Free Amazon SCS-C02 Exam Questions

Question 1

A company is deploying Amazon EC2 instances into a new VPC. The instances must be scanned to detect any known software vulnerabilities. The instances should also be checked for compliance with CIS benchmarks.

Which solution addresses these requirements?

A : Amazon Inspector and run the “Common vulnerabilities and exposures” assessment and the “Center for Internet Security (CIS) Benchmarks” assessment.

B : AWS CloudTrail and monitor the “PutEventSelectors” and “PutInsightSelectors” API actions.

C : AWS Config and configure the “restricted-common-ports” and ‘wafv2-logging-enabled” managed rules.

D : Amazon Inspector and run the “Network Reachability” assessment and the “Center for Internet Security (CIS) Benchmarks” assessment.

Answer: A

Question 2

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts. The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding was not created in the Security Hub delegated administrator account?

A : VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B : The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C : The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D : Cross-Region aggregation in Security Hub was not configured.

Answer: C

Question 3

A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity. Which solution meets these requirements?

A : Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

B : Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

C : Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

D : Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Answer: C

Question 4

A security engineer is attempting to setup automatic notifications that alert administrators about any changes that are made to an Amazon S3 bucket. The engineer has configured AWS Config and created an SNS topic. Changes have been made to the S3 bucket, but the SNS notifications have not been sent.Which combination of steps should the security engineer take to resolve the issue? (Select THREE.)

A : Configure the trust policy on the IAM role AWS Config uses to allow “s3.amazonaws.com” to assume the role.

B : Configure the trust policy on the IAM role AWS Config uses to allow “config.amazonaws.com” to assume the role.

C : Configure the Amazon S3 bucket ACLs to allow AWS Config to record any changes made to the S3 bucket.

D : Configure the access policy for the Amazon SNS topic to allow “sns:publish” access to “config.amazonaws.com”.

E : Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket.

F : Configure the access policy for the Amazon SNS topic to allow “sns:write” access to “config.amazonaws.com”.

Answer: B,D,F

Question 5

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A : Configure S3 bucket policies to deny DELETE and PUT object permissions.

B : Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C : Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D : Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Answer: B