Free Amazon SCS-C02 Exam Questions

Question 1

A company enforces encryption for all Amazon EBS volumes. Following security incidents, EBS snapshots sometimes need to be shared with a forensics account for analysis. The security team must ensure the volumes remain encrypted as much as possible throughout the process.Which steps are required to share the encrypted snapshots with least privilege?

A : Copy an encrypted EBS volume to the target account, use a customer managed KMS key, and allow the Encrypt, Decrypt, and CreateGrant actions in the key policy.

B : Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

C : Create an unencrypted copy of the encrypted snapshot, share the snapshot with the target account, encrypt the copied snapshot with a customer managed KMS key

D : Share an encrypted snapshot, use an AWS managed KMS key, and allow the kms:* actions for the target account in the key policy.

Answer: B

Question 2

A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

A : Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

B : Create a metric filter on the logs so that they can be viewed in the AWS Management Console.

C : Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.

D : Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

E : Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.

F : Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Answer: A,C,D

Question 3

A company uses HTTP Live Streaming (HL'S) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks sothat the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against aninternal repository and a CloudFront key pair that is already issued. What is the simplest and MOST effective way to protect the content?

A : Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

B : Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

C : Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

D : Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Answer: B

Question 4

An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides ^ccess to the internet for private subnets through a NAT gateway. A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services. What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

A : Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions thatwill publish logs.

B : Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.

C : Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that willpublish logs.

D : Add an interface VPC endpoint to provide a route to CloudWatch Logs.

Answer: C

Question 5

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services. What should the Security Engineer do to meet these requirements? Configure Amazon Macie to continuously check the configuration of all S3 buckets.

A : Configure Amazon Macie to continuously check the configuration of all S3 buckets.

B : Enable IAM Config to check the configuration of each S3 bucket.

C : Set up IAM Systems Manager to monitor S3 bucket policies for public write access.

D : Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Answer: C