Free Amazon SCS-C02 Exam Questions

Question 1

A security engineer has been asked to review an Amazon S3 bucket policy to determine if the data is properly secured against public access. The policy statement is as follows:What should the response be from the security engineer?Is this bucket policy sufficient to ensure that the data is not publicly accessible?

A : The S3 bucket ACL and object ACLs will need to be checked to determine if public access is possible.

B : The bucket policy does not block access from public IP addresses regardless of the bucket ACL and object ACL settings.

C : The bucket policy will block all access from public IP addresses and will only allow connections from the specified private CIDR.

D : IAM user policies will need to be checked to determine if public access is granted through these policies.

Answer: A

Question 2

A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?

A : Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

B : Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

C : Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

D : Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Answer: B

Question 3

A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services.How can the AWS KMS key be constrained to work with only Amazon S3?

A : Configure the key policy with a kms:CallerAccount condition key that limits use of the KMS key to identities in the specific AWS account.

B : Configure the key policy with a kms:RequestAlias condition key that limits use of the KMS key to requests that use a specific alias.

C : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

D : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

Answer: C

Question 4

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

A : Configure Amazon CloudWatch Logs Insights

B : Create an Amazon CloudWatch dashboard

C : Configure AWS Security Hub integrations

D : Query the findings by using Amazon Athena

Answer: C

Question 5

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts. The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding was not created in the Security Hub delegated administrator account?

A : VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B : The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C : The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D : Cross-Region aggregation in Security Hub was not configured.

Answer: C