Free Amazon SCS-C02 Exam Questions

Question 1

A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads. The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account. Which solution will meet these requirements?

A : Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.

B : Activate AWS security Hub in each production account. In a dedicated logging account. aggregate all security Hub findings from each production account. Remediate incidents by ustng AWS Config and AWS Systems Manager. Configure Systems Manager to also pub11Sh notifications to the SNS topic.

C : Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.

D : Activate AWS Security Hub in each production account. In a dedicated logging account. aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.

Answer: D

Question 2

A DevOps engineer has deployed several custom-built images provided by the development team using Amazon Elastic Container Service (ECS) with the Fargate launch type. The engineer now needs to aggregate the logs from all the containers into a pre-existing CloudWatch log group.Which solution will satisfy these requirements?

A : Enable the awslogs log driver by including awslogs-group and awslogs-region parameters in theLogConfiguration property.

B : Install and configure the CloudWatch agent on the running container instances.

C : Define an IAM policy that encompasses the logs:CreateLogGroup action and assign this policy to the running container instances.

D : Implement Fluent Bit and FluentD in a DaemonSet configuration to direct logs to Amazon CloudWatch Logs.

Answer: A

Question 3

A company has deployed an organization in AWS Organizations with several member accounts. The security team requires that there is at least on AWS CloudTrail trail configured for all existing accounts and any accounts that are created in the future. The logs should be sent to a single centralized Amazon S3 bucket and administrators in member accounts should not be able to modify the configuration.Which actions should be taken to accomplish this?

A : Create a new trail in each account and use a cross-account role to log to a central S3 bucket.

B : Enable CloudTrail Insights in the management account and run the “aws cloudtrail lookupevents” CLI command

C : Create an organization trail in the management account and specify a central S3 bucket.

D : Create a new trail in each account and use an SCP to deny the “cloudtrail:Delete” API action.

Answer: C

Question 4

A security engineer is tasked with securing the network access for an application that uses an AWS Lambda function and an Amazon RDS database. The Lambda function and database both run in the same AWS account.

Which network configuration is the MOST secure?

A : eate an interface VPC endpoint for Lambda and update a private subnet route table to point to the endpoint. Update the DB to connect to the private subnet and access the Lambda function. Use endpoint policies to secure network access between the function and DB instance

B : tach an Elastic IP to the Lambda function. Attach a security group to the function that allows outbound access to the DB security group. Update the DB instance security group to allow traffic from the Lambda security group.

C : nnect the Lambda function to a public subnet within the VPC. Attach a security group to the function that allows outbound access to the DB security group only. Update the DB instance security group to allow traffic from the Lambda public address space.

D : nnect the Lambda function to a private subnet within the VPC. Attach a security group to the function that allows outbound access to the VPC CIDR block only. Update the DB instance security group to allow traffic from the Lambda security group.

Answer: D

Question 5

Several AWS accounts belonging to different business units are used for development purposes. An additional account is used by the security team. To ensure security best practices are being followed, the security team requires access to review the configuration of the Amazon EC2 instances in the development accounts.

Which solution will meet these requirements in the MOST secure manner?

A : eate an IAM policy in each development account that has read-only access to Amazon EC2 resources. Assign the policy to an IAM user. Share the user credentials with the security team

B : eate an IAM policy in each development account that has administrator access to Amazon EC2 resources. Assign the policy to a cross-account IAM role. Ask the security team members to assume the role from their account.

C : eate an IAM policy in each development account that has read-only access to Amazon EC2 resources. Assign the policy to a cross-account IAM role. Ask the security team members to assume the role from their account

D : eate an IAM policy in each development account that has administrator access to all Amazon EC2 actions. Assign the policy to an IAM user. Share the user credentials with the security team

Answer: C