ExamGecko
Search Search Login
Home Home / Amazon / SCS-C02

Amazon SCS-C02 Practice Test - Questions Answers, Page 30

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user rst attempts to encrypt using the CMK Which solution should the c0mpany's security specialist recommend'?
A company Is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS How should a security engineer implement this solution''
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key. When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected. A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account. Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)
A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A. A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort. Which solution should the security engineer recommend?
An international company has established a new business entity in South Kore a. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years. A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days. Which solution meets these criteria?
A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivity Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)
A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data. Which approach should the Security Engineer use?
A company purchased a subscription to a third-party cloud security scanning solution that integrates with AWS Security Hub. A security engineer needs to implement a solution that will remediate the findings from the third-party scanning solution automatically. Which solution will meet this requirement?

Question 291

Report
Export
Collapse

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

A.
Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
A.
Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
Answers
B.
Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
B.
Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
Answers
C.
Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
C.
Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
Answers
D.
Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.
D.
Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.
Answers
Suggested answer: C

Explanation:

In an AWS environment where a VPC has no internet access and requires communication with AWS services such as Secrets Manager, the most secure method is to use an interface VPC endpoint (AWS PrivateLink). This allows private connectivity to services like Secrets Manager, enabling AWS Lambda functions and other resources within the VPC to access Secrets Manager without requiring an internet gateway, NAT gateway, or VPN connection. Interface VPC endpoints are powered by AWS PrivateLink, a technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENI) with private IPs in your VPCs. This option is more secure than creating a NAT gateway because it doesn't expose the resources to the internet and adheres to the principle of least privilege by providing direct access to only the required service.

Question 292

Report
Export
Collapse

A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.

Which solution meets these requirements?

A.
Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
A.
Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
Answers
B.
Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
B.
Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
Answers
C.
Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
C.
Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
Answers
D.
Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.
D.
Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.
Answers
Suggested answer: A

Question 293

Report
Export
Collapse

An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides ^ccess to the internet for private subnets through a NAT gateway.

A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services.

What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

A.
Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions thatwill publish logs.
A.
Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions thatwill publish logs.
Answers
B.
Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
B.
Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
Answers
C.
Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that willpublish logs.
C.
Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that willpublish logs.
Answers
D.
Add an interface VPC endpoint to provide a route to CloudWatch Logs.
D.
Add an interface VPC endpoint to provide a route to CloudWatch Logs.
Answers
Suggested answer: C

Explanation:

Adjusting the IAM policy attached to the IAM role used by EC2 instances to include the necessary AWS Logs API actions for publishing logs to CloudWatch Logs addresses the issue. This ensures that the EC2 instances have the required permissions to interact with CloudWatch Logs, facilitating the successful publication of logs from the instances.


Question 294

Report
Export
Collapse

A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its AWS accounts.

The solution must aggregate and normalize events from the following sources:

* The entire organization in Organizations

* All AWS Marketplace offerings that run in the company's AWS accounts

* The company's on-premises systems

Which solution will meet these requirements?

A.
Configure a centralized Amazon S3 bucket for the logs Enable VPC Flow Logs, AWS CloudTrail, and Amazon Route 53 logs in all accounts. Configure all accounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files Use Amazon Athena to query the log data.
A.
Configure a centralized Amazon S3 bucket for the logs Enable VPC Flow Logs, AWS CloudTrail, and Amazon Route 53 logs in all accounts. Configure all accounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files Use Amazon Athena to query the log data.
Answers
B.
Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward the messages to Amazon OpenSearch Service for analysis.
B.
Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward the messages to Amazon OpenSearch Service for analysis.
Answers
C.
Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.
C.
Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.
Answers
D.
Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service to query the centralized S3 bucket for log entries.
D.
Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service to query the centralized S3 bucket for log entries.
Answers
Suggested answer: C

Explanation:

Amazon Security Lake, when configured with a delegated administrator account in AWS Organizations, provides a centralized solution for aggregating, organizing, and prioritizing security data from multiple sources including AWS services, AWS Marketplace solutions, and on-premises systems. By enabling Security Lake for the organization and adding the necessary AWS accounts, the solution centralizes the collection and analysis of log data. This setup leverages the organization's structure to streamline log aggregation and normalization, making it an efficient solution for the specified requirements. The use of Amazon Athena for querying the log data further enhances the ability to analyze and respond to security findings across the organization.

Question 295

Report
Export
Collapse

A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.

A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.

A security engineer must implement a solution that detects EC2 instances ttjat do not have the required software. The solution also must automatically install the software if the software is not present.

Which solution will meet these requirements?

A.
Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
A.
Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
Answers
B.
Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
B.
Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
Answers
C.
Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
C.
Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
Answers
D.
Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
D.
Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
Answers
Suggested answer: C

Explanation:

Utilizing AWS Config with a custom AWS Config rule (ec2-managedinstance-applications-required) enables detection of EC2 instances lacking the required software across all accounts in an organization. By creating an Amazon EventBridge rule that triggers on AWS Config events, and configuring it to invoke an AWS Lambda function, automated actions can be taken to ensure compliance. The Lambda function can leverage AWS Systems Manager Run Command to install the necessary software on non-compliant instances. This approach ensures continuous compliance and automated remediation, aligning with best practices for cloud security and management.

