Free Amazon SCS-C02 Exam Questions

Question 1

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

A : Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

B : Respond to the notification and list the actions that have been taken to address the incident

C : Delete all IAM users and resources in the account

D : Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

E : Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Answer: D,E

Question 2

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

A : An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

B : An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

C : An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

D : A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Answer: B

Question 3

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator. A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application. Which solution will meet these requirements?

A : Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.

B : Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.

C : Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.

D : Create an AWS WAF web ACL for the ALB Create a custom rule that allows requests from legitimate user agent strings

Answer: C

Question 4

A new application runs on Amazon EC2 instances behind an Application Load Balancer. Some of the company’s other applications have recently seen attacks with high rates of requests from single IP addresses. A security engineer wants to ensure the new application is protected from such attacks.

How can the security engineer add protection to the application without permanently blocking the IP address?

A : nerate a custom error page in Amazon CloudFront.

B : able geo restriction in Amazon CloudFront.

C : AWS WAF to create a rate-based rule.

D : AWS Shield protection to the Application Load Balancer.

Answer: C

Question 5

A company has a group of Amazon EC2 instances in a private subnet that does not have a NAT gateway attached. A security engineer needs to capture logs from an application and collect the log files in Amazon CloudWatch Logs.

Which steps should the security engineer take to securely meet the requirements? (Select TWO.)

A : tall and configure the unified CloudWatch agent on the EC2 instances and attach an instance profile with permissions to write to CloudWatch Logs.

B : tach an internet gateway to the subnet and update the subnet route table to point to the internet gateway.

C : eate an interface VPC endpoint for CloudWatch Logs. Configure the endpoint policy to allow the EC2 instances to use the endpoint.

D : hedule a local cron job on each EC2 instance that copies the log files to an Amazon S3 bucket. Point CloudWatch Logs to the S3 bucket.

E : eate a gateway VPC endpoint for Amazon S3. Configure the bucket policy to allow access only for connections from the VPC endpoint.

Answer: A,C