Free Amazon SCS-C02 Exam Questions

Question 1

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

A : Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B : Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated account Assign the cross-account rote to the new IAM user.

C : Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the crossaccount permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

D : Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Answer: A

Question 2

A fintech company operates a suite of applications on Amazon EC2. The applications have intricate security needs, governed by a set of security groups. After an unintended modification in a security group disrupted the connectivity of some applications, the company wants to be alerted via a designated email whenever changes are made to these security groups.Which solution can fulfill this requirement most efficiently?

A : Use AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic.

B : Use AWS CloudTrail. Forward logs to Amazon S3. Set up an Amazon Athena query to scan for event patterns indicating security group changes. Use AWS Lambda to send query results to Amazon SES for email notifications.

C : Use Amazon Macie. Enable monitoring for changes in security groups. Configure Amazon Macie to send alerts to an Amazon SNS topic.

D : Use AWS Config. Set up a custom AWS Config rule to track changes to security groups. Configure AWS Lambda for automated remediation and to send notifications to an Amazon SNS topic.

Answer: A

Question 3

A fintech company operates a suite of applications on Amazon EC2. The applications have intricate security needs, governed by a set of security groups. After an unintended modification in a security group disrupted the connectivity of some applications, the company wants to be alerted via a designated email whenever changes are made to these security groups.Which solution can fulfill this requirement most efficiently?

A : Use AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic.

B : Use AWS CloudTrail. Forward logs to Amazon S3. Set up an Amazon Athena query to scan for event patterns indicating security group changes. Use AWS Lambda to send query results to Amazon SES for email notifications.

C : Use Amazon Macie. Enable monitoring for changes in security groups. Configure Amazon Macie to send alerts to an Amazon SNS topic.

D : Use AWS Config. Set up a custom AWS Config rule to track changes to security groups. Configure AWS Lambda for automated remediation and to send notifications to an Amazon SNS topic.

Answer: A

Question 4

A developer who was recently fired by a company has a personal laptop that contains the SSH keys used to access multiple Amazon EC2 instances. The security team need to ensure the developer is unable to access the EC2 instances.How can a security engineer protect the running EC2 instances?

A : Connect to each EC2 instance and replace the public key information in the authorized_keys file.

B : Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C : Modify the key pair in the AMIs used to launch the EC2 instances and then restart the EC2 instances.

D : Delete the key pair, create a new key pair, and use the EC2 console to modify the EC2 instances to use the new key pair.

Answer: A

Question 5

A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time. Which solution will meet these requirements?

A : Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common ONS queries.

B : Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.

C : Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.

D : Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

Answer: D