Free Amazon SCS-C02 Exam Questions

Question 1

A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs. Which IAM services should be used to meet these requirements? (Select TWO)

A : Amazon Athena

B : Amazon Kinesis

C : Amazon SQS

D : Amazon Elasticsearch

E : Amazon EMR

Answer: B,D

Question 2

A company in France uses Amazon Cognito with the Cognito Hosted Ul as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France. When the company launches the application the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France. The security team needs a solution to perform custom validation at sign-up Based on the results of the validation the solution must accept or deny the registration request. Which combination of steps will meet these requirements? (Select TWO.)

A :

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

B :

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

C :

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

D :

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

E :

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Answer: B

Question 3

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet. The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905. Which solution will identify the affected EC2 instances with the LEAST operational effort?

A : Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

B : Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

C : Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

D : Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Answer: B

Question 4

A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained What Is the MOST secure and cost-effective solution to meet these requirements?

A : Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

B : Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

C : Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose theÃ‚Â S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

D : Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Answer: B

Question 5

A security vulnerability has been discovered that could lead to sensitive data being leaked on TCP port 5601. The development team is working on updating the code, but it could take several days. A security engineer must identify any hosts attempting to send data over port 5601 and prevent the traffic leaving the network.

How can the security engineer accomplish this goal?

A : pture IP traffic using VPC Flow Logs and create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic

B : tall the unified CloudWatch agent on Amazon EC2 instances and collect log files in CloudWatch Logs. Create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic.

C : Run an Amazon Inspector custom network assessment to identify Amazon EC2 instances that have TCP port 5601 open. Then, update security groups to block the traffic.

D : AWS CloudTrail to log API actions in an Amazon S3 bucket. Use Amazon Athena to query the log files and identify attempts to connect. Then, update security groups to block the traffic.

Answer: A