Free Amazon SCS-C02 Exam Questions

Question 1

An online gaming company has a network of Amazon EC2 instances that are frequently targeted by rogue bots. The security team needs to implement an automated system to block traffic from identified malicious sources. The system needs to respond in near real-time and the security team decided to use AWS Step Functions to orchestrate this solution.Which solution should the security engineer implement to meet these requirements?

A : Use AWS CloudTrail to monitor for malicious traffic. Store the identified IP addresses in a DynamoDB table. Utilize Lambda to update the DynamoDB table and modify a WAF web ACL rule to block the traffic

B : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify a Security Group rule to block the traffic from these IP addresses.

C : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

D : Use AWS WAF to detect malicious traffic. Use DynamoDB to store the identified IP addresses. Utilize Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

Answer: C

Question 2

An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides ^ccess to the internet for private subnets through a NAT gateway. A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services. What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

A : Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions thatwill publish logs.

B : Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.

C : Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that willpublish logs.

D : Add an interface VPC endpoint to provide a route to CloudWatch Logs.

Answer: C

Question 3

A company enforces encryption for all Amazon EBS volumes. Following security incidents, EBS snapshots sometimes need to be shared with a forensics account for analysis. The security team must ensure the volumes remain encrypted as much as possible throughout the process.Which steps are required to share the encrypted snapshots with least privilege?

A : Copy an encrypted EBS volume to the target account, use a customer managed KMS key, and allow the Encrypt, Decrypt, and CreateGrant actions in the key policy.

B : Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

C : Create an unencrypted copy of the encrypted snapshot, share the snapshot with the target account, encrypt the copied snapshot with a customer managed KMS key

D : Share an encrypted snapshot, use an AWS managed KMS key, and allow the kms:* actions for the target account in the key policy.

Answer: B

Question 4

A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services.How can the AWS KMS key be constrained to work with only Amazon S3?

A : Configure the key policy with a kms:CallerAccount condition key that limits use of the KMS key to identities in the specific AWS account.

B : Configure the key policy with a kms:RequestAlias condition key that limits use of the KMS key to requests that use a specific alias.

C : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

D : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

Answer: C

Question 5

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. Which solution will meet the requirements?

A : Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B : Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.

C : Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.

D : Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS

Answer: A