Free Amazon SCS-C02 Exam Questions

Question 1

An online gaming company has a network of Amazon EC2 instances that are frequently targeted by rogue bots. The security team needs to implement an automated system to block traffic from identified malicious sources. The system needs to respond in near real-time and the security team decided to use AWS Step Functions to orchestrate this solution.Which solution should the security engineer implement to meet these requirements?

A : Use AWS CloudTrail to monitor for malicious traffic. Store the identified IP addresses in a DynamoDB table. Utilize Lambda to update the DynamoDB table and modify a WAF web ACL rule to block the traffic

B : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify a Security Group rule to block the traffic from these IP addresses.

C : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

D : Use AWS WAF to detect malicious traffic. Use DynamoDB to store the identified IP addresses. Utilize Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

Answer: C

Question 2

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data The solution must automatically apply to any new log groups that are created in the account in the future. Which solution will meet these requirements?

A : Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D : Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission

Answer: A

Question 3

A financial institution employs an on-premises hardware security module (HSM) to generate and administer its encryption keys, according to its stringent security policies. Their transaction processing application uses Amazon RDS to store data, and all data must be encrypted at rest. A security specialist has generated an encryption key using the on-premises HSM. What should the security specialist do next to adhere to these requirements?

A : Create a new AWS-managed key in AWS KMS, importing the new key material. Use the AWS SDK to integrate with AWS KMS for local data encryption using the new KMS key. Create a new RDS instance and choose the new key as the encryption key. Deactivate the KMS key following RDS instance creation. Migrate the data into RDS

B : Create a new customer-managed key in AWS KMS, importing the new key material. Create a new RDS instance, choosing the new key as the encryption key. Deactivate the KMS key following the RDS instance creation. Migrate the data into RDS.

C : Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS

D : Create a new AWS-managed key in AWS KMS and import the new key material. Give Amazon RDS permission to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS.

Answer: C

Question 4

A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.070. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant. A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups. What should the security engineer do next to meet these requirements?

A : Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricled-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.

B : Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricled-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.

C : Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

D : Configure an Amazon CloudWatch alarm on (he CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

Answer: B

Question 5

A fintech company operates a suite of applications on Amazon EC2. The applications have intricate security needs, governed by a set of security groups. After an unintended modification in a security group disrupted the connectivity of some applications, the company wants to be alerted via a designated email whenever changes are made to these security groups.Which solution can fulfill this requirement most efficiently?

A : Use AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic.

B : Use AWS CloudTrail. Forward logs to Amazon S3. Set up an Amazon Athena query to scan for event patterns indicating security group changes. Use AWS Lambda to send query results to Amazon SES for email notifications.

C : Use Amazon Macie. Enable monitoring for changes in security groups. Configure Amazon Macie to send alerts to an Amazon SNS topic.

D : Use AWS Config. Set up a custom AWS Config rule to track changes to security groups. Configure AWS Lambda for automated remediation and to send notifications to an Amazon SNS topic.

Answer: A