Amazon SCS-C02 Practice Test - Questions Answers, Page 3


You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?

Please select:

A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer

Suggested answer: A

Explanation:

By disabling SSL termination, you are leaving an insecure connection from the ELB to the back-end instances. This means that part of the data transit is not being encrypted.

Option B is incorrect because this would not guarantee complete encryption of data in transit.

Options C and D are incorrect because these would not guarantee encryption.

For more information on SSL listeners for your load balancer, please visit the below URL:

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html

The correct answer is: Use S3 SSE and use SSL for data in transit


There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?

Please select:

A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
C. Add a rule to all of the VPC Security Groups to deny access from the IP address block.
D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.

Suggested answer: B

Explanation:

A NACL acts as a firewall at the subnet level of the VPC, so the offending IP address block can be denied at the subnet level using NACL rules that block the incoming traffic to the VPC instances. Since NACL rules are evaluated in order of rule number, make sure that this deny rule's number takes precedence over any other rule that would allow traffic from these IP ranges: the lowest rule number has precedence over a rule with a higher number.

The AWS documentation mentions the following as a best practice for IAM users:

For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

Option C is invalid because these options are not available.

Option D is invalid because there is no root access for users.

For more information on IAM best practices, please visit the below URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.


A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption

Suggested answer: B

Explanation:

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.

Option A is invalid because there is no lifecycle policy for EBS volumes.

Option C is invalid because there is no EBS volume replication.

Option D is invalid because EBS volume encryption will not ensure business continuity.

For information on security for Compute Resources, please visit the below URL:

https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.

The application must:

* Include migration to a different AWS Region in the application disaster recovery plan.

* Provide a full audit trail of encryption key administration events.

* Allow only company administrators to administer keys.

* Protect data at rest using application layer encryption.

A Security Engineer is evaluating options for encryption key management.

Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.

Suggested answer: B

Explanation:

CloudHSM allows full control of your keys, including symmetric (AES), asymmetric (RSA), SHA-256, SHA-512, hash-based, and digital signature (RSA) operations. On the other hand, AWS Key Management Service is a multi-tenant key storage that is owned and managed by AWS.

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred.

What should the Security Engineer do to accomplish this?

A. Filter AWS CloudTrail logs for KeyRotation events
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Suggested answer: C

Explanation:

The aws kms get-key-rotation-status command returns a boolean value that indicates whether automatic rotation of the customer master key (CMK) is enabled. This command also shows the date and time when the CMK was last rotated. The other options are not valid ways to check the CMK rotation status.

A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs.

Which AWS services should be used to meet these requirements? (Select TWO)

A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR

Suggested answer: B, D

Explanation:

Amazon Kinesis and Amazon Elasticsearch are both suitable for forensic-logging solutions. Amazon Kinesis can collect, process, and analyze streaming data in real time. Amazon Elasticsearch can store, search, and analyze log data using the popular open-source tool Elasticsearch. The other options are not designed for forensic-logging purposes: Amazon Athena is a query service that can analyze data in S3, Amazon SQS is a message queue service that can decouple and scale microservices, and Amazon EMR is a big data platform that can run Apache Spark and Hadoop clusters.

Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A. On a recurring basis, update IAM user policies to require that EC2 instances are created with an encrypted volume
B. Configure an AWS Config rule to run on a recurring basis for volume encryption
C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule
D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Suggested answer: B

Explanation:

To support answer B, use the reference https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

'For example, AWS Config provides managed AWS Config Rules to ensure that encryption is turned on for all EBS volumes in your account.'

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.

Which of the following will allow the Security Engineer to complete the task?

A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Suggested answer: C

Explanation:

Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL. You can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed access key and the date range. The other options are not effective ways to review the use of the exposed access key.

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.

What would be the MOST efficient way to achieve these goals?

A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
D. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window

Suggested answer: B

Explanation:

Amazon EC2 Systems Manager is a service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems. You can use Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows. The other options are either inefficient or not feasible for achieving the goals.

A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on the EC2 instances that need to be monitored.

Which additional steps should the Security Engineer take to meet this requirement?

A. Configure the Amazon Inspector agent to use the CVE rule package
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from AWS Inspector by writing a custom resource policy
C. Configure the Security Hub agent to use the CVE rule package. Configure AWS Inspector to ingest from Security Hub by writing a custom resource policy
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub

Suggested answer: D

Explanation:

You need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilities and exposures on your EC2 instances. You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security Hub. Security Hub is a service that provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. The other options are either incorrect or incomplete for meeting the requirement.
