Free Amazon SCS-C02 Exam Questions

Question 1

A fintech company operates a suite of applications on Amazon EC2. The applications have intricate security needs, governed by a set of security groups. After an unintended modification in a security group disrupted the connectivity of some applications, the company wants to be alerted via a designated email whenever changes are made to these security groups.

Which solution can fulfill this requirement most efficiently?

A : AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic.

B : AWS CloudTrail. Forward logs to Amazon S3. Set up an Amazon Athena query to scan for event patterns indicating security group changes. Use AWS Lambda to send query results to Amazon SES for email notifications.

C : Amazon Macie. Enable monitoring for changes in security groups. Configure Amazon Macie to send alerts to an Amazon SNS topic.

D : AWS Config. Set up a custom AWS Config rule to track changes to security groups. Configure AWS Lambda for automated remediation and to send notifications to an Amazon SNS topic.

Answer: A

Question 2

A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs. Which Amazon Web Offerings (IAM) services should be employed to satisfy these requirements? (Select two.)

A : Amazon Athena

B : Amazon Kinesis

C : Amazon SQS

D : Amazon Elasticsearch

E : Amazon EMR

Answer: B,D

Question 3

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?

A : Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

B : Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

C : Enable CloudTrail Insights to identify unusual API activity.

D : Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Answer: D

Question 4

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data The solution must automatically apply to any new log groups that are created in the account in the future. Which solution will meet these requirements?

A : Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D : Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission

Answer: A

Question 5

A developer who was recently fired by a company has a personal laptop that contains the SSH keys used to access multiple Amazon EC2 instances. The security team need to ensure the developer is unable to access the EC2 instances.How can a security engineer protect the running EC2 instances?

A : Connect to each EC2 instance and replace the public key information in the authorized_keys file.

B : Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C : Modify the key pair in the AMIs used to launch the EC2 instances and then restart the EC2 instances.

D : Delete the key pair, create a new key pair, and use the EC2 console to modify the EC2 instances to use the new key pair.

Answer: A