SCS-C02 by Amazon Actual Free Exam Questions And Answers

Question 1

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).
What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

A. Create an Amazon CloudWatch dashboard Verify that the EC2MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.

B. Create a security group that blocks access to HTTP for the IMDSv1 endpoint Attach the security group to all EC2 instances.

C. Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used Create a metric filter and an Amazon CloudWatch dashboard Track the metric in the dashboard.

D. Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 2

A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.
Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.
Which additional configuration steps should the security engineer take to complete the task?

A. D. Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

B. C. Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

C. For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

D. B. For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name.Attach the resuming policies to the corresponding IAM roles.

Discussion 0

Correct Answer: C Vote an answer

Question 3

A company uses AWS Organizations to manage several AWs accounts. The company processes a large volume of sensitive dat a. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.
The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.
What should the company do next to meet these requirements?

A. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

B. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

C. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

D. Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Discussion 0

Correct Answer: D Vote an answer

Question 4

A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across teams.
A security engineer needs to implement a solution to logically group together the IAM roles of each team. The solution must allow only the platform team to delegate IAM permissions to AWS services.
Which solution will meet these requirements?

A. Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team.

B. Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team.

C. Set up an IAM path with the IAM roles for each team. Use IAM permissions boundaries to deny the sts:AssumeRole permission to the IAM roles for the product team and the security team.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 5

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

A. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

B. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

C. Use Amazon Inspector to periodically scan the backend instances.

D. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

E. Review the application security groups to ensure that only the necessary ports are open.

Discussion 0

Correct Answer: C,E Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 6

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A. Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

B. Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

C. Configure S3 bucket policies to deny DELETE and PUT object permissions.

D. Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Discussion 0

Correct Answer: D Vote an answer

Question 7

A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.
A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athen a. However, the company does not want to allow users from the other accounts to access other files in the same folder.
Which solution will meet these requirements?

A. Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

B. Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

C. Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

D. Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Discussion 0

Correct Answer: B Vote an answer

Question 8

A company is running a container-based workload on AWS. The workload runs on an Amazon Elastic Container Service (Amazon ECS) cluster and uses container images from an Amazon Elastic Container Registry (Amazon ECR) repository.
The company recently experienced a security incident that involved a container image that included critical vulnerabilities. A CI/CD pipeline that was running outside AWS uploaded the image to the ECR repository and deployed the image to the ECS cluster.
Which solution will prevent images that have vulnerabilities from being pushed to the ECR repository?

A. Configure the private ECR registry to use enhanced scanning with the scan on push option. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to block the image push.

B. Configure Amazon Inspector. Invoke the Amazon Inspector Scan API operation from the CI/CD pipeline. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to return a failed result to Amazon Inspector.

C. Create an Amazon Inspector custom CI/CD integration. Install and configure the Amazon Inspector Software Bill of Materials (SBOM) Generator (Sbomgen) binary. Generate an SBOM. Invoke the Amazon Inspector Scan API operation. In case of critical vulnerabilities, fail the CI/CD pipeline.

D. Enable ECR image scanning on the ECR repository. Configure the continuous scanning option. Set the scanning configuration setting for the private registry to basic scanning. In case of critical vulnerabilities, fail the CI/CD pipeline.

Discussion 0

Correct Answer: C Vote an answer

Question 9

A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store(Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance The EC2 instance will not start and transitions from the pending state to the shutting-down state to the terminated state Which combination of steps should a security engineer take to troubleshoot this issue? (Select TWO )

A. Verify that the KMS key that is associated with the EBS volume is set to the Symmetric key type

B. Verify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume

C. Verify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume

D. Verify that the key that is associated with the EBS volume has not expired and needs to be rotated

E. Verify that the KMS key that is associated with the EBS volume is in the Enabled state

Discussion 0

Correct Answer: B,E Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 10

A company uses Amazon CloudWatch to monitor application metrics. A security engineer needs to centralize the metrics from several AWS accounts. The security engineer also must create a dashboard to securely share the metrics with customers.
Which solution will meet these requirements?

A. Set up a designated monitoring account Configure the necessary permissions for a CloudWatch wizard to query the metrics from source accounts. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure AWS 1AM Identity Center as the SSO provider.

B. Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metncs Share the dashboard by using SSO Configure AWS 1AM Identity Center as the SSO provider.

C. Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure Amazon Cognito as the SSO provider.

D. Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account Create a CloudWatch dashboard that includes the metrics. Share the dashboard Specify the email addresses of users who can use a password to view the dashboard.

Discussion 0

Correct Answer: C Vote an answer

Question 11

A medical company recently completed an acquisition and inherited an existing AWS environment. The company has an upcoming audit and is concerned about the compliance posture of its acquisition.
The company must identify personal health information inside Amazon S3 buckets and must identify S3 buckets that are publicly accessible. The company needs to prepare for the audit by collecting evidence in the environment.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

A. Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.

B. Enable AWS Config Set up the s3-bucket-public-write-prohibited AWS Config managed rule.

C. Enable AWS Audit Manager. Create an assessment by using a supported framework.

D. Use AWS Glue with the Detect Pll transform to identify sensitive data and to mask the sensitive data.

E. Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONALJNFORMATION managed data identifier.

F. Enable Amazon GuardDuty S3 Protection Document any findings that are related to suspicious access of S3 buckets.

Discussion 0

Correct Answer: A,C,E Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Amazon AWS Certified Security - Specialty - SCS-C02 Exam Practice Test

Contact Us

Useful Links

Latest Updated