Amazon SCS-C02 Practice Test - Questions Answers, Page 33

A security analyst attempted to troubleshoot the monitoring of suspicious security group changes. The analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.

Which of the following troubleshooting steps should the analyst perform?

A. Ensure that CloudTrail and S3 bucket access logging is enabled for the analyst's AWS account.
B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
C. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
D. Verify that the analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.
Suggested answer: B

Explanation:

The correct answer is B because it checks the configuration of the CloudWatch alarm that is supposed to monitor the CloudTrail log events. The analyst should verify that a metric filter was created to extract the relevant information from the log events, such as the event name, source, and user identity. The analyst should also verify that the metric filter was mapped to an alarm that triggers when a certain threshold is reached, and that the alarm notification action is set up correctly to send alerts to the analyst.

The other options are incorrect because they do not address the issue of the CloudWatch alarm not working as expected. Option A is incorrect because CloudTrail and S3 bucket access logging are not related to the monitoring of security group changes. CloudTrail logs the API calls made to AWS services, and S3 bucket access logging records the requests made to the bucket. Option C is incorrect because CloudWatch dashboards are used to display metrics and alarms in a graphical way, but they do not affect the functionality of the alarm. Option D is incorrect because the IAM policy permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics are not required to monitor the CloudTrail log events. These permissions are used to retrieve the statistics and list of metrics for a given namespace.
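As an added example (not code from the exam or from ExamGecko), the script below walks the chain that option B tells the analyst to verify, metric filter to alarm to notification action, over constructed data shaped like the CloudWatch Logs DescribeMetricFilters and CloudWatch DescribeAlarms responses; the security group event names, filter name, metric name and alarm are assumptions made for the example.

```python
# Added example (not from the question bank): walk the metric filter -> alarm ->
# notification chain from option B over data shaped like the CloudWatch Logs
# DescribeMetricFilters and CloudWatch DescribeAlarms responses. The event names
# and the sample filter and alarm below are constructed for this example.
SECURITY_GROUP_EVENTS = (
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
)


def diagnose_alarm_chain(metric_filters, alarms):
    """Return findings describing where the chain is broken; [] means it is intact."""
    sg_filters = [
        f for f in metric_filters
        if any(ev in f.get("filterPattern", "") for ev in SECURITY_GROUP_EVENTS)
    ]
    if not sg_filters:
        return ["no metric filter mentions a security group event name"]
    findings = []
    for f in sg_filters:
        for t in f.get("metricTransformations", []):
            # An alarm is "mapped" to the filter when it watches the same metric.
            key = (t["metricNamespace"], t["metricName"])
            watching = [a for a in alarms
                        if (a.get("Namespace"), a.get("MetricName")) == key]
            if not watching:
                findings.append(f"filter {f['filterName']} emits {key} "
                                "but no alarm watches it")
            for a in watching:
                if not a.get("AlarmActions"):
                    findings.append(f"alarm {a['AlarmName']} has no notification action")
                elif not a.get("ActionsEnabled", True):
                    findings.append(f"alarm {a['AlarmName']} has actions disabled")
    return findings


# Constructed sample: filter and alarm exist and are mapped, but the alarm has no
# SNS action, which is exactly the case where a test change produces no alert.
SAMPLE_FILTERS = [{
    "filterName": "sg-changes",
    "filterPattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || "
                     "($.eventName = RevokeSecurityGroupIngress) }",
    "metricTransformations": [{"metricNamespace": "CloudTrailMetrics",
                               "metricName": "SecurityGroupEventCount", "metricValue": "1"}],
}]
SAMPLE_ALARMS = [{"AlarmName": "sg-change-alarm", "Namespace": "CloudTrailMetrics",
                  "MetricName": "SecurityGroupEventCount", "ActionsEnabled": True,
                  "AlarmActions": []}]
```

Running `diagnose_alarm_chain(SAMPLE_FILTERS, SAMPLE_ALARMS)` reports only the missing notification action, which is the third check option B names.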

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.

Which solution will meet these requirements MOST cost-effectively?

A. Store the client token as a secret in AWS Secrets Manager. Use the AWS SDK to retrieve the secret in the Lambda function.
B. Configure a token-based Lambda authorizer in API Gateway.
C. Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.
D. Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.
Suggested answer: C

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.

What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select TWO.)

A. Verify that the S3 bucket policy allows CloudTrail to write objects.
B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
C. Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.
D. Verify that the S3 bucket defined in CloudTrail exists.
E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
Suggested answer: A, D

Explanation:

To resolve CloudTrail's failure to deliver events to S3, verifying the S3 bucket policy for CloudTrail's write permissions (A) and ensuring the existence of the specified S3 bucket (D) are critical initial steps. These actions ensure that CloudTrail has the necessary permissions and a valid destination for log file delivery, addressing common configuration issues that can interrupt event logging.
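As an added example (not code from the exam or from ExamGecko), the function below performs the check behind option A: it parses an S3 bucket policy and reports which of the grants CloudTrail needs for log delivery are absent, using the statement shape AWS documents for CloudTrail buckets. The bucket name, account IDs and sample policy are constructed; Deny statements and NotAction are not modelled.

```python
# Added example (not from the question bank): check an S3 bucket policy for the
# grants CloudTrail needs before it can deliver log files (the check behind option A).
# The bucket name and account IDs are constructed; Deny and NotAction are not modelled.
import json
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy fields such as Action, Resource and Service may be a string or a list."""
    return value if isinstance(value, list) else [value]


def missing_cloudtrail_grants(policy_json, bucket, account_id, prefix=""):
    """Return the CloudTrail grants the policy lacks; [] means delivery can proceed.
    CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject on
    [prefix/]AWSLogs/<account>/* for the service principal cloudtrail.amazonaws.com."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_path = f"{bucket_arn}/{prefix + '/' if prefix else ''}AWSLogs/{account_id}/*"
    acl_ok = put_ok = False
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal", {})
        services = (_as_list(principal.get("Service", [])) if isinstance(principal, dict)
                    else _as_list(principal))
        if st.get("Effect") != "Allow" or not {"cloudtrail.amazonaws.com", "*"} & set(services):
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        # IAM resource wildcards behave like glob patterns, so match with fnmatch.
        if "s3:GetBucketAcl" in actions and any(fnmatchcase(bucket_arn, r) for r in resources):
            acl_ok = True
        if "s3:PutObject" in actions and any(fnmatchcase(log_path, r) for r in resources):
            put_ok = True
    missing = []
    if not acl_ok:
        missing.append(f"s3:GetBucketAcl on {bucket_arn}")
    if not put_ok:
        missing.append(f"s3:PutObject on {log_path}")
    return missing


# Constructed policy: the ACL check is granted, but the write grant was written for a
# different account ID, so log files for account 123456789012 cannot be delivered.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-logs"},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/111111111111/*"},
]})
```

A mismatched account ID or prefix in the Resource ARN is a common reason the bucket policy looks complete yet delivery still fails, which is why the check is done against the exact path CloudTrail will write to.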

A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B.

The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet.

Which solution will meet these requirements?

A. In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.
B. Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.
C. Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.
D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.
Suggested answer: C

Explanation:

Establishing a VPC peering connection between the VPCs in Account A and Account B and updating route tables, network ACLs, and security groups to permit the necessary traffic ensures private connectivity for the application to write to the S3 bucket without traversing the public internet. This solution is efficient and maintains network security and integrity.

A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.

What is the MOST operationally efficient way to meet this requirement?

A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge rate expression to schedule the Lambda function to run daily.
B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
D. Create an Amazon EventBridge rule by using a predefined pattern for ACM. Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Suggested answer: D

Explanation:

Using Amazon EventBridge to create a rule for ACM Certificate Approaching Expiration events and configuring an SNS topic as the target provides an operationally efficient way to monitor and alert on certificate expirations. This method leverages AWS's native capabilities for event monitoring and notifications, reducing the need for custom implementations and ensuring timely alerts.

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions.

What is the SIMPLEST way to meet these requirements?

A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.
Suggested answer: C

Explanation:

Enabling AWS CloudTrail with a trail applied to all regions and specifying a single S3 bucket for storage is the simplest method to record and retain API call activity for security analysis. This configuration ensures comprehensive coverage across all current and future AWS regions, centralizing log collection and simplifying log management.

A company used AWS Organizations to set up an environment with multiple AWS accounts. The company's organization currently has two AWS accounts, and the company expects to add more than 50 AWS accounts during the next 12 months. The company will require all existing and future AWS accounts to use Amazon GuardDuty. Each existing AWS account has GuardDuty active. The company reviews GuardDuty findings by logging into each AWS account individually.

The company wants a centralized view of the GuardDuty findings for the existing AWS accounts and any future AWS accounts. The company also must ensure that any new AWS account has GuardDuty automatically turned on.

Which solution will meet these requirements?

A. Enable AWS Security Hub in the organization's management account. Configure GuardDuty within the management account to send all GuardDuty findings to Security Hub.
B. Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization.
C. Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the option to automatically add new AWS accounts to the organization.
D. Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator account for Security Hub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization. Send all Security Hub findings to the organization's GuardDuty account.
Suggested answer: B

Explanation:

For a company using AWS Organizations that requires centralized management and automatic activation of Amazon GuardDuty across all current and future AWS accounts, setting up a delegated administrator account for GuardDuty is the optimal solution. By enabling GuardDuty in a new account and designating it as the delegated administrator, the company can centrally manage GuardDuty findings and automatically enroll new AWS accounts into GuardDuty as they are created within the organization. This approach ensures consistent threat detection and continuous monitoring across all accounts, aligning with best security practices.

Total 327 questions