Free Amazon SCS-C02 Exam Questions

Question 1

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future Which controls should the company implement to achieve this? {Select TWO.)

A : Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

B : Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

C : Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering{"Version": "2012-10-17-,"Statement": {"Effect": "Deny","Action": "s3:PutObject","Principal": "-","Resource": "arn:IAM:s3:::cloudtrail/IAMLogs122223333/*"}}Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic

D : Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier

E : Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Answer: A,E

Question 2

A security engineer is building an application that is running on Amazon EC2. The application communicates with an Amazon RDS MySQL instance and authenticates with a user name and password. The credentials should be encrypted and rotated every 60 days.

Which steps should the engineer take to protect the credentials and ensure they can be automatically rotated?

A : ore the credentials in AWS Secrets Manager and choose an AWS KMS key. Enable automatic rotation every 60 days and configure the application to retrieve the secret programmatically.

B : ore the credentials on an encrypted Amazon EFS volume. Configure the application instances to mount the volume. Use an AWS Lambda function to update the credentials on the EFS volume every 60 days.

C : ore the credentials as an encrypted string parameter in AWS Systems Manager Parameter Store. Enable automatic rotation every 60 days and grant permission to the EC2 instance role to retrieve the parameter programmatically.

D : ore the credentials in an Amazon S3 bucket configured with SSE-KMS encryption. Grant permission to the EC2 instance role to retrieve the credentials from S3 programmatically. Update the credential files every 60 days.

Answer: A

Question 3

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts. The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding was not created in the Security Hub delegated administrator account?

A : VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B : The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C : The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D : Cross-Region aggregation in Security Hub was not configured.

Answer: C

Question 4

An online gaming company has a network of Amazon EC2 instances that are frequently targeted by rogue bots. The security team needs to implement an automated system to block traffic from identified malicious sources. The system needs to respond in near real-time and the security team decided to use AWS Step Functions to orchestrate this solution.Which solution should the security engineer implement to meet these requirements?

A : Use AWS CloudTrail to monitor for malicious traffic. Store the identified IP addresses in a DynamoDB table. Utilize Lambda to update the DynamoDB table and modify a WAF web ACL rule to block the traffic

B : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify a Security Group rule to block the traffic from these IP addresses.

C : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

D : Use AWS WAF to detect malicious traffic. Use DynamoDB to store the identified IP addresses. Utilize Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

Answer: C

Question 5

An AWS Lambda function has started to cause errors in an application and a security engineer must check the output of the function. The engineer checked Amazon CloudWatch Logs but could not find any log files for the Lambda function.What is the best explanation for why the logs are not available?

A : The Lambda function does not have monitoring enabled to execution output is not being logged.

B : The log output is stored in AWS X-Ray so the security engineer must check there instead

C : The Lambda function execution role does not have permissions to write to Amazon S3.

D : The Lambda function execution role does not have permissions to write to CloudWatch Logs.

Answer: D