Free Amazon SCS-C02 Exam Questions

Question 1

A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.Which of the following steps would be the most appropriate in this scenario?

A : Track down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.

B : Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.

C : Deactivate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system-s Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.

D : Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

Answer: D

Question 2

A company is running a batch data processing application in an Amazon EC2 instance, which requires frequent access to an Amazon DynamoDB table. The company's security policies mandate that all connections to DynamoDB should be private and secure.

The company has set up a Gateway VPC Endpoint for DynamoDB in the VPC where the EC2 instance resides. Even though the EC2 instance is configured to be within a private subnet with a NAT gateway for internet access, the traffic from the EC2 to DynamoDB goes through the NAT gateway instead of the Gateway VPC endpoint.

What action can a security engineer take to ensure the EC2 instance uses the Gateway VPC Endpoint for DynamoDB?

A : date the route table of the private subnet, where the EC2 instance resides, to remove the route to the NAT gateway.

B : ter the security group of the EC2 instance to permit connections to the DynamoDB network address space

C : ociate the Gateway VPC Endpoint with the route table of the private subnet, where the EC2 instance resides

D : dify the policy of the Gateway VPC Endpoint to permit access from the EC2 instance's private IP.

Answer: C

Question 3

A company is deploying a solution that will allow users to encrypt Amazon S3 objects seamlessly. The solution must be cost effective, highly scalable, and use a managed service. The company must also be able to immediately delete the encryption keys if necessary.Which solution is suitable and will allow immediate deletion of encryption keys?

A : Use AWS CloudHSM to store the keys and then use the CloudHSM API for key deletion.

B : Use AWS KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material.

C : Use AWS KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material.

D : Use AWS CloudHSM with the importPrivateKey API and then use the deleteKey API for key deletion.

Answer: B

Question 4

A security vulnerability has been discovered that could lead to sensitive data being leaked on TCP port 5601. The development team is working on updating the code, but it could take several days. A security engineer must identify any hosts attempting to send data over port 5601 and prevent the traffic leaving the network.

How can the security engineer accomplish this goal?

A : pture IP traffic using VPC Flow Logs and create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic

B : tall the unified CloudWatch agent on Amazon EC2 instances and collect log files in CloudWatch Logs. Create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic.

C : Run an Amazon Inspector custom network assessment to identify Amazon EC2 instances that have TCP port 5601 open. Then, update security groups to block the traffic.

D : AWS CloudTrail to log API actions in an Amazon S3 bucket. Use Amazon Athena to query the log files and identify attempts to connect. Then, update security groups to block the traffic.

Answer: A

Question 5

A company has deployed an organization in AWS Organizations with several member accounts. The security team requires that there is at least on AWS CloudTrail trail configured for all existing accounts and any accounts that are created in the future. The logs should be sent to a single centralized Amazon S3 bucket and administrators in member accounts should not be able to modify the configuration.Which actions should be taken to accomplish this?

A : Create a new trail in each account and use a cross-account role to log to a central S3 bucket.

B : Enable CloudTrail Insights in the management account and run the “aws cloudtrail lookupevents” CLI command

C : Create an organization trail in the management account and specify a central S3 bucket.

D : Create a new trail in each account and use an SCP to deny the “cloudtrail:Delete” API action.

Answer: C