Free Amazon SCS-C02 Exam Questions

Question 1

A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in: Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidldentityToken) A security engineer needs to provide a solution that corrects the error and min-imizes operational overhead. Which solution meets these requirements?

A :

Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.

B :

Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CU.

C :

Download the updated SAML metadata file from the identity service provid-er. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

D :

Configure the AWS identity provider entity defined in AWS Identity and Ac-cess Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

Answer: C

Question 2

A fintech company operates a suite of applications on Amazon EC2. The applications have intricate security needs, governed by a set of security groups. After an unintended modification in a security group disrupted the connectivity of some applications, the company wants to be alerted via a designated email whenever changes are made to these security groups.Which solution can fulfill this requirement most efficiently?

A : Use AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic.

B : Use AWS CloudTrail. Forward logs to Amazon S3. Set up an Amazon Athena query to scan for event patterns indicating security group changes. Use AWS Lambda to send query results to Amazon SES for email notifications.

C : Use Amazon Macie. Enable monitoring for changes in security groups. Configure Amazon Macie to send alerts to an Amazon SNS topic.

D : Use AWS Config. Set up a custom AWS Config rule to track changes to security groups. Configure AWS Lambda for automated remediation and to send notifications to an Amazon SNS topic.

Answer: A

Question 3

A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

A : Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

B : Create a metric filter on the logs so that they can be viewed in the AWS Management Console.

C : Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.c

D : Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

E : Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.

F : Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Answer: A,C,D

Question 4

A fintech company offers a web application that stores files on Amazon S3 and processes transactions on Amazon EC2. Users are complaining about slow response times, and recent cybersecurity audits have raised concerns about web content security.The company needs to accelerate content delivery while enhancing security and privacy, without altering the application code.What combination of actions should the company undertake to meet these requirements? (Select TWO.)

A : Use an AWS WAF web ACL with predefined AWS managed rules to add HTTP security headers to origin responses.

B : Configure Amazon CloudFront and set up a distribution for the S3 and EC2 origins to accelerate content delivery

C : Deploy Amazon ElastiCache to cache the responses of the application endpoints

D : Use an AWS Lambda function configured with CloudFront (Lambda@Edge) to add HTTP security headers on origin responses

E : Utilize an Application Load Balancer (ALB) with enabled Sticky Sessions to preserve the connection header from incoming client requests after forwarding the response back to the client.

Answer: B,D

Question 5

A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services.How can the AWS KMS key be constrained to work with only Amazon S3?

A : Configure the key policy with a kms:CallerAccount condition key that limits use of the KMS key to identities in the specific AWS account.

B : Configure the key policy with a kms:RequestAlias condition key that limits use of the KMS key to requests that use a specific alias.

C : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

D : Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

Answer: C