Free Amazon SCS-C02 Exam Questions

Question 1

A developer operations team uses AWS Identity and Access Management (1AM) to manage user permissions The team created an Amazon EC2 instance profile role that uses an AWS managed Readonly Access policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error. The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file. What should the administrator do to fix the 1AM access issue?

A : Edit the ReadOnlyAccess policy to add kms:Decrypt actions.

B : Add the EC2 1AM role as the authorized Principal to the S3 bucket policy.

C : Attach an inline policy with kms Decrypt permissions to the 1AM role

D : Attach an inline policy with S3: * permissions to the 1AM role.

Answer: C

Question 2

A security engineer needs to create an IAM Key Management Service used to encrypt all data stored in a companyâ€™s Amazon S3 Buckets in the us-west-1 Region. The keywill use server-side encryption. Usage of the key must be limited to requests coming from AmazonS3 within the company's account.Which statement in the KMS key policy will meet these requirements?

A :

B :

C :

Answer: A

Question 3

A company has several AWS Lambda functions. While reviewing the Lambda functions a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are less than 8 KB and there are over 10,000 values stored across the functions.

What is the MOST cost-effective way to address this security issue?

A : ore the environment variables in an encrypted Amazon EFS file system and access them at runtime. Use POSIX permissions to restrict access to only the Lambda functions that require access

B : ore the environment variables in AWS Secrets Manager and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access

C : ore the environment variables in AWS Systems Manager Parameter Store as secure string parameters and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

D : AWS Config to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.

Answer: B

Question 4

A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.Which of the following steps would be the most appropriate in this scenario?

A : Track down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.

B : Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.

C : Deactivate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system-s Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.

D : Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

Answer: D

Question 5

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

A : Turn on IAM CloudTrail in each IAM account

B : Turn on CloudTrail in only the account that will be storing the logs

C : Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

D : Create a service-based role for CloudTrail and associate it with CloudTrail in each account

E : Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer: A,E