Practice Free SCS-C02 Exam Online Questions
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
- A . Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
- B . Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
- C . Use AWS IAM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
- D . Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
A
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-share-clusters/#:~:text=In%20the%20nav
A website currently runs on Amazon EC2, with mostly static content on the site. Recently the site was subjected to a DDoS attack, and a security engineer was asked to redesign the edge security to help mitigate this risk in the future.
What are some ways the engineer could achieve this? (Select THREE.)
- A . Use AWS X-Ray to inspect the traffic going to the EC2 instances.
- B . Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.
- C . Change the security group configuration to block the source of the attack traffic.
- D . Use AWS WAF security rules to inspect the inbound traffic.
- E . Use Amazon Inspector assessment templates to inspect the inbound traffic.
- F . Use Amazon Route 53 to distribute traffic.
A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.
The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest.
Which combination of steps will meet these requirements? (Select TWO.)
- A . Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
- B . Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
- C . Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
- D . Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
- E . Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.
A C
Explanation:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html
https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/
To implement encryption at rest for both the EC2 instances and the Aurora DB cluster, the following steps are required:
For the EC2 instances, modify the EBS default encryption settings in the target AWS Region to enable encryption. This will ensure that any new EBS volumes created in that Region are encrypted by default using an AWS managed key. Alternatively, you can specify a customer managed key when creating new EBS volumes. For more information, see Amazon EBS encryption.
Use an Auto Scaling group instance refresh to replace the existing EC2 instances with new ones that have encrypted EBS volumes attached. An instance refresh is a feature that helps you update all instances in an Auto Scaling group in a rolling fashion without the need to manage the instance replacement process manually. For more information, see Replacing Auto Scaling instances based on an instance refresh.
For the Aurora DB cluster, create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster. You can use either an AWS managed key or a customer managed key to encrypt the new DB cluster. You cannot enable or disable encryption for an existing DB cluster, so you have to create a new one from a snapshot. For more information, see Encrypting Amazon Aurora resources.
The other options are incorrect: B and E use AWS Certificate Manager (ACM), which issues and manages TLS certificates and does not encrypt EBS volumes or DB storage, and D is not possible because encryption cannot be turned on for an existing Aurora DB cluster; the cluster has to be re-created from a snapshot with encryption enabled.
Verified References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html
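The three steps above, as an added example in Python (not code from the question bank or from AWS documentation). It consumes responses shaped like boto3's ec2.describe_instances(), ec2.describe_volumes() and rds.describe_db_clusters() (constructed samples here, not real account data), reports which Auto Scaling groups still carry unencrypted volumes and which Aurora clusters are unencrypted, and builds the boto3 calls for options A and C without executing them. The ASG names, instance, volume and cluster identifiers and the KMS key alias are hypothetical.

```python
import json
from typing import Dict, List

NO_ASG = "(no-asg)"

# Constructed sample data shaped like the boto3 responses; not from any real account.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0web1", "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "web-asg"}]},
    {"InstanceId": "i-0api1", "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "backend-asg"}]},
    {"InstanceId": "i-0api2", "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "backend-asg"}]},
    {"InstanceId": "i-0adhoc", "Tags": [{"Key": "Name", "Value": "bastion"}]},
]}]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "Attachments": [{"InstanceId": "i-0web1"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "Attachments": [{"InstanceId": "i-0api1"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "Attachments": [{"InstanceId": "i-0api2"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": False, "Attachments": [{"InstanceId": "i-0adhoc"}]},
]}
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "app-aurora", "Engine": "aurora-mysql", "StorageEncrypted": False},
    {"DBClusterIdentifier": "reports-aurora", "Engine": "aurora-mysql", "StorageEncrypted": True},
]}


def instance_to_asg(describe_instances: Dict) -> Dict[str, str]:
    """Map instance IDs to their Auto Scaling group via the aws:autoscaling:groupName tag."""
    out: Dict[str, str] = {}
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            out[inst["InstanceId"]] = tags.get("aws:autoscaling:groupName", NO_ASG)
    return out


def asgs_with_unencrypted_volumes(describe_volumes: Dict, inst_asg: Dict[str, str]) -> Dict[str, List[str]]:
    """Group unencrypted volumes by owning ASG. Volumes on instances outside any ASG land
    under NO_ASG: an instance refresh will not replace those, they need manual handling."""
    result: Dict[str, List[str]] = {}
    for vol in describe_volumes["Volumes"]:
        if vol["Encrypted"]:
            continue
        for att in vol.get("Attachments") or [{"InstanceId": None}]:
            asg = inst_asg.get(att["InstanceId"], NO_ASG)
            result.setdefault(asg, []).append(vol["VolumeId"])
    return result


def unencrypted_clusters(describe_db_clusters: Dict) -> List[str]:
    return [c["DBClusterIdentifier"] for c in describe_db_clusters["DBClusters"]
            if not c["StorageEncrypted"]]


def remediation_calls(asgs: Dict[str, List[str]], clusters: List[str], kms_key_id: str) -> List[Dict]:
    """Build the boto3 calls (client, method, kwargs) for options A and C. Nothing is
    executed; a caller would run getattr(boto3.client(c["client"]), c["method"])(**c["kwargs"])."""
    calls: List[Dict] = [
        # Option A: every new volume in the Region is encrypted from now on ...
        {"client": "ec2", "method": "enable_ebs_encryption_by_default", "kwargs": {}},
        {"client": "ec2", "method": "modify_ebs_default_kms_key_id", "kwargs": {"KmsKeyId": kms_key_id}},
    ]
    # ... and a rolling instance refresh replaces the instances that still have old volumes.
    for asg in asgs:
        if asg != NO_ASG:
            calls.append({"client": "autoscaling", "method": "start_instance_refresh",
                          "kwargs": {"AutoScalingGroupName": asg,
                                     "Preferences": {"MinHealthyPercentage": 90}}})
    # Option C: snapshot the unencrypted cluster and restore it with a KMS key. The restored
    # cluster has no DB instances yet; add them with rds.create_db_instance afterwards.
    for cluster in clusters:
        snap = f"{cluster}-pre-encryption"
        calls.append({"client": "rds", "method": "create_db_cluster_snapshot",
                      "kwargs": {"DBClusterIdentifier": cluster, "DBClusterSnapshotIdentifier": snap}})
        calls.append({"client": "rds", "method": "restore_db_cluster_from_snapshot",
                      "kwargs": {"DBClusterIdentifier": f"{cluster}-encrypted",
                                 "SnapshotIdentifier": snap, "Engine": "aurora-mysql",
                                 "KmsKeyId": kms_key_id}})
    return calls


if __name__ == "__main__":
    asgs = asgs_with_unencrypted_volumes(SAMPLE_VOLUMES, instance_to_asg(SAMPLE_INSTANCES))
    print(json.dumps(remediation_calls(asgs, unencrypted_clusters(SAMPLE_CLUSTERS),
                                       "alias/ebs-default"), indent=2))
```

The instance refresh only helps for volumes that the launch template creates; the bastion volume in the sample shows why the audit separates instances that no Auto Scaling group owns.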
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.
The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet’s network ACL allows all inbound and outbound traffic.
Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)
- A . Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
- B . Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC’s CIDR range.
- C . Create an EC2 key pair. Associate the key pair with the EC2 instance.
- D . Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
- E . Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC’s CIDR range.
- F . Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.
A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and AmazonVPCFullAccess.
The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role.
Which solution will meet these requirements in the MOST operationally efficient way?
- A . In AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM policy for the role.
- B . Remove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.
- C . Create an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the Principal Arn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM policies from the role.
- D . In AWS CloudTrail, create a trail for management events. Remove the existing AWS managed IAM policies from the role. Run the script. Find the authorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected.
What should a security engineer do to ensure that the EC2 instances are logged?
- A . Use IPv6 addresses that are configured for hostnames.
- B . Configure external DNS resolvers as internal resolvers that are visible only to AWS.
- C . Use AWS DNS resolvers for all EC2 instances.
- D . Configure a third-party DNS resolver with logging for all EC2 instances.
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the
right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks.
The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?
- A . Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
- B . Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
- C . Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content
- D . Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.
B
Explanation:
Utilizing CloudFront signed cookies is the simplest and most effective way to protect HLS video content for paying subscribers. Signed cookies provide access control for multiple files, such as video chunks in HLS streaming, without the need to generate a signed URL for each video chunk. This method simplifies the process for long video events with thousands of chunks, enhancing user experience while ensuring content protection.
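What the application has to produce for option B, as an added example in Python that is not code from the question bank or from AWS. It builds a CloudFront custom policy whose Resource is a wildcard over one event's HLS path, encodes it with CloudFront's modified base64 alphabet, and emits the three cookies; one policy therefore covers the manifest and every chunk, which is the point of cookies over per-file signed URLs. The distribution hostname, key pair ID and event path are hypothetical, and demo_signer is a stand-in: a real deployment signs the policy with the private key of the CloudFront key pair using RSA with SHA-1, as noted in the comment.

```python
import base64
import fnmatch
import hashlib
import json
from typing import Callable, Dict, Optional

# CloudFront replaces the base64 characters + = / with - _ ~ so values are cookie/URL safe.
_CF_SAFE = str.maketrans("+=/", "-_~")
_CF_UNSAFE = str.maketrans("-_~", "+=/")

DIST = "https://d111111abcdef8.cloudfront.net"   # hypothetical distribution
KEY_PAIR_ID = "APKAEXAMPLEKEYPAIR"                # hypothetical CloudFront key pair ID


def _cf_b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(_CF_SAFE)


def decode_policy(cookie_value: str) -> str:
    """Inverse of the encoding, useful when debugging a 403 from CloudFront."""
    return base64.b64decode(cookie_value.translate(_CF_UNSAFE)).decode("utf-8")


def build_custom_policy(resource: str, expires_epoch: int, source_ip: Optional[str] = None) -> str:
    """Custom policy: wildcard Resource, expiry, optional viewer CIDR.
    CloudFront requires the JSON without whitespace before it is base64-encoded."""
    condition: Dict = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def make_signed_cookies(policy: str, key_pair_id: str,
                        rsa_signer: Callable[[bytes], bytes]) -> Dict[str, str]:
    raw = policy.encode("utf-8")
    return {
        "CloudFront-Policy": _cf_b64(raw),
        "CloudFront-Signature": _cf_b64(rsa_signer(raw)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


def policy_covers(policy: str, url: str) -> bool:
    """Does the policy's wildcard Resource match this object URL? (same * semantics as CloudFront)"""
    resource = json.loads(policy)["Statement"][0]["Resource"]
    return fnmatch.fnmatchcase(url, resource)


def demo_signer(data: bytes) -> bytes:
    # STAND-IN so the example runs offline. CloudFront verifies an RSA-SHA1 signature
    # made with the key pair's private key, e.g. with the `cryptography` package:
    #   private_key.sign(data, padding.PKCS1v15(), hashes.SHA1())
    return hashlib.sha1(data).digest()


def issue_cookies_for_event(event_id: str, expires_epoch: int,
                            viewer_ip: Optional[str] = None) -> Dict[str, str]:
    """Called by the web application after it has authenticated the paying user."""
    policy = build_custom_policy(f"{DIST}/hls/{event_id}/*", expires_epoch, viewer_ip)
    return make_signed_cookies(policy, KEY_PAIR_ID, demo_signer)


if __name__ == "__main__":
    for name, value in issue_cookies_for_event("event-42", 1700000000, "203.0.113.0/24").items():
        print(f"Set-Cookie: {name}={value}; Domain=d111111abcdef8.cloudfront.net; Path=/hls/; Secure; HttpOnly")
```

The Set-Cookie attributes matter as much as the signature: the Domain must be the CloudFront hostname (the player sends the cookies only to that domain), Path scopes them to the streaming prefix, and Secure/HttpOnly keep the signed policy out of scripts and plain-HTTP requests. The expiry in the policy, not the cookie's own Expires, is what CloudFront enforces.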
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.
A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.
Which rule statement will meet these requirements?
- A . Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
- B . Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
- C . Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.
- D . Use a string match rule statement that includes details of the IoT device brand from the user agent.
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.
When the code is processed, the following error message appears: "An error occurred (AccessDenied) when calling the AssumeRole operation."
Which combination of steps should the security engineer take to resolve this error? (Select TWO.)
- A . Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
- B . Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
- C . Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
- D . Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
- E . Ensure that the sts:AssumeRole API call is being issued to the us-east-1 Region endpoint.
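A cross-account AssumeRole needs both halves: the caller's identity policy must allow sts:AssumeRole on the target role ARN, and the target role's trust policy must name the caller (or its account root) as a principal. The checker below is an added example in Python, not code from the question bank or from AWS; it evaluates constructed policy documents for the two roles in the question with simplified IAM semantics (wildcards via fnmatch, explicit deny wins, no condition keys) and reports which half is missing. The account IDs and the sample policies are hypothetical. The Lambda service trust on LambdaAuditRole is a separate concern: without it the function would have no credentials at all rather than an AccessDenied from AssumeRole.

```python
import fnmatch
from typing import Dict, List

# Hypothetical role ARNs for the two accounts in the question.
LAMBDA_AUDIT_ROLE = "arn:aws:iam::111122223333:role/LambdaAuditRole"
ACME_AUDIT_FACTORY_ROLE = "arn:aws:iam::444455556666:role/AcmeAuditFactoryRole"

# Constructed policy documents, before and after the fix.
BASIC_EXECUTION_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}
WITH_ASSUME_ROLE = {"Version": "2012-10-17", "Statement": [
    BASIC_EXECUTION_ONLY["Statement"][0],
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ACME_AUDIT_FACTORY_ROLE}]}   # option A
TRUSTS_OWN_ACCOUNT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"}, "Action": "sts:AssumeRole"}]}
TRUSTS_LAMBDA_AUDIT_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA_AUDIT_ROLE}, "Action": "sts:AssumeRole"}]}   # option C


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def identity_policy_allows_assume(policy: Dict, target_role_arn: str) -> bool:
    """Caller side: an Allow for sts:AssumeRole on the target ARN and no explicit Deny."""
    allow = deny = False
    for st in _as_list(policy["Statement"]):
        if _matches(st.get("Action", []), "sts:AssumeRole") and _matches(st.get("Resource", []), target_role_arn):
            if st.get("Effect") == "Deny":
                deny = True
            elif st.get("Effect") == "Allow":
                allow = True
    return allow and not deny


def trust_policy_allows(trust: Dict, caller_role_arn: str) -> bool:
    """Target side: the trust policy must list the caller role, its account root, or *.
    Trusting the account root delegates the decision to that account's identity policies."""
    account_root = f"arn:aws:iam::{caller_role_arn.split(':')[4]}:root"
    for st in _as_list(trust["Statement"]):
        if st.get("Effect") != "Allow" or not _matches(st.get("Action", []), "sts:AssumeRole"):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        for p in _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []:
            if p in ("*", caller_role_arn, account_root):
                return True
    return False


def diagnose_assume_role(caller_role_arn: str, caller_policy: Dict,
                         target_role_arn: str, target_trust: Dict) -> List[str]:
    """Empty list means AssumeRole should succeed; otherwise each entry names the missing half."""
    problems = []
    if not identity_policy_allows_assume(caller_policy, target_role_arn):
        problems.append(f"identity policy of {caller_role_arn} lacks sts:AssumeRole on {target_role_arn} (option A)")
    if not trust_policy_allows(target_trust, caller_role_arn):
        problems.append(f"trust policy of {target_role_arn} does not allow {caller_role_arn} (option C)")
    return problems


if __name__ == "__main__":
    for line in diagnose_assume_role(LAMBDA_AUDIT_ROLE, BASIC_EXECUTION_ONLY,
                                     ACME_AUDIT_FACTORY_ROLE, TRUSTS_OWN_ACCOUNT_ONLY):
        print(line)
```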
An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances.
Each subnet is currently using the VPC’s default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets.
A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and private-subnet-2 cannot communicate with each other.
Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)
- A . Add an outbound allow rule for 192.168.2.0/24 in the VPC’s default network ACL.
- B . Add an inbound allow rule for 192.168.2.0/24 in the VPC’s default network ACL.
- C . Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
- D . Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
- E . Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
DE
Explanation:
Option D adds an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL, so requests from public-subnet-1 can enter private-subnet-2, and option E adds the matching outbound allow rule for 192.168.1.0/24, so replies (and connections initiated from private-subnet-2) can leave toward public-subnet-1. A newly created custom network ACL contains only the catch-all deny entries in each direction, which is why traffic stopped as soon as the subnet was associated with it. Options A and B modify the VPC's default network ACL, which already allows all traffic, so they change nothing, and option C would only allow outbound traffic to 192.168.2.0/24 itself.
By configuring rules D and E, the security engineer reestablishes communication between the EC2 instances in both subnets. It is essential to remember that network ACLs are stateless: both an inbound and an outbound rule are needed for a bidirectional flow, including the return traffic on ephemeral ports, whereas security groups track connection state and allow the reply automatically.
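The stateless evaluation described above, as an added example in Python (not code from the question bank or from AWS). It models network ACL semantics (rules evaluated in ascending order, first match wins, trailing * deny) and walks one TCP connection across the four rule sets it crosses, reporting where it is dropped. The VPC default network ACL, the freshly created subnet-2-NACL, and the rules from options D and E are reconstructed from the question; the IP addresses and ephemeral port are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

STAR = 32768  # stands in for the catch-all "*" rule that ends every network ACL


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "allow" or "deny"
    cidr: str            # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int = 0
    port_to: int = 65535


@dataclass
class Nacl:
    name: str
    inbound: List[Rule]
    outbound: List[Rule]


def evaluate(rules: List[Rule], ip: str, port: int) -> bool:
    """Network ACL semantics: lowest rule number first, first match decides, * denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if ip_address(ip) in ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


def tcp_exchange_blocked_at(client_nacl: Nacl, client_ip: str, server_nacl: Nacl,
                            server_ip: str, server_port: int, client_port: int = 49152) -> List[str]:
    """A single TCP connection between two subnets crosses four stateless rule sets: the
    request leaves the client subnet and enters the server subnet on server_port, and the
    reply leaves the server subnet and re-enters the client subnet on the ephemeral port."""
    hops = [
        (f"{client_nacl.name} outbound to {server_ip}:{server_port}", client_nacl.outbound, server_ip, server_port),
        (f"{server_nacl.name} inbound from {client_ip} to port {server_port}", server_nacl.inbound, client_ip, server_port),
        (f"{server_nacl.name} outbound to {client_ip}:{client_port}", server_nacl.outbound, client_ip, client_port),
        (f"{client_nacl.name} inbound from {server_ip} to port {client_port}", client_nacl.inbound, server_ip, client_port),
    ]
    return [label for label, rules, ip, port in hops if not evaluate(rules, ip, port)]


# The VPC's default network ACL allows everything in both directions (rule 100 + *).
ALLOW_ALL = [Rule(100, "allow", "0.0.0.0/0"), Rule(STAR, "deny", "0.0.0.0/0")]
DEFAULT_NACL = Nacl("vpc-default", list(ALLOW_ALL), list(ALLOW_ALL))


def subnet_2_nacl_as_created() -> Nacl:
    """A new custom network ACL: only the catch-all deny in each direction."""
    return Nacl("subnet-2-NACL", [Rule(STAR, "deny", "0.0.0.0/0")], [Rule(STAR, "deny", "0.0.0.0/0")])


def subnet_2_nacl_with_fix() -> Nacl:
    nacl = subnet_2_nacl_as_created()
    nacl.inbound.insert(0, Rule(100, "allow", "192.168.1.0/24"))    # option D
    nacl.outbound.insert(0, Rule(100, "allow", "192.168.1.0/24"))   # option E
    return nacl


if __name__ == "__main__":
    client, server = "192.168.1.10", "192.168.2.20"   # constructed instance addresses
    for nacl in (DEFAULT_NACL, subnet_2_nacl_as_created(), subnet_2_nacl_with_fix()):
        dropped = tcp_exchange_blocked_at(DEFAULT_NACL, client, nacl, server, 22)
        print(f"private-subnet-2 using {nacl.name}: {'allowed' if not dropped else dropped}")
```

Adding only option D would still leave the reply dropped at "subnet-2-NACL outbound", and the instance would see a connection that never completes; that one-sided failure is the usual symptom of forgetting that network ACLs are stateless.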