Free Amazon SCS-C02 Exam Questions

Question 1

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A : Configure S3 bucket policies to deny DELETE and PUT object permissions.

B : Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C : Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D : Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Answer: B

Question 2

A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.Which of the following steps would be the most appropriate in this scenario?

A : Track down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.

B : Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.

C : Deactivate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system-s Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.

D : Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

Answer: D

Question 3

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data The solution must automatically apply to any new log groups that are created in the account in the future. Which solution will meet these requirements?

A : Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D : Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission

Answer: A

Question 4

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?

A : Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

B : Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

C : Enable CloudTrail Insights to identify unusual API activity.

D : Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Answer: D

Question 5

A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server. The website is on the subnet 10.0.1.0. The management subnet is 192.168.100.0. A security engineer must create a security group for the EC2 instance. Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Select TWO.)

A : Allow port 22 from source 0.0.0.0/0.

B : Allow port 443 from source 0.0.0.0/0.

C : Allow port 22 from 192.168.100.0.

D : Allow port 22 from 10.0.1.0.

E : Allow port 443 from 10.0.1.0.

Answer: B,C