
Amazon SCS-C02 Practice Test - Questions Answers, Page 5

Question 41

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.

What should the Security Engineer do to meet these requirements?

A) Configure Amazon Macie to continuously check the configuration of all S3 buckets.
B) Enable IAM Config to check the configuration of each S3 bucket.
C) Set up IAM Systems Manager to monitor S3 bucket policies for public write access.
D) Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Suggested answer: C

Explanation:

Option C is correct because this solution can monitor each S3 bucket for unrestricted public write access and uses IAM managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.

asked 16/09/2024 by Matthew Hillson

Question 42

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events to an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.

The Logging team reported that the Amazon CloudWatch metrics for the number of messages sent or received are showing zero. No logs are being received.

What should the Security Engineer do to troubleshoot this issue?

A) Add the following statement to the IAM managed CMKs:

[Image: policy statement for option A; not reproduced in text]

B) Add the following statement to the CMK key policy:

[Image: policy statement for option B; not reproduced in text]

C) Add the following statement to the CMK key policy:

[Image: policy statement for option C; not reproduced in text]

D) Add the following statement to the CMK key policy:

[Image: policy statement for option D; not reproduced in text]

Suggested answer: D
asked 16/09/2024 by Danyail Storey

Question 43

Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

A) Use the containers to automate security deployments.
B) Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
C) Segregate containers by host, function, and data classification.
D) Use Docker Notary framework to sign task definitions.
E) Enable container breakout at the host kernel.

Suggested answer: A, C

Explanation:

Options A and C are the strategies that can reduce the attack surface and enhance the security of the containers. Containers are a method of packaging and running applications in isolated environments. Using containers to automate security deployments can help ensure that security patches and updates are applied consistently and quickly across the container fleet. Segregating containers by host, function, and data classification can help limit the impact of a compromise and enforce the principle of least privilege. The other options are either irrelevant or risky for securing containers.

asked 16/09/2024 by Rajeev Parameswaran

Question 44

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO.)

A) Turn on IAM CloudTrail in each IAM account.
B) Turn on CloudTrail in only the account that will be storing the logs.
C) Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
D) Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
E) Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.

Suggested answer: A, E

Explanation:

Options A and E are the steps that can meet the requirements in the most secure manner. CloudTrail is a service that records AWS API calls and delivers log files to an S3 bucket. Turning on CloudTrail in each IAM account captures all IAM API calls made within those accounts. Updating the bucket policy of the bucket in the account that will be storing the logs grants other accounts permission to write log files to that bucket. The other options are either unnecessary or insecure for logging and analyzing IAM API calls.

asked 16/09/2024 by Gabriel Pereira Dias

Question 45

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections.

Which is the SIMPLEST change that would address this server issue?

A) Create an Amazon CloudFront distribution and configure the ALB as the origin.
B) Block the malicious IPs with a network access list (NACL).
C) Create an IAM Web Application Firewall (WAF) and attach it to the ALB.
D) Map the application domain name to use Route 53.

Suggested answer: A

Explanation:

Option A is the simplest change that can address the server issue. CloudFront is a service that provides a global network of edge locations that cache and deliver web content. Creating a CloudFront distribution and configuring the ALB as the origin reduces the load on the Tomcat server by serving cached content to the end users. CloudFront can also provide protection against distributed denial-of-service (DDoS) attacks by filtering malicious traffic at the edge locations. The other options are either ineffective or complex for solving the server issue.

asked 16/09/2024 by Jaques Rautenbach

Question 46

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO.)

A) There is no API operation to retrieve an S3 object in its encrypted form.
B) Encryption of S3 objects is performed within the secure boundary of the KMS service.
C) S3 uses KMS to generate a unique data key for each individual object.
D) Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
E) The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.

Suggested answer: C, E

Explanation:

Options C and E are correct because these are the features that can address the CISO's concerns about cryptographic wear-out and blast radius. Cryptographic wear-out is a phenomenon that occurs when a key is used too frequently or for too long, which increases the risk of compromise or degradation. Blast radius is a measure of how much damage a compromised key can cause to the encrypted data. S3 uses KMS to generate a unique data key for each individual object, which reduces both cryptographic wear-out and blast radius. The KMS encryption envelope digitally signs the master key during encryption, which prevents cryptographic wear-out by ensuring that only authorized parties can use the master key. The other options are either incorrect or irrelevant for addressing the CISO's concerns.

asked 16/09/2024 by Areeluck Parnsoonthorn

Question 47

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.

