Free Amazon SCS-C02 Exam Questions

Question 1

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

A : Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B : Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated account Assign the cross-account rote to the new IAM user.

C : Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the crossaccount permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

D : Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Answer: A

Question 2

A company has created an AWS account structure with a centralized management account and several child accounts. An AWS Organization has been created to manage this configuration. The security team require API auditing using AWS CloudTrail for all accounts. Administrators in child accounts should not have privileges to modify the CloudTrail trail configuration.How should AWS CloudTrail be configured with the LEAST operational overhead?

A : Create an Amazon S3 bucket in each AWS account and create an Organization trail in the management account that logs to the S3 bucket

B : Create a CloudTrail trail in each AWS account that logs to separate folders within a central S3 bucket in the management account. Create an SCP to limit permissions.

C : Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket.

D : Create a separate logging account and create a CloudTrail trail within each AWS account that logs to the logging account. Create an SCP to limit permissions

Answer: C

Question 3

Due to compliance requirements, a company must rotate encryption keys every year. An AWS KMS key was created using imported key material. A security engineer needs a process to rotate the KMS key.

Which key rotation process is MOST efficient?

A : lect the option to enable automatic rotation for the existing KMS key.

B : load new key material into the existing KMS key.

C : eate a new KMS key and update the existing Key Alias to point to the new KMS key.

D : eate a new KMS key and change the application to point to the new KMS key.

Answer: C

Question 4

A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services.How can the AWS KMS key be constrained to work with only Amazon S3?

A : Configure the key policy with a kms:CallerAccount condition key that limits use of the KMS key to identities in the specific AWS account.

B : Configure the key policy with a kms:RequestAlias condition key that limits use of the KMS key to requests that use a specific alias.

C : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

D : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

Answer: C

Question 5

A fintech company offers a web application that stores files on Amazon S3 and processes transactions on Amazon EC2. Users are complaining about slow response times, and recent cybersecurity audits have raised concerns about web content security.The company needs to accelerate content delivery while enhancing security and privacy, without altering the application code.What combination of actions should the company undertake to meet these requirements? (Select TWO.)

A : Use an AWS WAF web ACL with predefined AWS managed rules to add HTTP security headers to origin responses.

B : Configure Amazon CloudFront and set up a distribution for the S3 and EC2 origins to accelerate content delivery

C : Deploy Amazon ElastiCache to cache the responses of the application endpoints

D : Use an AWS Lambda function configured with CloudFront (Lambda@Edge) to add HTTP security headers on origin responses

E : Utilize an Application Load Balancer (ALB) with enabled Sticky Sessions to preserve the connection header from incoming client requests after forwarding the response back to the client.

Answer: B,D