Free Amazon SCS-C02 Exam Questions

Question 1

An AWS Lambda function has started to cause errors in an application and a security engineer must check the output of the function. The engineer checked Amazon CloudWatch Logs but could not find any log files for the Lambda function.What is the best explanation for why the logs are not available?

A : The Lambda function does not have monitoring enabled to execution output is not being logged.

B : The log output is stored in AWS X-Ray so the security engineer must check there instead

C : The Lambda function execution role does not have permissions to write to Amazon S3.

D : The Lambda function execution role does not have permissions to write to CloudWatch Logs.

Answer: D

Question 2

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions. THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

A :

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

B :

Create an origin access identity (OAI) for the S3 origin

C :

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

D :

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

E :

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Answer: A,D

Question 3

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A : Configure S3 bucket policies to deny DELETE and PUT object permissions.

B : Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C : Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D : Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Answer: B

Question 4

An AWS Lambda function has started to cause errors in an application and a security engineer must check the output of the function. The engineer checked Amazon CloudWatch Logs but could not find any log files for the Lambda function.What is the best explanation for why the logs are not available?

A : The Lambda function does not have monitoring enabled to execution output is not being logged.

B : The log output is stored in AWS X-Ray so the security engineer must check there instead

C : The Lambda function execution role does not have permissions to write to Amazon S3.

D : The Lambda function execution role does not have permissions to write to CloudWatch Logs.

Answer: D

Question 5

A developer who was recently fired by a company has a personal laptop that contains the SSH keys used to access multiple Amazon EC2 instances. The security team need to ensure the developer is unable to access the EC2 instances.How can a security engineer protect the running EC2 instances?

A : Connect to each EC2 instance and replace the public key information in the authorized_keys file.

B : Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C : Modify the key pair in the AMIs used to launch the EC2 instances and then restart the EC2 instances.

D : Delete the key pair, create a new key pair, and use the EC2 console to modify the EC2 instances to use the new key pair.

Answer: A