Free Amazon SCS-C02 Exam Questions

Question 1

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing. The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received. What should the Security Engineer do to troubleshoot this issue?

A :

Add the following statement to the IAM managed CMKs:

"Sid": "Allow Amazon SNS to use this key",

"Effect": "Allow",

"Principal":

"Service": ["sns.amazonaws.com", "sqs.amazonaws.com", "s3.amazonaws.com"]

"Action":[

],

"kms: Decrypt",

"kms: GenerateDatakey"

"Resource":

B :

Add the following statement to the CMK key policy:

Â "Sid": "Allow Amazon SNS to use this key",

"Effect": "Allow",

"Principal": {

"Service": "ons.amazonaws.com"

"Action": [

"kms: Decrypt",

"kms: GenerateDatakey"

"Resource": "*"

C :

Add the following statement to the CMK key policy:

Â "Sid": "Allow Amazon SNS to use this key",

"Effect": "Allow",

"Principal": [

"Service": "sqs.amazonaws.com"

"Action":[

"kms: Decrypt",

"kms: GenerateDatakey"

"Resource": "*"

D :

Add the following statement to the CMK key policy:

Â "Sid": "Allow Amazon SNS to use this key",

"Effect": "Allow",

"Principal": {

"Service": "s3.amazonaws.com"

"Action":[

1.

"kms: Decrypt",

"kms: GenerateDatakey"

"Resource":

Answer: D

Question 2

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User=1, User2. and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1. User2, and User3. Which solution meets these requirements?

A :

"Principal" : {

"AWS" : [

"arn : aws : iam: : 1234567890 : user/User1 ",

"arn : aws : iam: : 1234567890 : user/User2 ",

"arn : aws : iam: : 1234567890 : user/User3 ",

]

}

B :

"Principal" : {

"AWS" : [

"arn : aws : iam: : 1234567890 : root "

]

}

C :

"Principal" : {

"AWS" : [

"*"

]

}

D :

"Principal" : {

"AWS" : "arn : aws : iam: : 1234567890 : group/AuthorizedPeople "

}

Answer: A

Question 3

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead Which solution meets these requirements?

A : Use the IAM Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

B : Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

C : Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only

D : Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Answer: D

Question 4

A financial institution employs an on-premises hardware security module (HSM) to generate and administer its encryption keys, according to its stringent security policies. Their transaction processing application uses Amazon RDS to store data, and all data must be encrypted at rest. A security specialist has generated an encryption key using the on-premises HSM. What should the security specialist do next to adhere to these requirements?

A : Create a new AWS-managed key in AWS KMS, importing the new key material. Use the AWS SDK to integrate with AWS KMS for local data encryption using the new KMS key. Create a new RDS instance and choose the new key as the encryption key. Deactivate the KMS key following RDS instance creation. Migrate the data into RDS

B : Create a new customer-managed key in AWS KMS, importing the new key material. Create a new RDS instance, choosing the new key as the encryption key. Deactivate the KMS key following the RDS instance creation. Migrate the data into RDS.

C : Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS

D : Create a new AWS-managed key in AWS KMS and import the new key material. Give Amazon RDS permission to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS.

Answer: C

Question 5

A company has created an AWS account structure with a centralized management account and several child accounts. An AWS Organization has been created to manage this configuration. The security team require API auditing using AWS CloudTrail for all accounts. Administrators in child accounts should not have privileges to modify the CloudTrail trail configuration.How should AWS CloudTrail be configured with the LEAST operational overhead?

A : Create an Amazon S3 bucket in each AWS account and create an Organization trail in the management account that logs to the S3 bucket

B : Create a CloudTrail trail in each AWS account that logs to separate folders within a central S3 bucket in the management account. Create an SCP to limit permissions.

C : Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket.

D : Create a separate logging account and create a CloudTrail trail within each AWS account that logs to the logging account. Create an SCP to limit permissions

Answer: C