Amazon SCS-C02 Practice Test - Questions Answers, Page 2

Your company has just set up a new central server in a VPC. Other teams, whose servers are in different VPCs in the same Region, need to connect to the central server. Which of the options below is best suited to achieve this requirement?

Please select:

A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
B. Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs.
C. Set up an IPsec tunnel between the central server VPC and each of the teams' VPCs.
D. None of the above options will work.
Suggested answer: A

Explanation:

A VPC peering connection is a networking connection between two VPCs that lets you route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account, within a single Region. Two practical constraints matter for this design: the CIDR blocks of peered VPCs must not overlap, and peering is not transitive, so the central VPC needs one peering connection (with matching route-table entries and security-group rules) per team VPC.

Options B and C are invalid: Direct Connect links an on-premises site to AWS rather than one VPC to another, and an IPsec tunnel between VPCs would need self-managed VPN instances when native peering already does the job.

Option D is invalid because VPC peering is available for exactly this case.

For more information on VPC peering, see:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

The correct answer is: Set up VPC peering between the central server VPC and each of the teams' VPCs.
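Before creating the peerings, a practitioner checks that no two CIDRs overlap and lays out the routes, remembering that peering is not transitive. The following is an added example (not code from the original page or from AWS) that builds such a hub-and-spoke plan; the VPC IDs, CIDRs and peering IDs are constructed, and the resulting plan is meant to be applied with the ec2 create-vpc-peering-connection, accept-vpc-peering-connection and create-route CLI calls, which the example itself does not make.

```python
import ipaddress
from typing import Dict, List, Tuple

Vpc = Tuple[str, str]  # (VPC id, CIDR)

# Constructed sample data: hypothetical VPC IDs and CIDRs, not taken from the page.
HUB_VPC: Vpc = ("vpc-0hub00000000", "10.0.0.0/16")
TEAM_VPCS: List[Vpc] = [
    ("vpc-0teama000000", "10.1.0.0/16"),
    ("vpc-0teamb000000", "10.2.0.0/16"),
    ("vpc-0teamc000000", "10.3.0.0/16"),
]


def check_no_overlap(vpcs: List[Vpc]) -> None:
    """Fail fast if any two CIDRs overlap.

    AWS refuses a peering between overlapping VPCs, and the hub's route table could
    not hold two routes for the same destination anyway, so every pair is checked.
    """
    nets = [(vid, ipaddress.ip_network(cidr, strict=True)) for vid, cidr in vpcs]
    for i, (id_a, net_a) in enumerate(nets):
        for id_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"{id_a} {net_a} overlaps {id_b} {net_b}; peering would be rejected")


def plan_hub_peering(hub: Vpc, spokes: List[Vpc]) -> Dict[str, list]:
    """Build a hub-and-spoke plan: one peering per spoke and the routes each side needs.

    Peering is not transitive: a spoke routed to the hub cannot reach another spoke
    through it, so only hub<->spoke routes are emitted.
    """
    check_no_overlap([hub] + spokes)
    hub_id, hub_cidr = hub
    peerings, routes = [], []
    for spoke_id, spoke_cidr in spokes:
        pcx = f"pcx-{hub_id[4:10]}-{spoke_id[4:10]}"  # hypothetical peering connection id
        peerings.append({"id": pcx, "requester": hub_id, "accepter": spoke_id})
        # Hub route table: reach this spoke via the peering; spoke route table: reach the hub.
        routes.append({"route_table_of": hub_id, "destination": spoke_cidr, "target": pcx})
        routes.append({"route_table_of": spoke_id, "destination": hub_cidr, "target": pcx})
    return {"peerings": peerings, "routes": routes}


def routes_for(plan: Dict[str, list], vpc_id: str) -> List[str]:
    """Destinations a given VPC's route table will carry via peering, sorted."""
    return sorted(r["destination"] for r in plan["routes"] if r["route_table_of"] == vpc_id)


if __name__ == "__main__":
    plan = plan_hub_peering(HUB_VPC, TEAM_VPCS)
    for p in plan["peerings"]:
        print(p)
    print("hub routes:", routes_for(plan, HUB_VPC[0]))
    print("team A routes:", routes_for(plan, TEAM_VPCS[0][0]))
```

Each spoke ends up with exactly one peering route (to the hub) and the hub with one route per spoke; if two teams also need to talk to each other, that is a further peering between them, not something the hub can relay.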

A company needs to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low-latency, highly consistent traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below.

Please select:

A. Provision a Direct Connect connection to an AWS Region using a Direct Connect partner.
B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
C. Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.
D. Create a VPC peering connection between AWS and the customer gateway.
Suggested answer: A

Explanation:

AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using Direct Connect you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than Internet-based connections.

Options B and C are invalid because a VPN tunnel (which is an IPsec tunnel) still rides the public Internet: it encrypts the traffic but does nothing to reduce latency or make it consistent.

Option D is invalid because VPC peering only connects two VPCs; it cannot terminate on a customer gateway.

For more information on AWS Direct Connect, see:

https://aws.amazon.com/directconnect

The correct answer is: Provision a Direct Connect connection to an AWS Region using a Direct Connect partner.

Which of the following bucket policies will ensure that objects uploaded to a bucket called 'demo' are encrypted?

Please select:

A.
B.
C.
D.
Suggested answer: A

Explanation:

A Deny statement on s3:PutObject whose condition is 'StringNotEquals': {'s3:x-amz-server-side-encryption': 'aws:kms'} rejects every upload that does not ask for SSE-KMS, so objects landing in the bucket are always encrypted with a KMS key. A companion Deny statement with a Null condition on the same key rejects uploads that send no encryption header at all.

Options B, C and D are invalid because the policy has to carry the condition on 's3:x-amz-server-side-encryption' with the value 'aws:kms'.

For more information on AWS KMS best practices, see:

https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
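The policy the explanation describes, together with a toy evaluator for its two Deny conditions, as an added example that is not from the original page or from AWS. The bucket name 'demo' comes from the question; the statement IDs, the sample requests, and the evaluator's reading of an absent key (a StringNotEquals condition is treated as not matching when the key is missing, which is why the Null statement is included) are this example's assumptions. Under either reading of AWS's own negated-operator semantics the two-statement policy is safe.

```python
import json
from typing import Dict

BUCKET = "demo"

# Bucket policy implementing the explanation's condition. Statement IDs are this example's choice.
REQUIRE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutObjectWithoutSseKms",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            # Belt and braces: also deny uploads that carry no encryption header at all.
            "Sid": "DenyPutObjectWithoutEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _condition_matches(condition: dict, context: Dict[str, str]) -> bool:
    """Toy evaluation of the two operators the policy uses.

    Assumption made here: StringNotEquals does not match when the key is absent from
    the request context, which is why the separate Null statement is carried.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null:true matches when the key is absent, Null:false when it is present.
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_object_allowed(policy: dict, bucket: str, headers: Dict[str, str]) -> bool:
    """Whether an explicit Deny in the bucket policy blocks a PutObject with these headers.

    Only the Deny side is modelled: the caller is assumed to be otherwise allowed
    (for example by an identity policy); an explicit Deny always wins.
    """
    context: Dict[str, str] = {}
    if "x-amz-server-side-encryption" in headers:  # the request header feeds the condition key
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    resource = f"arn:aws:s3:::{bucket}/any-key"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not resource.startswith(stmt["Resource"].rstrip("*")):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(REQUIRE_SSE_KMS_POLICY, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"}, {"x-amz-server-side-encryption": "aws:kms"}):
        verdict = "allowed" if put_object_allowed(REQUIRE_SSE_KMS_POLICY, BUCKET, hdrs) else "denied"
        print(hdrs, "->", verdict)
```

Apply the policy with aws s3api put-bucket-policy --bucket demo --policy file://policy.json. Bucket default encryption (SSE-KMS) is the complement, not a substitute: it silently encrypts uploads that omit the header, whereas the policy rejects anything that is not explicitly SSE-KMS.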

A company's AWS account contains approximately 300 IAM users. A mandate now requires that 100 of those IAM users be given unlimited privileges to S3. As a system administrator, how can you implement this effectively so that the policy does not have to be applied at the individual user level?

Please select:

A. Create a new role and add each user to the IAM role
B. Use IAM groups: add users, based upon their role, to different groups and apply the policy to the group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID
Suggested answer: B

Explanation:

Option A is incorrect because users are not added to a role; a role is assumed to obtain temporary credentials, not used as a container for users.

Option C is incorrect because attaching one policy to 100 users individually, scripted or not, is exactly the per-user work the question asks you to avoid.

Option D is incorrect because a bucket policy that lists 100 principals is hard to maintain, only covers one bucket, and has to be edited every time a user is added or removed.

An IAM group is used to collectively manage users who need the same set of permissions. With groups it becomes easier to manage permissions: if you change the permissions on the group, the change applies to all users in that group. Even so, "unlimited privileges to S3" should be read as the smallest set of S3 actions those 100 users actually need.

For more information on IAM groups, see:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

The correct answer is: Use IAM groups: add users, based upon their role, to different groups and apply the policy to the group

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?

Please select:

A. Add an IAM managed policy for the user
B. Add a service policy for the user
C. Add an IAM role for the user
D. Add an inline policy for the user
Suggested answer: D

Explanation:

Option A is incorrect here because a managed policy is a standalone, reusable object; when a policy is meant for exactly one user and should be created and deleted with that user, an inline policy is the intended mechanism. Option B is incorrect because there is no such thing as a "service policy" attached to a user.

Option C is invalid because a role is assumed, not attached to a user.

The IAM documentation mentions the following:

An inline policy is a policy that's embedded in a principal entity (a user, group, or role); that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.

Inline policies cannot be shared and count against the entity's policy size limit, so reserve them for this strict one-to-one case and prefer managed policies elsewhere.

For more information on IAM access and inline policies, see:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access

The correct answer is: Add an inline policy for the user

Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?

Please select:

A. A bastion host should be on a private subnet and never a public subnet due to security concerns
B. A bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D. A bastion host should maintain extremely tight security and monitoring as it is available to the public
Suggested answer: C

Explanation:

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. It generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce its attack surface.

In AWS, a bastion host is placed in a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. Because it is reachable from the Internet, its security group should admit SSH or RDP only from known administrator addresses, and its logins should be logged and reviewed.

Options A and B are invalid: the bastion host needs to sit in the public subnet and act as the jump point into the private subnets, not as a perimeter strong point. Option D states a true hardening requirement but does not describe what a bastion host is used for.

For more information on bastion hosts, see:

https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html

The correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.

Your company uses AWS to host its resources. They have the following requirements:

1) Record all API calls and Transitions

2) Help in understanding what resources are there in the account

3) Facility to allow auditing credentials and logins

Which services would suffice the above requirements?

Please select:

A. AWS Inspector, CloudTrail, IAM Credential Reports
B. CloudTrail, IAM Credential Reports, AWS SNS
C. CloudTrail, AWS Config, IAM Credential Reports
D. AWS SQS, IAM Credential Reports, CloudTrail
Suggested answer: C

Explanation:

You can use AWS CloudTrail to get a history of AWS API calls and related events for your account. This history includes calls made with the AWS Management Console, AWS Command Line Interface, AWS SDKs, and other AWS services.

Options A, B and D are invalid because Inspector is a vulnerability assessment service and SNS and SQS are messaging services; none of them records what resources exist in the account. Only the combination of CloudTrail, AWS Config and IAM credential reports covers all three requirements.

For more information on CloudTrail, see:

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

AWS Config is a service that enables you to assess, audit and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This simplifies compliance auditing, security analysis, change management and operational troubleshooting.

For more information on the Config service, see:

https://aws.amazon.com/config/

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the AWS Management Console, the AWS SDKs and command line tools, or the IAM API.

For more information on credential reports, see:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

The correct answer is: CloudTrail, AWS Config, IAM Credential Reports

Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?

Please select:

A. Use a short but complex password on the root account and any administrators.
B. Use AWS IAM Geo-Lock and disallow anyone from logging in except from your city.
C. Use MFA on all users and accounts, especially on the root account.
D. Don't write down or remember the root account password after creating the AWS account.
Suggested answer: C

Explanation:

Multi-factor authentication adds one more layer of security to your AWS account: a stolen password alone is no longer enough to sign in. Even the Security Credentials dashboard lists enabling MFA on the root account as one of its first items.

Option A is invalid because a short password is weak regardless of its complexity; you need a good password policy. Option B is invalid because there is no AWS IAM Geo-Lock feature. Option D is invalid because deliberately losing the root password is not a recommended practice; root credentials should be stored securely and used only when a task requires root.

For more information on MFA, see:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

The correct answer is: Use MFA on all users and accounts, especially on the root account.

Your CTO thinks your AWS account was hacked. What is the only way to know for certain whether there was unauthorized access and what the intruders did, assuming they are very sophisticated AWS engineers doing everything they can to cover their tracks?

Please select:

A. Use CloudTrail log file integrity validation.
B. Use AWS Config SNS subscriptions and process events in real time.
C. Use CloudTrail backed up to Amazon S3 and Glacier.
D. Use AWS Config timeline forensics.
Suggested answer: A

Explanation:

The AWS documentation mentions the following:

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

Options B, C and D are invalid because none of them proves the logs are intact: a copy in S3 or Glacier, or a Config timeline, can be altered or deleted by an attacker with enough privilege, whereas the signed digest chain of log file integrity validation cannot be forged without CloudTrail's private signing key.

For more information on CloudTrail log file validation, see:

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

The correct answer is: Use CloudTrail log file integrity validation.
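To see what "detection" means mechanically, the added example below (not code from the page or from AWS) re-implements the hash and chain checks that validate-logs performs, over a constructed digest: the digest field names follow the documented CloudTrail digest layout, while the bucket, object keys, log content and the placeholder previous-digest signature are made up. Checking the RSA signature over the string-to-sign additionally needs CloudTrail's public key (aws cloudtrail list-public-keys) and is left to the CLI.

```python
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: bucket, object keys, log content and the previous digest's signature
# are made up. Real log and digest files are gzipped JSON; the hashes are over the bytes as
# delivered to S3, which is what the byte strings below stand in for.
BUCKET = "demo-trail"
LOG_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/06/01/123456789012_CloudTrail_us-east-1_20240601T0000Z_a1b2c3.json.gz"
LOG_BYTES = b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"}}]}'
PREV_DIGEST_KEY = "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/05/31/123456789012_CloudTrail-Digest_us-east-1_20240531T230000Z.json.gz"
PREV_DIGEST_BYTES = b'{"digestEndTime":"2024-05-31T23:00:00Z","logFiles":[]}'
DIGEST_KEY = "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/06/01/123456789012_CloudTrail-Digest_us-east-1_20240601T000000Z.json.gz"

DIGEST = {
    "awsAccountId": "123456789012",
    "digestStartTime": "2024-05-31T23:00:00Z",
    "digestEndTime": "2024-06-01T00:00:00Z",
    "digestS3Bucket": BUCKET,
    "digestS3Object": DIGEST_KEY,
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestS3Bucket": BUCKET,
    "previousDigestS3Object": PREV_DIGEST_KEY,
    "previousDigestHashValue": sha256_hex(PREV_DIGEST_BYTES),
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestSignature": "ab" * 256,  # placeholder hex; the real value is RSA over the previous string-to-sign
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": LOG_KEY, "hashValue": sha256_hex(LOG_BYTES), "hashAlgorithm": "SHA-256"},
    ],
}

# What "S3" holds, keyed by object key (constructed).
DELIVERED: Dict[str, bytes] = {LOG_KEY: LOG_BYTES, PREV_DIGEST_KEY: PREV_DIGEST_BYTES}


def verify_digest(digest: dict, objects: Dict[str, bytes]) -> List[str]:
    """Hash every log file the digest lists and re-hash the previous digest.

    Returns the problems found; an empty list means nothing listed was modified or
    deleted. Because each digest commits to the previous one, an attacker who deletes
    or rewrites a log file would have to rewrite every later digest too, which needs
    CloudTrail's private signing key.
    """
    problems = []
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if data is None:
            problems.append(f"missing: {entry['s3Object']}")
        elif sha256_hex(data) != entry["hashValue"]:
            problems.append(f"modified: {entry['s3Object']}")
    prev = objects.get(digest["previousDigestS3Object"])
    if prev is None:
        problems.append("chain broken: previous digest missing")
    elif sha256_hex(prev) != digest["previousDigestHashValue"]:
        problems.append("chain broken: previous digest modified")
    return problems


def string_to_sign(digest: dict, digest_bytes: bytes) -> str:
    """The data CloudTrail signs for a digest, following the documented layout: end time,
    bucket/key of this digest, SHA-256 of its bytes, previous signature. Verifying the
    signature (stored as x-amz-meta-signature on the digest object) needs the public key
    from `aws cloudtrail list-public-keys` and is not done here."""
    return "\n".join([
        digest["digestEndTime"],
        f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
        sha256_hex(digest_bytes),
        digest["previousDigestSignature"],
    ])


if __name__ == "__main__":
    print("clean:", verify_digest(DIGEST, DELIVERED))
    tampered = dict(DELIVERED, **{LOG_KEY: LOG_BYTES.replace(b"Root", b"IAMUser")})
    print("tampered:", verify_digest(DIGEST, tampered))
    print(string_to_sign(DIGEST, json.dumps(DIGEST).encode()))
```

The CLI equivalent over a real trail is aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>, which performs these hash checks and also verifies each digest's RSA signature.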

Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?

Please select:

A. Use the application to rotate the keys every 2 months via the SDK
B. Use a script to query the creation date of the keys. If older than 2 months, create a new access key, update all applications to use it, inactivate the old key and delete it.
C. Delete the user associated with the keys after every 2 months. Then recreate the user again.
D. Delete the IAM role associated with the keys after every 2 months. Then recreate the IAM role again.
Suggested answer: B

Explanation:

You can use the CLI command list-access-keys to get a user's access keys. The command also returns the 'CreateDate' of each key. If the CreateDate is older than 2 months, the key is due for rotation: create a new key, switch every consumer to it, deactivate the old key, confirm nothing still uses it, then delete it.

The list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list.

Option A is incorrect because credential rotation is a maintenance activity that belongs in an operational script, not in the application code that consumes the credentials.

Option C is incorrect because you rotate the keys, not the users themselves; deleting the user also drops its group memberships and policies.

Option D is incorrect because long-lived access keys belong to IAM users, not roles; roles issue temporary credentials and have nothing to rotate this way.

For more information on the CLI command, see:

http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html

The correct answer is: Use a script to query the creation date of the keys. If older than 2 months, create a new access key, update all applications to use it, inactivate the old key and delete it.
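The script the correct answer describes, as an added example (not from the page or from AWS), written against the boto3 IAM client calls list_access_keys, create_access_key, update_access_key and delete_access_key. A constructed in-memory stand-in for the client replaces boto3 so the example runs offline; the user name, key IDs and reference time are made up, and deploy_new_key stands for whatever pushes the new secret to the application's consumers. It also handles the two cases a real rotation trips over: the two-keys-per-user limit and a deployment that fails halfway.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, List

MAX_KEY_AGE = timedelta(days=60)  # "not older than 2 months"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time for the sample


def stale_keys(iam, user: str, now: datetime, max_age: timedelta = MAX_KEY_AGE) -> List[str]:
    """Access key IDs whose CreateDate (as returned by list_access_keys) is older than max_age."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in keys if now - k["CreateDate"] > max_age]


def rotate_key(iam, user: str, old_key_id: str, deploy_new_key: Callable[[str, str], bool],
               delete_old: bool = False) -> str:
    """Create a new key, hand it to every consumer, then deactivate (and optionally delete) the old one.

    deploy_new_key(access_key_id, secret) must return True only once every consumer uses the
    new key; on failure the old key is left active and the unused new key is removed again.
    Deactivating before deleting keeps a way back: an inactive key can be re-activated,
    a deleted one cannot.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= 2:
        # IAM allows at most two access keys per user: make room by removing an inactive leftover.
        for k in existing:
            if k["AccessKeyId"] != old_key_id and k["Status"] == "Inactive":
                iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
                break
        else:
            raise RuntimeError(f"{user} already has two active keys; deactivate one before rotating")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"]):
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key could not be deployed; old key left active")
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return new["AccessKeyId"]


class FakeIAM:
    """Constructed in-memory stand-in for boto3.client('iam'); only the calls used above."""

    def __init__(self, keys):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self._n += 1
        key_id = f"AKIAFAKE{self._n:012d}"  # made-up ID; real IDs also start with AKIA
        self.keys[key_id] = {"UserName": UserName, "AccessKeyId": key_id, "Status": "Active",
                             "CreateDate": datetime.now(timezone.utc)}
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": "constructed-secret", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def sample_client() -> FakeIAM:
    """A user 'dev' with one key created 90 days before NOW (constructed)."""
    return FakeIAM([{"UserName": "dev", "AccessKeyId": "AKIAOLD0000000000001", "Status": "Active",
                     "CreateDate": NOW - timedelta(days=90)}])


if __name__ == "__main__":
    iam = sample_client()  # in production: iam = boto3.client("iam")
    for key_id in stale_keys(iam, "dev", NOW):
        new_id = rotate_key(iam, "dev", key_id, deploy_new_key=lambda k, s: True)
        print(f"rotated {key_id} -> {new_id}")
```

In production leave delete_old off, watch get-access-key-last-used and CloudTrail for a few days after deactivation, and delete the old key only when nothing has tried to use it.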