To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

A) An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
B) An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
C) An HTTPS listener that uses the latest IAM predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
D) A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Suggested answer: B

Explanation:

Option B is a way to configure a Classic Load Balancer with perfect forward secrecy cipher suites. Perfect forward secrecy is a property of encryption protocols that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. Cipher suites are sets of algorithms that determine how encryption is performed. A custom security policy is a set of cipher suites and protocols that you can select for your load balancer to support. An HTTPS listener is a process that checks for connection requests using the encrypted SSL/TLS protocol. By using an HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites, you can ensure that your Classic Load Balancer meets the requirements. The other options are either invalid or insufficient for configuring a Classic Load Balancer with perfect forward secrecy cipher suites.

asked 16/09/2024 by Opeyemi Alabi

Question 48

A company has two IAM accounts within IAM Organizations. In Account-1, Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2, Amazon EBS volumes are encrypted with an IAM KMS key. A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes.

Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

A) Allow Account-1 to access the KMS key in Account-2 using a key policy.
B) Attach an IAM policy to the service-linked role in Account-1 that allows these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
C) Create a KMS grant for the service-linked role with these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
D) Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.
E) Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Suggested answer: C, D

Explanation:

Options C and D are correct because these are the steps that can ensure that the service-linked role can launch instances with encrypted volumes. A service-linked role is a type of IAM role that is linked to an AWS service and allows the service to perform actions on your behalf. A KMS grant is a mechanism that allows you to delegate permissions to use a customer master key (CMK) to a principal such as a service-linked role. A KMS grant specifies the actions that the principal can perform, such as encrypting and decrypting data. By creating a KMS grant for the service-linked role with the specified actions, you allow the service-linked role to use the CMK in Account-2 to launch instances with encrypted volumes. By attaching an IAM policy to the role attached to the EC2 instances with KMS actions and then allowing Account-1 in the KMS key policy, you also enable cross-account access to the CMK and allow the EC2 instances to use the encrypted volumes. The other options are either incorrect or unnecessary for meeting the requirement.

asked 16/09/2024 by Matthew Montgomery

Question 49

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on by the Amazon CloudWatch Logs agent.

Why were there no alerts on the sudo commands?

A) There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
B) The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
C) CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs.
D) The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Suggested answer: B

Explanation:

Option B is the reason why there were no alerts on the sudo commands. Sudo commands are commands that allow a user to execute commands as another user, usually the superuser or root. The CloudWatch Logs agent is a software agent that can send log data from an EC2 instance to CloudWatch Logs, a service that monitors and stores log data. The CloudWatch Logs agent needs an IAM instance profile, which is a container for an IAM role that allows applications running on an EC2 instance to make API requests to AWS services. If the IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch, then there would be no alerts on the sudo commands. The other options are either irrelevant or invalid for explaining why there were no alerts on the sudo commands.

asked 16/09/2024 by First Last

Question 50

A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.

Which of the following solutions would provide the MOST scalable solution?

A) Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider.
B) Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
C) Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly.
D) Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.

Suggested answer: B

Explanation:

Option B is the most scalable solution for accessing the IAM infrastructure in a multi-account strategy. A multi-account strategy is a way of organizing your AWS resources into multiple IAM accounts for security, billing, and management purposes. Federation is a process that allows users to access AWS resources using credentials from an external identity provider such as Active Directory or SAML. IAM roles are sets of permissions that grant access to AWS resources. Cross-account roles are IAM roles that allow users in one account to access resources in another account. By using a centralized account with IAM roles that employees can assume through federation with their existing identity provider, you simplify and streamline the access management process. By using cross-account roles to allow the federated users to assume their target role in the resource accounts, you enable granular and flexible access control across multiple accounts. The other options are either less scalable or less secure for accessing the IAM infrastructure in a multi-account strategy.

asked 16/09/2024 by Kofi Amedorme