Free Amazon SCS-C02 Exam Questions

Question 1

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?

A :

The ACL in the bucket needs to be updated

B :

The IAM policy does not allow the user to access the bucket

C :

It takes a few minutes for a bucket policy to take effect

D :

The allow permission is being overridden by the deny

Answer: D

Question 2

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet. The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905. Which solution will identify the affected EC2 instances with the LEAST operational effort?

A : Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

B : Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

C : Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

D : Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Answer: B

Question 3

A security engineer needs to see up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs. Which solution will meet these requirements?

A :

Generate an S3 bucket policy. Specify cloudfront amazonaws com as the principal. Use the aws Sourcelp condition key to allow access only if the request conies from the specified IP addresses.

B :

Create a CloudFront origin access identity (OAl). Create the S3 bucket policy so that only the OAl has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

C :

Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.

D :

Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

Answer: B

Question 4

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data The solution must automatically apply to any new log groups that are created in the account in the future. Which solution will meet these requirements?

A : Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D : Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission

Answer: A

Question 5

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions. THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

A :

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

B :

Create an origin access identity (OAI) for the S3 origin

C :

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

D :

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

E :

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Answer: A,D