Free Amazon SCS-C02 Exam Questions

Question 1

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

A : An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

B : An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

C : An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

D : A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Answer: B

Question 2

A company is implementing a customized notification solution to detect repeated unauthorized authentication attempts to bastion hosts. The company's security engineer needs to implement a solution that will provide notification when 5 failed attempts occur within a 5-minute period. The solution must use native AWS services and must notify only the designated system administrator who is assigned to the specific bastion host. Which solution will meet these requirements?

A : Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.

B : Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon EventBridge event based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

C : Use the Amazon CloudWatch agent to collect operating system logs Create a CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

D : Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use EC2 instance tags to determine which SNS topics receive notifications.

Answer: C

Question 3

A DevOps engineer has deployed several custom-built images provided by the development team using Amazon Elastic Container Service (ECS) with the Fargate launch type. The engineer now needs to aggregate the logs from all the containers into a pre-existing CloudWatch log group.Which solution will satisfy these requirements?

A : Enable the awslogs log driver by including awslogs-group and awslogs-region parameters in theLogConfiguration property.

B : Install and configure the CloudWatch agent on the running container instances.

C : Define an IAM policy that encompasses the logs:CreateLogGroup action and assign this policy to the running container instances.

D : Implement Fluent Bit and FluentD in a DaemonSet configuration to direct logs to Amazon CloudWatch Logs.

Answer: A

Question 4

A security engineer is attempting to setup automatic notifications that alert administrators about any changes that are made to an Amazon S3 bucket. The engineer has configured AWS Config and created an SNS topic. Changes have been made to the S3 bucket, but the SNS notifications have not been sent.Which combination of steps should the security engineer take to resolve the issue? (Select THREE.)

A : Configure the trust policy on the IAM role AWS Config uses to allow “s3.amazonaws.com” to assume the role.

B : Configure the trust policy on the IAM role AWS Config uses to allow “config.amazonaws.com” to assume the role.

C : Configure the Amazon S3 bucket ACLs to allow AWS Config to record any changes made to the S3 bucket.

D : Configure the access policy for the Amazon SNS topic to allow “sns:publish” access to “config.amazonaws.com”.

E : Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket.

F : Configure the access policy for the Amazon SNS topic to allow “sns:write” access to “config.amazonaws.com”.

Answer: B,D,F

Question 5

A developer who was recently fired by a company has a personal laptop that contains the SSH keys used to access multiple Amazon EC2 instances. The security team need to ensure the developer is unable to access the EC2 instances.

How can a security engineer protect the running EC2 instances?

A : nnect to each EC2 instance and replace the public key information in the authorized_keys file.

B : the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C : Modify the key pair in the AMIs used to launch the EC2 instances and then restart the EC2 instances.

D : lete the key pair, create a new key pair, and use the EC2 console to modify the EC2 instances to use the new key pair.

Answer: A