Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 751:
An enterprise wants to use a third-party SaaS application. The SaaS application needs to issue several API commands to discover the Amazon EC2 resources running in the enterprise's account. The enterprise has internal security policies that require any outside access to its environment to follow the principle of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
A. From the IAM Management Console, navigate to the Security Credentials page and retrieve the access key and secret key for your account.
B. Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access key and secret key for the user and provide these credentials to the SaaS provider.
C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
Correct answer: C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
The diagram in the AWS blog post linked below shows how access is given to other accounts for the services in your own account. Options A and B are invalid because you should not hand IAM users or IAM access keys to a third party. Option D is invalid because you need to create a role for cross-account access, not an EC2 instance role. For more information on allowing access to external accounts, see: https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multiple-aws-accounts/
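As an added example (not from the page or from AWS), the two policy documents the correct answer calls for, built and reviewed in Python: a trust policy that lets only the vendor's account assume the role and only when it presents an agreed ExternalId (the AWS control for the "no other third party can use these credentials" requirement, which the page's answer does not name), and a permissions policy limited to the EC2 discovery calls. The vendor account ID, external ID and action list are constructed placeholders.

```python
import json

# Constructed example values, not from the page: the SaaS vendor's AWS account ID and the
# external ID the vendor agrees to present when assuming the role.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-0001"

# Assumed set of discovery calls the SaaS application needs; adjust to the vendor's real list.
REQUIRED_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeVolumes"]


def build_trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only principals in the vendor's account may
    call sts:AssumeRole, and only when they pass the agreed ExternalId. The ExternalId is the
    standard AWS control against the confused-deputy problem: it stops another customer of
    the same vendor from having the vendor assume this role on their behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_permissions_policy(actions: list) -> dict:
    """Permissions policy attached to the role: exactly the listed read-only actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def least_privilege_findings(trust: dict, permissions: dict) -> list:
    """Pre-handover review: returns a list of problems, empty when the role pair is acceptable."""
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any AWS principal assume the role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy has no sts:ExternalId condition")
    for stmt in permissions["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            # Anything beyond EC2 Describe* calls exceeds what resource discovery requires.
            if action == "*" or action.endswith(":*") or not action.startswith("ec2:Describe"):
                findings.append(f"action {action!r} is broader than EC2 discovery")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    perms = build_permissions_policy(REQUIRED_ACTIONS)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", least_privilege_findings(trust, perms))
```

The vendor then receives only the role ARN and the external ID; no long-lived access keys leave the enterprise account, and the temporary credentials obtained through sts:AssumeRole expire on their own.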
Question 752:
A company has multiple AWS accounts that are part of AWS Organizations. The company's security team wants to ensure that even administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets.
How should this be accomplished?
A. Use SCPs.
B. Add a permissions boundary that denies access to Amazon S3 and attach it to all roles.
C. Use an S3 bucket policy.
D. Create a VPC endpoint for Amazon S3 with deny statements for access to Amazon S3.
Correct answer: A. Use SCPs.
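An added example (not part of the page) of the SCP the answer refers to, together with a small evaluator that shows why an SCP binds administrators where a permissions boundary or bucket policy would not: the Deny applies to every principal in the member account regardless of the IAM permissions they hold, with an ArnNotLike exemption for the roles that legitimately need S3 (the exempt role pattern is a constructed placeholder). The evaluator is a simplified model of policy evaluation, not the IAM engine.

```python
import fnmatch


def build_s3_deny_scp(exempt_principal_arns) -> dict:
    """Service control policy that denies every S3 action to all principals in the account
    except those matching the listed ARN patterns (constructed example, e.g. a log-delivery
    role). Attached through AWS Organizations, it caps what even AdministratorAccess can do."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyS3ExceptApprovedRoles",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)}},
            }
        ],
    }


def _matches(pattern: str, value: str) -> bool:
    # IAM action names are case-insensitive and use * as the wildcard; fnmatch is close enough
    # for this model (it also treats ? and [] specially, which real IAM ARN matching does not).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def scp_denies(scp: dict, principal_arn: str, action: str) -> bool:
    """Simplified evaluation of the SCP's Deny statements: a statement applies when the action
    matches and no ArnNotLike exemption matches the calling principal. SCPs never grant
    permissions, so only Deny statements matter here."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(p, action) for p in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if any(fnmatch.fnmatchcase(principal_arn, pat) for pat in exempt):
            continue
        return True
    return False


if __name__ == "__main__":
    scp = build_s3_deny_scp(["arn:aws:iam::*:role/S3LogDelivery*"])
    admin = "arn:aws:iam::123456789012:role/AdministratorAccess"
    print("admin s3:GetObject denied:", scp_denies(scp, admin, "s3:GetObject"))
```

Two caveats a practitioner wants: SCPs do not affect the organization's management account, so the S3 buckets should live in member accounts; and because SCPs filter rather than grant, the exempt roles still need their own IAM permissions to reach the buckets.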
Question 753:
A company runs a web application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB).
The ALB is associated with an AWS WAF web ACL that includes several AWS managed rules in Block mode.
The ALB and the web ACL are configured to send logs to Amazon S3. Additionally, the web application sends requests to a log group in Amazon CloudWatch Logs.
The web ACL is blocking a specific request to the web application.
A security engineer must determine which web ACL rule is blocking the request.
Which solution will provide this information?
A. Use Amazon Athena to query the ALB logs by the request ID of the blocked request.
B. Use Amazon Athena to query the web ACL logs by the request ID of the blocked request.
C. Use CloudWatch Logs Insights to query the application logs by the request ID of the blocked request.
D. Use CloudWatch Logs Insights to query the web ACL logs by the request ID of the blocked request.
Correct answer: B. Use Amazon Athena to query the web ACL logs by the request ID of the blocked request.
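To show what the web ACL log actually contains for a blocked request, here is an added example (not from the page) that parses two constructed AWS WAF log records in the JSON-lines layout WAF delivers to S3 and extracts the blocking rule for a given request ID, which is what the Athena query returns. For a request that a managed rule group blocked, the web ACL's `terminatingRuleId` is the rule group reference and the specific rule sits in `ruleGroupList[].terminatingRule.ruleId`. The Athena query string assumes a table named `waf_logs` created from the WAF log schema; the ACL ARN, IPs and request IDs are made up.

```python
import json

# Constructed sample: two WAF log records, one allowed and one blocked by a managed rule group.
# Only the fields used below are filled in; real records carry many more.
SAMPLE_WAF_LOG = "\n".join(json.dumps(rec) for rec in [
    {
        "timestamp": 1700000000000,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app-acl/EXAMPLEID",
        "action": "ALLOW",
        "terminatingRuleId": "Default_Action",
        "terminatingRuleType": "REGULAR",
        "ruleGroupList": [],
        "httpRequest": {"clientIp": "198.51.100.10", "uri": "/index.html", "requestId": "req-0001"},
    },
    {
        "timestamp": 1700000001000,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app-acl/EXAMPLEID",
        "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "ruleGroupList": [
            {
                "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"},
            }
        ],
        "httpRequest": {"clientIp": "203.0.113.5", "uri": "/upload", "requestId": "req-0002"},
    },
])

# Equivalent Athena query (assumes a table `waf_logs` built from the WAF log schema, whose
# column names are lowercased). ALB request IDs appear in httprequest.requestid.
ATHENA_QUERY = """
SELECT from_unixtime(timestamp / 1000) AS ts, action, terminatingruleid,
       terminatingruletype, rulegrouplist
FROM waf_logs
WHERE httprequest.requestid = '{request_id}' AND action = 'BLOCK'
"""


def find_blocking_rule(log_text: str, request_id: str):
    """Return the web ACL rule (and the rule inside a managed group, if any) that blocked
    `request_id`, or None when no BLOCK record carries that request ID."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "BLOCK" or rec["httpRequest"].get("requestId") != request_id:
            continue
        inner_rule = None
        for group in rec.get("ruleGroupList", []):
            term = group.get("terminatingRule")
            if term and term.get("action") == "BLOCK":
                inner_rule = term["ruleId"]
        return {"web_acl_rule": rec["terminatingRuleId"], "rule_group_rule": inner_rule}
    return None


if __name__ == "__main__":
    print(find_blocking_rule(SAMPLE_WAF_LOG, "req-0002"))
    print(ATHENA_QUERY.format(request_id="req-0002"))
```

The ALB access log (option A) records that the request was rejected with the WAF's response but not which rule fired, and the application log (option C) never sees a blocked request at all, which is why only the web ACL log answers the question.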
Question 754:
A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensitive data.
A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.
Which solution will meet these requirements?
A. Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.
B. Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.
C. Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.
D. Use the S3 Intelligent-Tiering storage class for all objects that are uploaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.
Correct answer: B. Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.
Question 755:
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?
A. email.us-east-1.amazonaws.com over port 8080
B. email-pop3.us-east-1.amazonaws.com over port 995
C. email-smtp.us-east-1.amazonaws.com over port 587
D. email-imap.us-east-1.amazonaws.com over port 993
Correct answer: C. email-smtp.us-east-1.amazonaws.com over port 587. See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
Question 756:
A company uses identity federation to authenticate users into an identity account (987654321987), where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:
What should be done to enable the user to assume the appropriate role in the target account?
A. Option A
B. Option B
C. Option C
D. Option D
Correct answer: B. Option B
Question 757:
A company plans to create Amazon S3 buckets to store log data. All the S3 buckets will have versioning enabled and will use the S3 Standard storage class.
A security engineer needs to implement a solution that protects objects in the S3 buckets from deletion for 90 days. The solution must ensure that no object can be deleted during this time period, even by an administrator or the AWS account root user.
Which solution will meet these requirements?
A. Enable S3 Object Lock in governance mode. Set a legal hold of 90 days.
B. Enable S3 Object Lock in governance mode. Set a retention period of 90 days.
C. Enable S3 Object Lock in compliance mode. Set a retention period of 90 days.
D. Create an S3 Glacier Vault Lock policy that prevents deletion for 90 days.
Correct answer: C. Enable S3 Object Lock in compliance mode. Set a retention period of 90 days.
The key requirement is that no object can be deleted for 90 days, even by an administrator or the root user. To achieve this level of immutability, S3 Object Lock in compliance mode must be used, with a retention period of 90 days. Compliance mode ensures that no user, including the root user, can delete the objects during the retention period, which is the highest level of protection against deletion that S3 offers.
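The difference between the two Object Lock modes is easiest to see as a decision table, so here is an added example (not from the page) in Python: a helper that produces the arguments for the real boto3 `put_object_retention` call with a 90-day period, and two small functions that model S3's documented rules for deleting or shortening a locked object version in each mode. The model is a simplification of the documented behaviour, not S3's implementation; bucket and key names are constructed.

```python
from datetime import datetime, timedelta, timezone

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"


def retention_kwargs(bucket: str, key: str, mode: str, days: int, now: datetime = None) -> dict:
    """Keyword arguments for boto3's `put_object_retention` (a real S3 API) that place a
    retention period on one object version. S3 stores an absolute RetainUntilDate, so the
    90-day requirement is converted here; a bucket default retention rule does the same for
    every new object. Object Lock requires versioning and must be enabled on the bucket."""
    if mode not in (COMPLIANCE, GOVERNANCE):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    now = now or datetime.now(timezone.utc)
    return {
        "Bucket": bucket,
        "Key": key,
        "Retention": {"Mode": mode, "RetainUntilDate": now + timedelta(days=days)},
    }


def deletion_allowed(mode: str, retain_until: datetime, now: datetime,
                     has_bypass_permission: bool = False) -> bool:
    """Model of S3's rule for deleting a locked object version. In GOVERNANCE mode a caller
    holding s3:BypassGovernanceRetention, which an administrator or the root user can grant
    themselves, may delete early. In COMPLIANCE mode nobody can, root included, until the
    retain-until date has passed."""
    if now >= retain_until:
        return True
    if mode == GOVERNANCE:
        return has_bypass_permission
    return False


def retention_change_allowed(mode: str, current_until: datetime, new_until: datetime,
                             has_bypass_permission: bool = False) -> bool:
    """Whether a retention period may be changed. Extending is always allowed; shortening
    needs the bypass permission in GOVERNANCE mode and is impossible in COMPLIANCE mode."""
    if new_until >= current_until:
        return True
    return mode == GOVERNANCE and has_bypass_permission


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    kwargs = retention_kwargs("log-archive-bucket", "2024/01/app.log", COMPLIANCE, 90, now=start)
    print(kwargs)
    print("admin with bypass, day 30, compliance:",
          deletion_allowed(COMPLIANCE, kwargs["Retention"]["RetainUntilDate"],
                           start + timedelta(days=30), has_bypass_permission=True))
```

This also shows why options A and B fall short: a legal hold has no expiry date at all, and a governance-mode retention period can be lifted by anyone who can grant themselves the bypass permission, which an account administrator or root can.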
Question 758:
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?
A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Correct answer: A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
Explanation/Reference: By default, a private instance has a private IP address but no public IP address. Such instances can communicate with each other but cannot reach the Internet. You can enable Internet access for an instance launched into a nondefault subnet by attaching an Internet gateway to its VPC (if the VPC is not a default VPC) and associating an Elastic IP address with the instance. Alternatively, to allow an instance in your VPC to initiate outbound connections to the Internet while preventing unsolicited inbound connections from the Internet, you can use a network address translation (NAT) instance. NAT maps multiple private IP addresses to a single public IP address. A NAT instance has an Elastic IP address and is connected to the Internet through an Internet gateway. You can connect an instance in a private subnet to the Internet through the NAT instance, which routes traffic from the instance to the Internet gateway and routes any responses back to the instance.
Question 759:
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.
The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?
A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
Correct answer: D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
Explanation/Reference: AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the AWS KMS HSMs unencrypted. See https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
Question 760:
A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently: AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.
Which solution should the company's security specialist recommend?
A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume a random grant token from users and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
Correct answer: D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
When a grant is created in AWS KMS, the CreateGrant operation returns a grant token that can be used immediately in API calls that rely on the new grant. Without the grant token, there can be a delay before the grant is fully available for use, which results in AccessDeniedException errors. By passing the grant token to users and instructing them to include it in their Encrypt requests, they can use the grant immediately without waiting for it to propagate, which eliminates the error.
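An added example (not from the page or from AWS) that reproduces the failure mode and the fix offline. The fake KMS backend is a constructed model of the eventual consistency the explanation describes: a new grant is not seen by the normal authorization path until a few more API calls have gone by, unless the caller presents the grant token. The client class copies the method names and keyword arguments of the real boto3 KMS client (`create_grant`, `encrypt`, `GrantTokens`) so the correct flow reads like production code; key and role ARNs are made up.

```python
class AccessDeniedException(Exception):
    """Stand-in for the botocore exception of the same name (constructed for this example)."""


class FakeKmsBackend:
    """Constructed in-memory model of one KMS key's grants, not the real service. A grant
    becomes visible to the normal authorization path only after `propagation_calls` further
    API calls have been made, which mimics the eventual consistency behind the intermittent
    AccessDeniedException in the question."""

    def __init__(self, propagation_calls: int = 3):
        self.propagation_calls = propagation_calls
        self.grants = {}  # grant token -> grant record
        self.counter = 0

    def add_grant(self, principal: str, operations) -> dict:
        self.counter += 1
        token = f"grant-token-{self.counter}"
        self.grants[token] = {"principal": principal, "ops": set(operations),
                              "pending": self.propagation_calls}
        return {"GrantToken": token, "GrantId": f"grant-id-{self.counter}"}

    def authorized(self, principal: str, operation: str, grant_tokens) -> bool:
        allowed = False
        for token, grant in self.grants.items():
            if grant["pending"] > 0 and token not in grant_tokens:
                grant["pending"] -= 1  # not yet propagated and no token presented: invisible
                continue
            if grant["principal"] == principal and operation in grant["ops"]:
                allowed = True
        return allowed


class FakeKmsClient:
    """Client bound to one caller identity. Method names and keyword arguments follow the
    real boto3 KMS client so the flow below matches what production code would do."""

    def __init__(self, backend: FakeKmsBackend, caller_arn: str):
        self.backend = backend
        self.caller_arn = caller_arn

    def create_grant(self, KeyId, GranteePrincipal, Operations):
        return self.backend.add_grant(GranteePrincipal, Operations)

    def encrypt(self, KeyId, Plaintext, GrantTokens=()):
        if not self.backend.authorized(self.caller_arn, "Encrypt", list(GrantTokens)):
            raise AccessDeniedException("User is not authorized to perform kms:Encrypt")
        return {"KeyId": KeyId, "CiphertextBlob": b"ciphertext(" + bytes(Plaintext) + b")"}


def encrypt_with_new_grant(app_kms, user_kms, key_id, user_arn, payload):
    """Recommended flow (option D): the application creates the grant, hands the GrantToken
    to the user, and the user passes it in Encrypt so the call succeeds immediately."""
    grant = app_kms.create_grant(KeyId=key_id, GranteePrincipal=user_arn, Operations=["Encrypt"])
    return user_kms.encrypt(KeyId=key_id, Plaintext=payload, GrantTokens=[grant["GrantToken"]])


def encrypt_without_token(app_kms, user_kms, key_id, user_arn, payload):
    """The buggy flow: same grant, but the user calls Encrypt without the token."""
    app_kms.create_grant(KeyId=key_id, GranteePrincipal=user_arn, Operations=["Encrypt"])
    return user_kms.encrypt(KeyId=key_id, Plaintext=payload)


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    user_arn = "arn:aws:iam::123456789012:role/PayloadEncryptor"
    backend = FakeKmsBackend()
    app = FakeKmsClient(backend, "arn:aws:iam::123456789012:role/GrantIssuer")
    user = FakeKmsClient(backend, user_arn)
    try:
        encrypt_without_token(app, user, key, user_arn, b"x" * 512)
    except AccessDeniedException as exc:
        print("without token:", exc)
    print("with token:", encrypt_with_new_grant(app, user, key, user_arn, b"x" * 512)["KeyId"])
```

Grant tokens are not secrets in the credential sense, but they are bearer proof that a grant exists, so pass them over the same authenticated channel the application already uses for the user; never log them, and drop them once the grant has propagated.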
Certification exams are becoming more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively, in a short time and with less effort? How do you get an ideal result and find the most reliable resources? Here on Vcedump.com you will find the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation or your Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.