Free Amazon SCS-C02 Exam Questions

Question 1

A solutions architect is designing a secure, distributed application that will run on Amazon EC2 instances across multiple Availability Zones and AWS Regions and on-premises servers. The has asked a security engineer how encryption will be applied between the EC2 instances and on-premises servers.

Which statements are correct about encryption in transit? (Select TWO.)

A : l intra-region traffic is encrypted between instances for all instance types.

B : l traffic across an AWS Direct Connect connection is automatically encrypted.

C : l traffic between Availability Zones is unencrypted by default.

D : l traffic between Availability Zones is encrypted by default.

E : l inter-region traffic over the AWS global network is automatically encrypted.

Answer: A,D

Question 2

A security engineer is attempting to setup automatic notifications that alert administrators about any changes that are made to an Amazon S3 bucket. The engineer has configured AWS Config and created an SNS topic. Changes have been made to the S3 bucket, but the SNS notifications have not been sent.Which combination of steps should the security engineer take to resolve the issue? (Select THREE.)

A : Configure the trust policy on the IAM role AWS Config uses to allow “s3.amazonaws.com” to assume the role.

B : Configure the trust policy on the IAM role AWS Config uses to allow “config.amazonaws.com” to assume the role.

C : Configure the Amazon S3 bucket ACLs to allow AWS Config to record any changes made to the S3 bucket.

D : Configure the access policy for the Amazon SNS topic to allow “sns:publish” access to “config.amazonaws.com”.

E : Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket.

F : Configure the access policy for the Amazon SNS topic to allow “sns:write” access to “config.amazonaws.com”.

Answer: B,D,F

Question 3

A company enforces encryption for all Amazon EBS volumes. Following security incidents, EBS snapshots sometimes need to be shared with a forensics account for analysis. The security team must ensure the volumes remain encrypted as much as possible throughout the process.Which steps are required to share the encrypted snapshots with least privilege?

A : Copy an encrypted EBS volume to the target account, use a customer managed KMS key, and allow the Encrypt, Decrypt, and CreateGrant actions in the key policy.

B : Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

C : Create an unencrypted copy of the encrypted snapshot, share the snapshot with the target account, encrypt the copied snapshot with a customer managed KMS key

D : Share an encrypted snapshot, use an AWS managed KMS key, and allow the kms:* actions for the target account in the key policy.

Answer: B

Question 4

A company has a critical web application running on a fleet of auto scaling Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is associated with an AWS WAF web ACL. The security team has identified suspicious port scans coming from a specific range of internet IP addresses. A security engineer needs to block access from the identified addresses.Which solution meets these requirements?

A : Modify the web ACL with an IP set match rule statement and a block action to deny incoming requests from the IP address range.

B : Modify the web ACL with a rate-based rule statement and a block action to deny incoming requests from the IP address range.

C : Add a rule to the ALB security group to deny incoming requests from the IP address range.

D : Create an Amazon CloudFront distribution in front of the ALB and use geo restrictions to block access from the IP address range.

Answer: A

Question 5