Free Amazon SCS-C02 Exam Questions

Question 1

A fintech company offers a web application that stores files on Amazon S3 and processes transactions on Amazon EC2. Users are complaining about slow response times, and recent cybersecurity audits have raised concerns about web content security.The company needs to accelerate content delivery while enhancing security and privacy, without altering the application code.What combination of actions should the company undertake to meet these requirements? (Select TWO.)

A : Use an AWS WAF web ACL with predefined AWS managed rules to add HTTP security headers to origin responses.

B : Configure Amazon CloudFront and set up a distribution for the S3 and EC2 origins to accelerate content delivery

C : Deploy Amazon ElastiCache to cache the responses of the application endpoints

D : Use an AWS Lambda function configured with CloudFront (Lambda@Edge) to add HTTP security headers on origin responses

E : Utilize an Application Load Balancer (ALB) with enabled Sticky Sessions to preserve the connection header from incoming client requests after forwarding the response back to the client.

Answer: B,D

Question 2

A company has a new web-based account management system for an online game Players create a unique username and password to log in to the system. The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system. The company's security team finds that the system was the target of a credential stuffing attack Credentials that were exposed in other breaches were used to try to log in to the system The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future The solution also must minimize impact on legitimate users of the system Which combination of actions will meet these requirements? (Select TWO.)

A : Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address

B : Add the account takeover prevention (ATP) AWS managed rule group to the web ACL Configure the rule group to inspect login requests to the system Block any requests that have the awswaf managed awsatp signal credential_compromised label

C : Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in

D : Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses Block any IP addresses that generate many successful logins

E : Create a custom block response that redirects users to a secure workflow to reset their password inside the system

Answer: B,E

Question 3

A company has created an AWS account structure with a centralized management account and several child accounts. An AWS Organization has been created to manage this configuration. The security team require API auditing using AWS CloudTrail for all accounts. Administrators in child accounts should not have privileges to modify the CloudTrail trail configuration.How should AWS CloudTrail be configured with the LEAST operational overhead?

A : Create an Amazon S3 bucket in each AWS account and create an Organization trail in the management account that logs to the S3 bucket

B : Create a CloudTrail trail in each AWS account that logs to separate folders within a central S3 bucket in the management account. Create an SCP to limit permissions.

C : Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket.

D : Create a separate logging account and create a CloudTrail trail within each AWS account that logs to the logging account. Create an SCP to limit permissions

Answer: C

Question 4

A financial institution employs an on-premises hardware security module (HSM) to generate and administer its encryption keys, according to its stringent security policies. Their transaction processing application uses Amazon RDS to store data, and all data must be encrypted at rest. A security specialist has generated an encryption key using the on-premises HSM. What should the security specialist do next to adhere to these requirements?

A : Create a new AWS-managed key in AWS KMS, importing the new key material. Use the AWS SDK to integrate with AWS KMS for local data encryption using the new KMS key. Create a new RDS instance and choose the new key as the encryption key. Deactivate the KMS key following RDS instance creation. Migrate the data into RDS

B : Create a new customer-managed key in AWS KMS, importing the new key material. Create a new RDS instance, choosing the new key as the encryption key. Deactivate the KMS key following the RDS instance creation. Migrate the data into RDS.

C : Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS

D : Create a new AWS-managed key in AWS KMS and import the new key material. Give Amazon RDS permission to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS.

Answer: C

Question 5

A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload. The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team. Which combination of solutions will meet these requirements? (Select TWO.)

A : Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.

B : Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTraiI to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).

C : Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS Cloud Trail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.

D : Create a local individual break glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break glass IAM users.

E : Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS Cloud Trail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.

Answer: A,E