Free Amazon SCS-C02 Exam Questions

Question 1

You have an S3 bucket defined in IAM. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this. Please select:

A :

Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

B :

Use the IAM Encryption CLI to encrypt the data first

C :

Use a Lambda function to encrypt the data before sending it to the S3 bucket.

D :

Enable client encryption for the bucket

Answer: B

Question 2

A company has a new web-based account management system for an online game Players create a unique username and password to log in to the system. The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system. The company's security team finds that the system was the target of a credential stuffing attack Credentials that were exposed in other breaches were used to try to log in to the system The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future The solution also must minimize impact on legitimate users of the system Which combination of actions will meet these requirements? (Select TWO.)

A : Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address

B : Add the account takeover prevention (ATP) AWS managed rule group to the web ACL Configure the rule group to inspect login requests to the system Block any requests that have the awswaf managed awsatp signal credential_compromised label

C : Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in

D : Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses Block any IP addresses that generate many successful logins

E : Create a custom block response that redirects users to a secure workflow to reset their password inside the system

Answer: B,E

Question 3

A company hired an external consultant who needs to use a laptop to access the company's VPCs Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources. Which solution will meet these requirements? Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule. Create an AWS account Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.

A : Create an AWS Client VPN endpoint in the same Region as the B. VPCs. Configure access through an appropriate subnet and authorization rule.

B : Create a gateway VPC endpoint in the same Region as the VPCs. D. Configure access through an appropriate subnet and authorization rule.

Answer: B

Question 4

A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity. Which solution meets these requirements?

A : Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

B : Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

C : Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

D : Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Answer: C

Question 5

A company needs to delect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration ot the existing EKS deployment. Which solution will meet these requirements with the LEAST operational effort?

A : Install an Amazon EKS add-on from a security vendor.

B : Enable AWS Security Hub Monitor the Kubernetes findings

C : Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS.

D : Enable Amazon GuardDuty Use EKS Audit Log Monitoring.

Answer: D