Free Amazon SCS-C02 Exam Questions

Become Amazon Certified with updated SCS-C02 exam questions and correct answers

Page: 1 / 105

Total 522 Questions | Updated On: Jul 25, 2023

Add To Cart

Question 1

A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time. Which solution will meet these requirements?

A :

Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common ONS queries.

B :

Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.

C :

Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.

D :

Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

Answer: D

Question 2

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. Which solution will meet the requirements?

A : Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B : Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.

C : Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.

D : Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS

Answer: A

Question 3

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

A : Configure Amazon CloudWatch Logs Insights

B : Create an Amazon CloudWatch dashboard

C : Configure AWS Security Hub integrations

D : Query the findings by using Amazon Athena

Answer: C

Question 4

A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

A : Use IPv6 addresses that are configured for hostnames.

B : Configure external DNS resolvers as internal resolvers that are visible only to IAM.

C : Use IAM DNS resolvers for all EC2 instances.

D : Configure a third-party DNS resolver with logging for all EC2 instances.

Answer: C

Question 5

A business is developing a cloud-native application on AWS and has selected AWS CodeBuild for automating the process of building, testing, and packaging their software code. To meet their security requirements, the company needs to ensure that all CodeBuild API operations executed within the VPC do not traverse the public internet.

What should a security engineer do to meet this requirement?

A : tablish a connection to the VPC using AWS Direct Connect.

B : ploy an interface VPC endpoint for CodeBuild API operations.

C : plement a gateway VPC endpoint for CodeBuild API operations.

D : unch a NAT gateway in a public subnet in the VPC.

Answer: B

Page: 1 / 105

Total 522 Questions | Updated On: Jul 25, 2023

Add To Cart