound rules, and the agent status and its logs will reveal that case too. For more information on troubleshooting Run Command, see https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html

The correct answers are: Ensure that the SSM agent is running on the target machine. Check the /var/log/amazon/ssm/errors.log file.