Amazon SCS-C02 Practice Test - Questions Answers, Page 4

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised.

Which combination of actions should the Security team take to respond to the current incident? (Select TWO.)

A. Open a support case with the AWS Security team and ask them to remove the malicious code from the affected instance.
B. Respond to the notification and list the actions that have been taken to address the incident.
C. Delete all IAM users and resources in the account.
D. Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the security groups, and create a NACL rule to deny all traffic inbound from the internet.
E. Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Suggested answer: D, E

Explanation:

These are the recommended actions to take when you receive an abuse notice from AWS. You should review the abuse notice to see what content or activity was reported and detach the internet gateway from the VPC to isolate the affected instances from the internet. You should also remove any rules that allow inbound traffic from 0.0.0.0/0 from the security groups and create a network access control list (NACL) rule to deny all traffic inbound from the internet. You should then delete the compromised instances and any associated resources that you did not create. The other options are either inappropriate or unnecessary for responding to the abuse notice.
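As an added illustration of the security group review the explanation calls for (example code written for this page, not part of the original and not AWS tooling), the following Python walks the JSON shape that `aws ec2 describe-security-groups` returns and lists every inbound rule open to 0.0.0.0/0 or ::/0; the two groups in it are constructed sample data.

```python
"""List inbound security group rules that admit the whole internet.

Added example, not from the page. Input follows the "SecurityGroups"
list returned by ec2 describe-security-groups; SAMPLE_GROUPS is
constructed sample data, not a real account.
"""

# Constructed sample: a web group with HTTPS open to the world and an
# internal SSH rule, and a db group that mistakenly allows ::/0.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}],
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_inbound(groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for every
    inbound rule whose source is the entire IPv4 or IPv6 internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            # IpProtocol "-1" means all protocols; ports are then absent.
            ports = (perm.get("FromPort", -1), perm.get("ToPort", -1))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append((sg["GroupId"], proto, *ports, cidr))
    return findings


if __name__ == "__main__":
    for f in world_open_inbound(SAMPLE_GROUPS):
        print("world-open inbound rule: sg=%s %s %s-%s from %s" % f)
```

Rules whose only source is another security group (UserIdGroupPairs) are deliberately not reported, since they do not expose the instance to the internet.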

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the health status data.

Which approach should the Security Engineer use?

A. Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics. Visualize metrics using Amazon CloudWatch dashboards.
B. Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose. Store the streaming data from Kinesis Data Firehose in Amazon Redshift. Then run a script on the pool data and analyze the data in Amazon Redshift.
C. Write the status data directly to a public Amazon S3 bucket from the health-checking component. Configure S3 events to invoke an AWS Lambda function that analyzes the data.
D. Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an AWS Lambda function that analyzes the data.

Suggested answer: A

Explanation:

Amazon CloudWatch monitoring is a service that collects and tracks metrics from AWS resources and applications, and provides visualization tools and alarms to monitor performance and availability. The health status data in JSON format can be sent to CloudWatch as custom metrics and then displayed in CloudWatch dashboards. The other options are either inefficient or insecure for monitoring application availability in near-real time.

An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?

A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

Suggested answer: C

Explanation:

The schedule key deletion function within KMS allows you to specify a waiting period before deleting a customer master key (CMK). The minimum waiting period is 7 days and the maximum is 30 days. This function prevents the CMK from being used for encryption or decryption operations during the waiting period. The other options are either invalid or ineffective for deleting a CMK within a 24-hour timeframe.

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.

How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

Suggested answer: B

Explanation:

The kms:ViaService condition key can be used to restrict a CMK to work with only a specific AWS service. By configuring the CMK key policy to allow KMS actions only when the kms:ViaService condition matches the Amazon S3 service name, you can ensure that only Amazon S3 can use the CMK. The other options are either incorrect or insufficient for constraining a CMK to work with only Amazon S3.
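As an added example (not code from the page or from AWS), the Python below embeds a constructed key policy whose key-use statement carries the kms:ViaService condition from answer B, plus a small linter that flags any Allow statement granting a data-plane operation without that condition; the account id, role name and region in it are placeholders.

```python
"""Lint a KMS key policy so that key use is granted only through Amazon S3
(added example, not AWS tooling or code from the page). The policies are
constructed samples; account id, role name and region are placeholders."""
import fnmatch
import json

# Operations that use the key material; administrative actions are not listed.
DATA_PLANE_OPS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
                  "kms:ReEncryptTo", "kms:GenerateDataKey",
                  "kms:GenerateDataKeyWithoutPlaintext"]

KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmins"},
     "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*",
                "kms:Get*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "UseOnlyViaS3", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}
  ]
}""")

# The same grant without the condition: any service or direct caller can use the key.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyCallerCanUse", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value or [])


def unconstrained_statements(policy, service="s3.us-east-1.amazonaws.com"):
    """Sids of Allow statements that grant a data-plane operation without a
    StringEquals kms:ViaService condition equal to `service`."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        # Action entries may be wildcards such as kms:* or kms:ReEncrypt*.
        if not any(fnmatch.fnmatchcase(op, pat)
                   for op in DATA_PLANE_OPS for pat in patterns):
            continue
        via = _as_list(stmt.get("Condition", {}).get("StringEquals", {})
                       .get("kms:ViaService"))
        if via != [service]:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad
```

The service name is regional (s3.REGION.amazonaws.com), so the check also catches a policy whose condition names the wrong region.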

A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.

There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.

Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

A. The route tables and the outbound rules on the appropriate private subnet security group.
B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
E. The Security Group applied to the Application Load Balancer and NAT gateway.
F. That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet.

Suggested answer: C, E, F

Explanation:

These are the factors that could affect the outbound connection to the internet from a server in a private subnet. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet must allow the traffic to pass through. The security group applied to the Application Load Balancer and NAT gateway must also allow the traffic from the private subnet. The 0.0.0.0/0 route in the private subnet route table must point to the NAT gateway in the public subnet, not the internet gateway. The other options are either irrelevant or incorrect for troubleshooting the outbound connection issue.
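As an added example of the checks the explanation lists (written for this page, not taken from it or from AWS), the Python below evaluates a constructed private-subnet route table and network ACL the way the VPC does: the 0.0.0.0/0 route must target a NAT gateway, and because NACLs are stateless both the outbound request and the inbound reply on an ephemeral port must be allowed by the lowest-numbered matching rule.

```python
"""Check the route and the stateless NACLs that govern outbound internet
access from a private subnet (added example, not from the page). Ids,
rule numbers and addresses are constructed sample data."""
import ipaddress

# Constructed route table of the private subnet.
PRIVATE_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc123"},
]
# Constructed NACL entries (describe-network-acls shape). The VPC evaluates
# them in ascending RuleNumber order and the first match decides.
PRIVATE_NACL = [
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

def default_route_target(routes):
    """Target id of the 0.0.0.0/0 route, or None if there is none."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("NatGatewayId") or r.get("GatewayId")
    return None

def nacl_allows(entries, egress, protocol, port, remote_ip):
    """First matching rule (by number) for this direction/protocol/port/IP
    decides; no match means the implicit deny."""
    addr = ipaddress.ip_address(remote_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", protocol):
            continue
        rng = e.get("PortRange")  # absent on all-traffic rules
        if rng and not rng["From"] <= port <= rng["To"]:
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        return e["RuleAction"] == "allow"
    return False

def can_reach_internet(routes, nacl, remote_ip="203.0.113.10", port=443):
    """Route must go to a NAT gateway; NACLs must pass the request out and
    the reply back in on an ephemeral port (NACLs are stateless)."""
    target = default_route_target(routes) or ""
    if not target.startswith("nat-"):
        return False, "default route target %r is not a NAT gateway" % target
    if not nacl_allows(nacl, True, "6", port, remote_ip):
        return False, "outbound NACL blocks tcp/%d" % port
    if not nacl_allows(nacl, False, "6", 49152, remote_ip):
        return False, "inbound NACL blocks the ephemeral return port"
    return True, "ok"
```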

A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application that decrypts the data from Amazon S3 to ensure separation of duties between the applications. A Security Engineer wants to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.

Which encryption method will meet these requirements?

A. Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS).
B. Use server-side encryption with customer-provided keys (SSE-C).
C. Use server-side encryption with AWS KMS managed keys (SSE-KMS).
D. Use server-side encryption with Amazon S3 managed keys (SSE-S3).

Suggested answer: C

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)

A. Ensure CloudTrail log file validation is turned on.
B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
C. Use an S3 bucket with tight access controls that exists in a separate account.
D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS).

Suggested answer: A, D, E

A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are all coming from the AWS CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E

Suggested answer: A, D

A company hosts multiple externally facing applications, each isolated in its own AWS account. The company's Security team has enabled AWS WAF, AWS Config, and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail, AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.

How should the Security team accomplish this?

A. Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts.
B. Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.
C. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.
D. Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.

Suggested answer: C

A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

A. Place the RDS instance in a public subnet and an AWS Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.
B. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
C. Place the RDS instance in a private subnet and an AWS Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
D. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.
E. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Suggested answer: B, E

Explanation:

These are the solutions that can securely rotate the secrets for the production RDS database using Secrets Manager. Secrets Manager is a service that helps you manage secrets such as database credentials, API keys, and passwords. You can use Secrets Manager to rotate secrets automatically by using a Lambda function that runs on a schedule. The Lambda function needs to have access to both the RDS instance and the Secrets Manager service. Option B places the RDS instance in a private subnet and the Lambda function in the same VPC in another private subnet. The private subnet with the Lambda function needs to use a NAT gateway to access Secrets Manager over the internet. Option E places the RDS instance and the Lambda function in the same private subnet and configures a Secrets Manager interface endpoint, which is a private connection between the VPC and Secrets Manager. The other options are either insecure or incorrect for rotating secrets using Secrets Manager.
