Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details

Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 761:
A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials.
The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.
Which solution will meet the requirements?
A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
B. Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
C. Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
D. Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS.
Answer: A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
Explanation: Option A meets the requirement to follow security best practices while configuring sensitive database credentials in the CloudFormation template. A dynamic reference is a way to specify, inside a stack template, external values that are stored and managed in other services such as Secrets Manager. When a template uses a dynamic reference, CloudFormation retrieves the value of the referenced secret when it is needed during stack and change set operations. Dynamic references can be used for resources that support them, such as AWS::RDS::DBInstance. By using a dynamic reference to the database credentials in Secrets Manager, the company uses the existing integration between the two services and avoids hardcoding secret material in the template. Secrets Manager is a service that helps you protect the secrets needed to access your applications, services, and IT resources; it lets you rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
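The following CloudFormation template is an added illustration of the dynamic-reference approach from option A; it is not part of the practice question and is not AWS's own sample. It assumes an existing Secrets Manager secret whose SecretString is a JSON object with "username" and "password" keys, and an existing DB subnet group; both are passed in as parameters so no credential ever appears in the template.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the page): an RDS instance whose master credentials
  are resolved from an existing Secrets Manager secret at deploy time.
Parameters:
  DbSecretId:
    Type: String
    Description: >-
      Assumption: the name or ARN of an existing Secrets Manager secret whose
      SecretString is a JSON object with "username" and "password" keys.
  DbSubnetGroupName:
    Type: String
    Description: "Assumption: an existing DB subnet group in the target VPC."
Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      DBSubnetGroupName: !Ref DbSubnetGroupName
      PubliclyAccessible: false
      # Encryption at rest with the account's AWS-managed RDS key (set KmsKeyId to use a customer managed key).
      StorageEncrypted: true
      # Dynamic references: CloudFormation reads these values from Secrets Manager
      # during the stack operation, so the credentials are never stored in the
      # template, in the stack parameters, or in the CloudFormation console.
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecretId}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecretId}:SecretString:password}}"
```

The `{{resolve:secretsmanager:...}}` form is the syntax the explanation refers to: the segments are the secret id, the literal `SecretString`, and the JSON key to extract. The deploying principal needs `secretsmanager:GetSecretValue` on that secret (and `kms:Decrypt` on its key if a customer managed key is used), which is the only place the permission to read the credentials has to exist.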
Question 762:
A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications.
EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitoring the Kubernetes-based applications.
Which solution will cause GuardDuty to monitor the Kubernetes-based applications?
A. Enable VPC flow logs for the VPC that hosts the EKS clusters.
B. Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.
C. Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.
D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.
Answer: D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.
Explanation: Amazon GuardDuty's EKS Protection relies on Amazon EKS control plane logs to monitor Kubernetes activity and detect potential security threats. Enabling control plane logging (for example, API server logs) in EKS and sending those logs to Amazon CloudWatch allows GuardDuty to analyze the Kubernetes activity, making it possible to detect threats in the EKS clusters.
Question 763:
You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
B. Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.
C. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
Answer: A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Explanation: You can optionally secure the content in your Amazon S3 bucket so that users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but it is recommended. To require that users access your content through CloudFront URLs, you perform the following tasks: create a special CloudFront user called an origin access identity; give the origin access identity permission to read the objects in your bucket; and remove permission for anyone else to use Amazon S3 URLs to read the objects. Options B, C and D are all invalid, because the right way is to create an Origin Access Identity (OAI) for CloudFront and grant access accordingly. For more information on serving private content via CloudFront, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
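The three tasks listed in the explanation (create an OAI, let it read the bucket, and deny everyone else direct S3 access) can be expressed in a single CloudFormation template. The template below is an added example written for this page, not an AWS sample; resource names are hypothetical and the bucket name is left for CloudFormation to generate.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the page): an S3 bucket that is readable only through
  a CloudFront distribution, using an origin access identity (OAI).
Resources:
  VideoBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Block every form of public access so the S3 URL cannot be used directly.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  TrainingVideoOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: OAI that CloudFront uses to fetch the training videos

  VideoBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref VideoBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The only principal allowed to read objects is the OAI's canonical user;
          # no statement grants anything to the public or to other accounts.
          - Sid: AllowCloudFrontOAIReadOnly
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt TrainingVideoOAI.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Sub "${VideoBucket.Arn}/*"

  VideoDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Distribution for confidential training videos (hypothetical)
        Origins:
          - Id: VideoS3Origin
            DomainName: !GetAtt VideoBucket.RegionalDomainName
            S3OriginConfig:
              # Associates the distribution with the OAI so origin requests are signed as that identity.
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${TrainingVideoOAI}"
        DefaultCacheBehavior:
          TargetOriginId: VideoS3Origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
```

With this in place a request to the S3 URL of an object fails with Access Denied, while the same object is served through the CloudFront domain. Restricting who may use the CloudFront URL (the signed-URL step the explanation mentions) is a separate configuration on the cache behavior and is not included here.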
Question 764:
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
A. Add a statement to the IAM policy used by the application to allow logs:PutLogEvents and logs:CreateLogStream.
B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
C. Add a statement to the IAM policy used by the application to allow cloudwatch:PutMetricData.
D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
Answer: C. Add a statement to the IAM policy used by the application to allow cloudwatch:PutMetricData.
Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-reference-cw.html
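As an added example (not taken from the page or from AWS documentation), the least-permissive grant from option C looks like this when written as a CloudFormation role for an application running on EC2. The role name, the EC2 trust relationship and the metric namespace are assumptions; the namespace condition goes one step beyond the question by limiting the grant to the application's own custom namespace.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the page): a least-privilege role for an application
  that only needs to publish custom CloudWatch metrics.
Parameters:
  MetricNamespace:
    Type: String
    Default: MyApp/Custom
    Description: "Assumption: the custom namespace the application publishes metrics under."
Resources:
  MetricsPublisherRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Assumption: the application runs on EC2 and picks the role up via an instance profile.
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutCustomMetricsOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: PublishCustomMetrics
                Effect: Allow
                Action: cloudwatch:PutMetricData
                # PutMetricData does not support resource-level permissions, so "*" is required;
                # the condition narrows the grant to the application's own namespace instead.
                Resource: "*"
                Condition:
                  StringEquals:
                    cloudwatch:namespace: !Ref MetricNamespace

  MetricsPublisherInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref MetricsPublisherRole
```

Compared with option B, this role cannot read, delete or modify any CloudWatch data; compared with option A, it grants nothing to CloudWatch Logs, which custom metrics do not use. A PutMetricData call with any other namespace is denied by the condition.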
Question 765:
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?
A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows.
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
D. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window.
Answer: B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows.
Question 766:
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
Block traffic from documented known bad IP addresses.
Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?
A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow-listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances to block the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
Answer: D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances to block the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
Question 767:
A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.
Which combination of steps will meet this requirement? (Choose two.)
A. Stop the instance. Detach the root volume. Generate a new key pair.
B. Keep the instance running. Detach the root volume. Generate a new key pair.
C. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.
D. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.
E. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.
Answer: A and C.
A. Stop the instance. Detach the root volume. Generate a new key pair.
C. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.
Explanation: If you lose the private key for an EBS-backed instance, you can regain access to the instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance.
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#replacing-lost-key-pai
Question 768:
A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration of the existing EKS deployment.
Which solution will meet these requirements with the LEAST operational effort?
A. Install an Amazon EKS add-on from a security vendor.
B. Enable AWS Security Hub. Monitor the Kubernetes findings.
C. Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS.
D. Enable Amazon GuardDuty. Use EKS Audit Log Monitoring.
Answer: D. Enable Amazon GuardDuty. Use EKS Audit Log Monitoring.
Explanation: Amazon GuardDuty is a managed threat detection service that provides security monitoring and threat detection for AWS environments, including Amazon EKS. GuardDuty recently introduced EKS Audit Log Monitoring, which automatically detects suspicious activity and potential security threats (including unauthenticated access attempts) within EKS clusters. This solution requires no changes to the existing EKS deployment and offers built-in detection capabilities with minimal operational overhead.
Question 769:
A company runs workloads that are spread across hundreds of Amazon EC2 instances. During a recent security incident, an EC2 instance was compromised and ran malware code until the company manually terminated the instance.
The company is now using Amazon GuardDuty to detect malware on EC2 instances. A security engineer needs to implement a solution that automates a response when GuardDuty determines that an instance is infected. The solution must mitigate the incident and must comply with the AWS Well-Architected Framework guidance for incident response.
Which solution will meet these requirements?
A. Configure AWS Systems Manager Run Command to run when a GuardDuty scan determines that an instance is infected. Use Run Command to remove all network adapters from the operating system of the infected instance. Use Run Command to also add a tag of "Infected" to the instance.
B. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to delete all elastic network interfaces that are associated with the instance. Program the Lambda function to also add a tag of "Infected" to the instance.
C. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to detach all Amazon Elastic Block Store (Amazon EBS) volumes from the instance. Program the Lambda function to also add a tag of "Infected" to the EBS volumes and to terminate the instance afterward.
D. Define a separate VPC to isolate EC2 instances. Define a security group that does not allow any network traffic. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to move the instance into the separate VPC and to assign the security group to the instance.
Answer: D. Define a separate VPC to isolate EC2 instances. Define a security group that does not allow any network traffic. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to move the instance into the separate VPC and to assign the security group to the instance.
Explanation: In accordance with the AWS Well-Architected Framework guidance for incident response, isolating a compromised instance to prevent further damage is a recommended practice. By moving the instance to a separate VPC with a restrictive security group that blocks all network traffic, the Lambda function effectively isolates the infected instance. This approach mitigates the incident by ensuring the instance can no longer communicate with other resources, preventing further spread or damage.
Question 770:
Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB?
A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table.
B. Encrypt the DynamoDB table using KMS during its creation.
C. Encrypt the table using AWS KMS after it is created.
D. Use S3 buckets to encrypt the data before sending it to DynamoDB.
Answer: B. Encrypt the DynamoDB table using KMS during its creation.
Explanation: The easiest option is to enable encryption when the DynamoDB table is created. The AWS documentation mentions the following: Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data. Option A is partially correct: you can use the AWS SDK to encrypt the data, but the easier option is to encrypt the table beforehand. Option C is invalid because you cannot encrypt the table after it is created. Option D is invalid because encryption for S3 buckets applies to the objects in S3 only. For more information on securing data at rest for DynamoDB, refer to: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.