Free Amazon SCS-C02 Exam Questions

Question 1

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

A : Turn on IAM CloudTrail in each IAM account

B : Turn on CloudTrail in only the account that will be storing the logs

C : Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

D : Create a service-based role for CloudTrail and associate it with CloudTrail in each account

E : Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer: A,E

Question 2

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

A : Configure S3 bucket policies to deny DELETE and PUT object permissions.

B : Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C : Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D : Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Answer: B

Question 3

Due to compliance requirements, a company must rotate encryption keys every year. An AWS KMS key was created using imported key material. A security engineer needs a process to rotate the KMS key.

Which key rotation process is MOST efficient?

A : lect the option to enable automatic rotation for the existing KMS key.

B : load new key material into the existing KMS key.

C : eate a new KMS key and update the existing Key Alias to point to the new KMS key.

D : eate a new KMS key and change the application to point to the new KMS key.

Answer: C

Question 4

A company enforces encryption for all Amazon EBS volumes. Following security incidents, EBS snapshots sometimes need to be shared with a forensics account for analysis. The security team must ensure the volumes remain encrypted as much as possible throughout the process.Which steps are required to share the encrypted snapshots with least privilege?

A : Copy an encrypted EBS volume to the target account, use a customer managed KMS key, and allow the Encrypt, Decrypt, and CreateGrant actions in the key policy.

B : Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

C : Create an unencrypted copy of the encrypted snapshot, share the snapshot with the target account, encrypt the copied snapshot with a customer managed KMS key

D : Share an encrypted snapshot, use an AWS managed KMS key, and allow the kms:* actions for the target account in the key policy.

Answer: B

Question 5

A company has a new web-based account management system for an online game Players create a unique username and password to log in to the system. The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system. The company's security team finds that the system was the target of a credential stuffing attack Credentials that were exposed in other breaches were used to try to log in to the system The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future The solution also must minimize impact on legitimate users of the system Which combination of actions will meet these requirements? (Select TWO.)

A : Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address

B : Add the account takeover prevention (ATP) AWS managed rule group to the web ACL Configure the rule group to inspect login requests to the system Block any requests that have the awswaf managed awsatp signal credential_compromised label

C : Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in

D : Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses Block any IP addresses that generate many successful logins

E : Create a custom block response that redirects users to a secure workflow to reset their password inside the system

Answer: B,E