Free Amazon SCS-C02 Exam Questions

Question 1

A financial institution employs an on-premises hardware security module (HSM) to generate and administer its encryption keys, according to its stringent security policies. Their transaction processing application uses Amazon RDS to store data, and all data must be encrypted at rest. A security specialist has generated an encryption key using the on-premises HSM. What should the security specialist do next to adhere to these requirements?

A : Create a new AWS-managed key in AWS KMS, importing the new key material. Use the AWS SDK to integrate with AWS KMS for local data encryption using the new KMS key. Create a new RDS instance and choose the new key as the encryption key. Deactivate the KMS key following RDS instance creation. Migrate the data into RDS

B : Create a new customer-managed key in AWS KMS, importing the new key material. Create a new RDS instance, choosing the new key as the encryption key. Deactivate the KMS key following the RDS instance creation. Migrate the data into RDS.

C : Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS

D : Create a new AWS-managed key in AWS KMS and import the new key material. Give Amazon RDS permission to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS.

Answer: C

Question 2

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

A :

Configure access logging for the required API stage.

B :

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.

C :

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

D :

Use Amazon CloudWatch Logs Insights to analyze API access information.

E :

Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Answer: C,D

Question 3

A company uses AWS Organizations to manage a multi-accountAWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administra-tor for AWS Config. All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organiza-tion. The solution must turn on AWS Config automatically during account crea-tion. Which combination of steps will meet these requirements? (Select TWO.)Create an AWS CloudFormation template that contains the 1 0 required AVVS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.

A : Create an AWS CloudFormation template that contains the 1 0 required AVVS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.

B : Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.

C : Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.

D : Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the security-01 ac-count.

E : Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the management-01 account.

Answer: B,E

Question 4

A developer operations team uses AWS Identity and Access Management (1AM) to manage user permissions The team created an Amazon EC2 instance profile role that uses an AWS managed Readonly Access policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error. The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file. What should the administrator do to fix the 1AM access issue?

A : Edit the ReadOnlyAccess policy to add kms:Decrypt actions.

B : Add the EC2 1AM role as the authorized Principal to the S3 bucket policy.

C : Attach an inline policy with kms Decrypt permissions to the 1AM role

D : Attach an inline policy with S3: * permissions to the 1AM role.

Answer: C

Question 5

An online fitness platform based in Germany uses Amazon Cognito with the Cognito Hosted UI to manage user registrations and sign-ins. Recently, the platform's security team has noticed an unusual number of fraudulent sign-ups originating from outside Germany.The security team wants to implement a mechanism that can add a layer of custom validation during the registration process that checks the location of the customer. The mechanism should be able to accept or reject user registration requests based on the outcome of the validation process.Which solution should the security team implement to fulfill these requirements?

A : Configure a social identity provider (IdP) in Amazon Cognito to validate requests through the hosted UI.

B : Implement AWS WAF with a geographic match statement and connect it to the Amazon Cognito user pool-s domain to filter requests based on geographical origin.

C : Configure a Pre Sign-Up AWS Lambda trigger and associate it with the Amazon Cognito user pool to execute custom validation during sign-up

D : Enable a multi-factor authentication (MFA) method in the Cognito user pool to add an extra layer of security during the user authentication process.

Answer: C