Free Amazon SCS-C02 Exam Questions

Question 1

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

A : Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B : Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated account Assign the cross-account rote to the new IAM user.

C : Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the crossaccount permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

D : Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Answer: A

Question 2

A security engineer has been asked to review an Amazon S3 bucket policy to determine if the data is properly secured against public access. The policy statement is as follows:What should the response be from the security engineer?Is this bucket policy sufficient to ensure that the data is not publicly accessible?

A : The S3 bucket ACL and object ACLs will need to be checked to determine if public access is possible.

B : The bucket policy does not block access from public IP addresses regardless of the bucket ACL and object ACL settings.

C : The bucket policy will block all access from public IP addresses and will only allow connections from the specified private CIDR.

D : IAM user policies will need to be checked to determine if public access is granted through these policies.

Answer: A

Question 3

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections Which the SIMPLEST change that would address this server issue?

A : Create an Amazon CloudFront distribution and configure the ALB as the origin

B : Block the malicious IPs with a network access list (NACL).

C : Create an IAM Web Application Firewall (WAF). and attach it to the ALB

D : Map the application domain name to use Route 53

Answer: A

Question 4

A company has deployed an organization in AWS Organizations with several member accounts. The security team requires that there is at least on AWS CloudTrail trail configured for all existing accounts and any accounts that are created in the future. The logs should be sent to a single centralized Amazon S3 bucket and administrators in member accounts should not be able to modify the configuration.Which actions should be taken to accomplish this?

A : Create a new trail in each account and use a cross-account role to log to a central S3 bucket.

B : Enable CloudTrail Insights in the management account and run the “aws cloudtrail lookupevents” CLI command

C : Create an organization trail in the management account and specify a central S3 bucket.

D : Create a new trail in each account and use an SCP to deny the “cloudtrail:Delete” API action.

Answer: C

Question 5

A company enforces encryption for all Amazon EBS volumes. Following security incidents, EBS snapshots sometimes need to be shared with a forensics account for analysis. The security team must ensure the volumes remain encrypted as much as possible throughout the process.Which steps are required to share the encrypted snapshots with least privilege?

A : Copy an encrypted EBS volume to the target account, use a customer managed KMS key, and allow the Encrypt, Decrypt, and CreateGrant actions in the key policy.

B : Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

C : Create an unencrypted copy of the encrypted snapshot, share the snapshot with the target account, encrypt the copied snapshot with a customer managed KMS key

D : Share an encrypted snapshot, use an AWS managed KMS key, and allow the kms:* actions for the target account in the key policy.

Answer: B