Question 296

Report
Export
Collapse

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

A.
Replace the KSK with a zone-signing key (ZSK).
A.
Replace the KSK with a zone-signing key (ZSK).
Answers
B.
Deactivate and then activate the KSK.
B.
Deactivate and then activate the KSK.
Answers
C.
Create a Delegation Signer (DS) record in the parent hosted zone.
C.
Create a Delegation Signer (DS) record in the parent hosted zone.
Answers
D.
Create a Delegation Signer (DS) record in the subdomain.
D.
Create a Delegation Signer (DS) record in the subdomain.
Answers
Suggested answer: C

Question 297

Report
Export
Collapse

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator.

A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.

Which solution will meet these requirements?

A.
Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.
A.
Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.
Answers
B.
Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.
B.
Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.
Answers
C.
Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.
C.
Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.
Answers
D.
Create an AWS WAF web ACL for the ALB Create a custom rule that allows requests from legitimate user agent strings
D.
Create an AWS WAF web ACL for the ALB Create a custom rule that allows requests from legitimate user agent strings
Answers
Suggested answer: C

Explanation:

To mitigate a credential stuffing attack against a web-based application behind an Application Load Balancer (ALB), creating an AWS WAF web ACL with a custom rule to block requests containing the known malicious user agent string is an effective solution. This approach allows for precise targeting of the attack vector (the user agent string of the device emulator) without impacting legitimate users. AWS WAF provides the capability to inspect HTTP(S) requests and block those that match defined criteria, such as specific strings in the user agent header, thereby preventing malicious requests from reaching the application.

Question 298

Report
Export
Collapse

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.

A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.

Which solution should the security engineer recommend?

A.
Add an aws:MultiFactorAuthPresent condition to therole's permissions policy.
A.
Add an aws:MultiFactorAuthPresent condition to therole's permissions policy.
Answers
B.
Add an aws:MultiFactorAuthPresent condition to therole's trust policy.
B.
Add an aws:MultiFactorAuthPresent condition to therole's trust policy.
Answers
C.
Add an aws:MultiFactorAuthPresent condition to thesession policy.
C.
Add an aws:MultiFactorAuthPresent condition to thesession policy.
Answers
D.
Add an aws:MultiFactorAuthPresent condition to theS3 bucket policies.
D.
Add an aws:MultiFactorAuthPresent condition to theS3 bucket policies.
Answers
Suggested answer: B

Explanation:

To ensure that IAM users in Account B can only assume a role in Account A if they are authenticated with Multi-Factor Authentication (MFA), the recommended solution is to add an aws:MultiFactorAuthPresent condition to the role's trust policy in Account A. The trust policy defines which principals (users, applications, services) can assume the role and under what conditions. By adding the aws:MultiFactorAuthPresent condition, the policy explicitly requires MFA to be present for the assume role action to succeed. This ensures that only authenticated users with MFA can assume the role, enhancing the security posture with minimal operational overhead and without modifying permissions or session policies, which could affect the role's intended capabilities.

Question 299

Report
Export
Collapse

A company wants to receive automated email notifications when AWS access keys from developer AWS accounts are detected on code repository sites.

Which solution will provide the required email notifications?

A.
Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccesslAMUser/lnstanceCredentialExfiltration OutsideAWS findings.
A.
Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccesslAMUser/lnstanceCredentialExfiltration OutsideAWS findings.
Answers
B.
Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.
B.
Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.
Answers
C.
Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category Configure email notifications by using Amazon Simple Notification Service (Amazon SNS).
C.
Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category Configure email notifications by using Amazon Simple Notification Service (Amazon SNS).
Answers
D.
Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console. Configure email notifications from the anomaly detection software.
D.
Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console. Configure email notifications from the anomaly detection software.
Answers
Suggested answer: A

Explanation:

The solution to receiving automated email notifications when AWS access keys are detected on code repository sites is to use Amazon EventBridge with Amazon GuardDuty findings. Specifically, creating an EventBridge rule that targets Amazon GuardDuty findings, particularly the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type, allows for the detection of potential unauthorized use or exposure of AWS credentials. When such a finding is detected, EventBridge can then trigger an action to send a notification via Amazon Simple Notification Service (Amazon SNS). By configuring an SNS topic to send emails, stakeholders can be promptly informed of such security incidents. This approach leverages AWS's native security and monitoring services to provide timely alerts with minimal operational overhead, ensuring that the company can respond quickly to potential security breaches involving exposed AWS credentials.

Question 300

Report
Export
Collapse

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.

The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.

Which solution will mefet these requirements?

A.
Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.
A.
Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.
Answers
B.
Update the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.
B.
Update the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.
Answers
C.
Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.
C.
Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.
Answers
D.
Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.
D.
Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.
Answers
Suggested answer: A

Explanation:

To address the issue of an Amazon EC2 instance receiving suspicious requests over an open TCP port, the most effective solution is to update the Network Access Control List (NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule for the specific TCP port and source IP addresses involved in the suspicious activity, the security team can effectively block unwanted traffic at the subnet level. NACLs act as a stateless firewall for controlling traffic in and out of subnets, allowing for broad-based traffic filtering. This measure ensures that only legitimate traffic can reach the EC2 instance, thereby enhancing security without affecting the application's availability to other users. It's a more granular and immediate way to block specific traffic compared to modifying security group rules, which are stateful and apply at the instance level.

Total 327 questions
Go to page: of 33
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms