Free Amazon SCS-C02 Exam Questions

Question 1

A company has a critical web application running on a fleet of auto scaling Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is associated with an AWS WAF web ACL. The security team has identified suspicious port scans coming from a specific range of internet IP addresses. A security engineer needs to block access from the identified addresses.Which solution meets these requirements?

A : Modify the web ACL with an IP set match rule statement and a block action to deny incoming requests from the IP address range.

B : Modify the web ACL with a rate-based rule statement and a block action to deny incoming requests from the IP address range.

C : Add a rule to the ALB security group to deny incoming requests from the IP address range.

D : Create an Amazon CloudFront distribution in front of the ALB and use geo restrictions to block access from the IP address range.

Answer: A

Question 2

A security engineer is attempting to setup automatic notifications that alert administrators about any changes that are made to an Amazon S3 bucket. The engineer has configured AWS Config and created an SNS topic. Changes have been made to the S3 bucket, but the SNS notifications have not been sent.Which combination of steps should the security engineer take to resolve the issue? (Select THREE.)

A : Configure the trust policy on the IAM role AWS Config uses to allow “s3.amazonaws.com” to assume the role.

B : Configure the trust policy on the IAM role AWS Config uses to allow “config.amazonaws.com” to assume the role.

C : Configure the Amazon S3 bucket ACLs to allow AWS Config to record any changes made to the S3 bucket.

D : Configure the access policy for the Amazon SNS topic to allow “sns:publish” access to “config.amazonaws.com”.

E : Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket.

F : Configure the access policy for the Amazon SNS topic to allow “sns:write” access to “config.amazonaws.com”.

Answer: B,D,F

Question 3

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects. Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

A : The IAM policy needs to allow the kms:DescribeKey permission

B : The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.

C : An S3 bucket policy needs to be added to allow the IAM user to access the objects.

D : The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key

Answer: D

Question 4

A company has a critical web application running on a fleet of auto scaling Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is associated with an AWS WAF web ACL. The security team has identified suspicious port scans coming from a specific range of internet IP addresses. A security engineer needs to block access from the identified addresses.Which solution meets these requirements?

A : Modify the web ACL with an IP set match rule statement and a block action to deny incoming requests from the IP address range.

B : Modify the web ACL with a rate-based rule statement and a block action to deny incoming requests from the IP address range.

C : Add a rule to the ALB security group to deny incoming requests from the IP address range.

D : Create an Amazon CloudFront distribution in front of the ALB and use geo restrictions to block access from the IP address range.

Answer: A

Question 5

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet. The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905. Which solution will identify the affected EC2 instances with the LEAST operational effort?

A : Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

B : Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

C : Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

D : Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Answer: B