Free Amazon SCS-C02 Exam Questions

Question 1

A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services.How can the AWS KMS key be constrained to work with only Amazon S3?

A : Configure the key policy with a kms:CallerAccount condition key that limits use of the KMS key to identities in the specific AWS account.

B : Configure the key policy with a kms:RequestAlias condition key that limits use of the KMS key to requests that use a specific alias.

C : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

D : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

Answer: C

Question 2

A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.Which of the following steps would be the most appropriate in this scenario?

A : Track down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.

B : Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.

C : Deactivate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system-s Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.

D : Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

Answer: D

Question 3

A security engineer has been asked to review an Amazon S3 bucket policy to determine if the data is properly secured against public access. The policy statement is as follows:What should the response be from the security engineer?Is this bucket policy sufficient to ensure that the data is not publicly accessible?

A : The S3 bucket ACL and object ACLs will need to be checked to determine if public access is possible.

B : The bucket policy does not block access from public IP addresses regardless of the bucket ACL and object ACL settings.

C : The bucket policy will block all access from public IP addresses and will only allow connections from the specified private CIDR.

D : IAM user policies will need to be checked to determine if public access is granted through these policies.

Answer: A

Question 4

A company has created an AWS account structure with a centralized management account and several child accounts. An AWS Organization has been created to manage this configuration. The security team require API auditing using AWS CloudTrail for all accounts. Administrators in child accounts should not have privileges to modify the CloudTrail trail configuration.How should AWS CloudTrail be configured with the LEAST operational overhead?

A : Create an Amazon S3 bucket in each AWS account and create an Organization trail in the management account that logs to the S3 bucket

B : Create a CloudTrail trail in each AWS account that logs to separate folders within a central S3 bucket in the management account. Create an SCP to limit permissions.

C : Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket.

D : Create a separate logging account and create a CloudTrail trail within each AWS account that logs to the logging account. Create an SCP to limit permissions

Answer: C

Question 5

A company has several AWS Lambda functions. While reviewing the Lambda functions a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are less than 8 KB and there are over 10,000 values stored across the functions.

What is the MOST cost-effective way to address this security issue?

A : ore the environment variables in an encrypted Amazon EFS file system and access them at runtime. Use POSIX permissions to restrict access to only the Lambda functions that require access

B : ore the environment variables in AWS Secrets Manager and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access

C : ore the environment variables in AWS Systems Manager Parameter Store as secure string parameters and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

D : AWS Config to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.

Answer: B