Free Amazon SCS-C02 Exam Questions

Question 1

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

A : Configure Amazon CloudWatch Logs Insights

B : Create an Amazon CloudWatch dashboard

C : Configure AWS Security Hub integrations

D : Query the findings by using Amazon Athena

Answer: C

Question 2

A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. What is the MOST secure way to provide this access?

A :

Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.

B :

Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

C :

Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.

D :

Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Answer: D

Question 3

A fintech company offers a web application that stores files on Amazon S3 and processes transactions on Amazon EC2. Users are complaining about slow response times, and recent cybersecurity audits have raised concerns about web content security.The company needs to accelerate content delivery while enhancing security and privacy, without altering the application code.What combination of actions should the company undertake to meet these requirements? (Select TWO.)

A : Use an AWS WAF web ACL with predefined AWS managed rules to add HTTP security headers to origin responses.

B : Configure Amazon CloudFront and set up a distribution for the S3 and EC2 origins to accelerate content delivery

C : Deploy Amazon ElastiCache to cache the responses of the application endpoints

D : Use an AWS Lambda function configured with CloudFront (Lambda@Edge) to add HTTP security headers on origin responses

E : Utilize an Application Load Balancer (ALB) with enabled Sticky Sessions to preserve the connection header from incoming client requests after forwarding the response back to the client.

Answer: B,D

Question 4

An administrative user accidentally exposed an access key ID and secret access key to a public support forum. The user notified the security team about the incident after removing the exposed credentials from the forum.Which initial steps should a security engineer take to mitigate the exposure without interrupting operations? (Select TWO.)

A : Reset the password for the root user on the account.

B : Terminate or disable any resources the user has access to.

C : Implement a deny policy blocking access to resources.

D : Invalidate any temporary security credentials.

E : Delete the access key ID and secret access key.

Answer: C,E

Question 5

A company enforces encryption for all Amazon EBS volumes. Following security incidents, EBS snapshots sometimes need to be shared with a forensics account for analysis. The security team must ensure the volumes remain encrypted as much as possible throughout the process.Which steps are required to share the encrypted snapshots with least privilege?

A : Copy an encrypted EBS volume to the target account, use a customer managed KMS key, and allow the Encrypt, Decrypt, and CreateGrant actions in the key policy.

B : Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

C : Create an unencrypted copy of the encrypted snapshot, share the snapshot with the target account, encrypt the copied snapshot with a customer managed KMS key

D : Share an encrypted snapshot, use an AWS managed KMS key, and allow the kms:* actions for the target account in the key policy.

Answer: B