Free Amazon SCS-C02 Exam Questions

Question 1

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

A : Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B : Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated account Assign the cross-account rote to the new IAM user.

C : Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the crossaccount permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

D : Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Answer: A

Question 2

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A : Configure S3 bucket policies to deny DELETE and PUT object permissions.

B : Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C : Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D : Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Answer: B

Question 3

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

A : Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

B : Respond to the notification and list the actions that have been taken to address the incident

C : Delete all IAM users and resources in the account

D : Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

E : Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Answer: D,E

Question 4

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

A : Turn on IAM CloudTrail in each IAM account

B : Turn on CloudTrail in only the account that will be storing the logs

C : Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

D : Create a service-based role for CloudTrail and associate it with CloudTrail in each account

E : Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer: A,E

Question 5

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1). What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

A : Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.

B : Create an Amazon CloudWatch dashboard Verify that the EC2MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.

C : Create a security group that blocks access to HTTP for the IMDSv1 endpoint Attach the security group to all EC2 instances.

D : Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used Create a metric filter and an Amazon CloudWatch dashboard Track the metric in the dashboard.

Answer: B