SCS-C02 Online Practice Questions and Answers

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

B. Implement a rate-based rule with IAM WAF

C. Use IAM Shield to limit the originating traffic hit rate.

D. Implement the GeoLocation feature in Amazon Route 53.

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.

What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

A. Use IAM Certificate Manager to encrypt all traffic between the client and application servers.

B. Review the application security groups to ensure that only the necessary ports are open.

C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

D. Use Amazon Inspector to periodically scan the backend instances.

E. Use IAM Key Management Services to encrypt all the traffic between the client and application servers.

The IAM Systems Manager Parameter Store is being used to store database passwords used by an IAM Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an IAM KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.

Which of the following actions will resolve the access denied error?

A. Update the ssm.amazonIAM.com principal in the KMS key policy to allow kms: Decrypt.

B. Update the Lambda configuration to launch the function in a VPC.

C. Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.

D. Add lambda.amazonIAM.com as a trusted entity on the IAM role that the Lambda function uses.

Your company has an EC2 Instance hosted in IAM. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what the type of error that is occurring? Which one of the below steps can help address this issue?

Please select:

A. Use the VPC Flow Logs.

B. Use a network monitoring tool provided by an IAM partner.

C. Use another instance. Setup a port to "promiscuous mode" and sniff the traffic to analyze the packets.

D. Use Cloudwatch metric

Your company has confidential documents stored in the simple storage service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect what is the change you would make to comply with this requirement.

Please select:

A. Apply Multi-AZ for the underlying 53 bucket

B. Copy the data to an EBS Volume in another Region

C. Create a snapshot of the S3 bucket and copy it to another region

D. Enable Cross region replication for the S3 bucket

You are planning to use IAM Configto check the configuration of the resources in your IAM account. You are planning on using an existing IAM role and using it for the IAM Config resource. Which of the following is required to ensure the IAM config service can work as required?

Please select:

A. Ensure that there is a trust policy in place for the IAM Config service within the role

B. Ensure that there is a grant policy in place for the IAM Config service within the role

C. Ensure that there is a user policy in place for the IAM Config service within the role

D. Ensure that there is a group policy in place for the IAM Config service within the role

Your organization is preparing for a security assessment of your use of IAM. In preparation for this assessment, which three IAM best practices should you consider implementing?

Please select:

A. Create individual IAM users

B. Configure MFA on the root account and for privileged IAM users

C. Assign IAM users and groups configured with policies granting least privilege access

D. Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, and X.509 certificate

A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.

Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.

D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.

E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account

Which configuration caused this issue?

A. An SCP is attached to the account with the following permission statement:

B. A permission boundary policy is attached to the System Administrator role with the following permission statement:

C. A permission boundary is attached to the System Administrator role with the following permission statement:

D. An SCP is attached to the account with the following statement:

A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive data-base credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same pri-vate subnet. The VPC has a Secrets Manager VPC endpoint.

A security engineer discovers that the secret cannot rotate. The security engi-neer determines that the VPC endpoint is working as intended. The Amazon Cloud-Watch logs contain the following error:

"setSecret: Unable to log into database".

Which solution will resolve this error?

A. Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the struc-ture that the database requires.

B. Ensure that the security group that is attached to the Lambda function al-lows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.

C. Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the se-cret.

D. Add an internet gateway to the VPC. Create a NAT gateway in a public sub-net. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.