Practice Free SCS-C02 Exam Online Questions
A company’s engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.
Which solution should the company’s security specialist recommend?
- A . Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
- B . Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
- C . Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
- D . Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.
Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.
The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications.
Which solution will meet these requirements?
- A . Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
- B . Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
- C . Enable CloudTrail Insights to identify unusual API activity.
- D . Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
D
Explanation:
The correct answer is D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
According to the AWS documentation [1], CloudTrail data events are the resource operations performed on or within a resource. These are also known as data plane operations. Data events are often high-volume activities. For example, Amazon S3 object-level API activity (such as GetObject, DeleteObject, and PutObject) is a data event.
By default, trails do not log data events. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information, see Logging data events in the Amazon S3 User Guide [2].
In this case, the security team wants EventBridge to watch for the s3:PutObjectAcl API invocation logs from CloudTrail. This API uses the acl subresource to set the access control list (ACL) permissions for a new or existing object in an S3 bucket [3]. This is a data event that affects the S3 object resource type. Therefore, the security team must enable CloudTrail to monitor data events for read and write operations to S3 buckets in order to invoke an EventBridge event for this API call.
The other options are incorrect because:
A) Modifying the EventBridge event pattern by selecting Amazon S3 and All Events as the event type will not capture the s3:PutObjectAcl API call, because this is a data event and not a management event. Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations [4].
B) Modifying the EventBridge event pattern by selecting Amazon S3 and Bucket Level Operations as the event type will not capture the s3:PutObjectAcl API call, because this is a data event that affects the S3 object resource type and not the S3 bucket resource type. Bucket level operations are management events that affect the configuration or metadata of an S3 bucket [5].
C) Enabling CloudTrail Insights to identify unusual API activity will not help the security team monitor new S3 objects or changes to any S3 bucket policy or setting that result in public access. CloudTrail Insights helps AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events [6]. It does not analyze data events or generate EventBridge events.
References:
[1] CloudTrail log event reference – AWS CloudTrail
[2] Logging data events – AWS CloudTrail
[3] PutObjectAcl – Amazon Simple Storage Service
[4] Logging management events – AWS CloudTrail
[5] Amazon S3 Event Types – Amazon Simple Storage Service
[6] Logging Insights events for trails – AWS CloudTrail
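The explanation above turns on one distinction: the EventBridge pattern is fine, but a trail in the basic configuration never delivers object-level records, so there is nothing for the rule to match. The script below is an added illustration (not part of the exam material or AWS documentation) that models that behaviour locally: a trail that logs management events only versus one with S3 data events enabled, feeding constructed CloudTrail records through a simplified EventBridge pattern matcher. The source/detail-type pair and the `eventName`, `eventSource`, `managementEvent` and `eventCategory` fields are real CloudTrail/EventBridge names; the records, bucket name and the `trail_delivers` model are constructed for the example, and `matches` implements only the exact-value and nested-object subset of EventBridge pattern semantics.

```python
"""Why an EventBridge rule for s3:PutObjectAcl stays silent on a management-only trail.

Added example: the records and the trail model below are constructed, not real output.
"""

# EventBridge pattern for the three S3 calls the security team cares about.
# CloudTrail-delivered API calls arrive with this source / detail-type pair.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutObjectAcl", "DeleteBucketPolicy", "PutBucketPolicy"],
    },
}

# Constructed CloudTrail records (trimmed to the fields this example uses).
# Bucket-policy calls are management events; PutObjectAcl and GetObject are
# object-level data events.
CLOUDTRAIL_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "managementEvent": True, "eventCategory": "Management",
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObjectAcl",
     "managementEvent": False, "eventCategory": "Data",
     "requestParameters": {"bucketName": "example-logs", "key": "a.txt",
                           "acl": "public-read"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
     "managementEvent": True, "eventCategory": "Management",
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "managementEvent": False, "eventCategory": "Data",
     "requestParameters": {"bucketName": "example-logs", "key": "a.txt"}},
]


def trail_delivers(record, log_data_events):
    """Constructed model of a trail's event selectors: management events are
    always recorded in the basic configuration; data events only if enabled."""
    if record["managementEvent"]:
        return True
    return log_data_events


def to_eventbridge_event(record):
    """Envelope EventBridge puts around a CloudTrail record."""
    return {
        "source": "aws.s3",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": record,
    }


def matches(pattern, event):
    """Simplified EventBridge pattern matching: every pattern key must be
    present in the event; a list is the set of allowed values, a dict recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def fired_event_names(records, log_data_events):
    """API calls that would reach the SNS notification for a given trail setup."""
    return [
        r["eventName"]
        for r in records
        if trail_delivers(r, log_data_events)
        and matches(EVENT_PATTERN, to_eventbridge_event(r))
    ]


if __name__ == "__main__":
    print("management-only trail:", fired_event_names(CLOUDTRAIL_RECORDS, False))
    print("with S3 data events:  ", fired_event_names(CLOUDTRAIL_RECORDS, True))
```

With data events off, only PutBucketPolicy and DeleteBucketPolicy fire, which is exactly the symptom in the question; turning data events on surfaces PutObjectAcl while the unrelated GetObject record still fails the pattern, so enabling data events does not by itself create false notifications.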
A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.
Which solution will meet these requirements with the LEAST implementation effort?
- A . Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.
- B . Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.
- C . Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.
- D . Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.
C
A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration to the existing EKS deployment.
Which solution will meet these requirements with the LEAST operational effort?
A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and uses AWS IAM Access Analyzer. A security engineer must automate a response for newly created overly permissive policies to remediate access and notify the security team. (Select THREE.)
- A . Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SNS topic.
- B . Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon SNS topic.
- C . In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.
- D . In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.
- E . Create an Amazon SQS queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.
- F . Create an Amazon SNS topic for external or cross-account access notices. Subscribe the security team’s email addresses to the topic.
A company’s data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.
On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company’s data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.
Which action should a security engineer take to enforce this data retention policy?
- A . Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
- B . Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.
- C . Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.
- D . Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.
A
Explanation:
The correct answer is
An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?
- A . Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
- B . Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
- C . Revoke the IAM role’s active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
- D . Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Select TWO.)
- A . Use the AWS account root user access keys instead of the AWS Management Console.
- B . Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them.
- C . Enable multi-factor authentication for the AWS account root user.
- D . Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.
- E . Do not create access keys for the AWS account root user; instead, create AWS IAM users.
A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?
- A . Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
- B . Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
- C . Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
- D . Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.
B
Explanation:
For seamless encryption of Amazon S3 objects without direct key management, AWS Key Management Service (KMS) with AWS managed keys offers a highly scalable and manageable solution. The ScheduleKeyDeletion API with PendingWindowInDays set to 0 allows for immediate deletion of the keys, meeting the requirement for immediate key removal. This approach leverages the managed infrastructure of KMS, reducing the overhead of key management while ensuring scalability and security. The integration of KMS with S3 and the ability to schedule key deletion provides a balance between ease of use and security control.
A company hired an external consultant who needs to use a laptop to access the company’s VPCs. Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources.
Which solution will meet these requirements?
- A . Create an AWS Client VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
- B . Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
- C . Create a gateway VPC endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
- D . Create an AWS account. Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.
A company plans to create Amazon S3 buckets to store log data. All the S3 buckets will have versioning enabled and will use the S3 Standard storage class.
A security engineer needs to implement a solution that protects objects in the S3 buckets from deletion for 90 days. The solution must ensure that no object can be deleted during this time period, even by an administrator or the AWS account root user.
Which solution will meet these requirements?
- A . Enable S3 Object Lock in governance mode. Set a legal hold of 90 days.
- B . Enable S3 Object Lock in governance mode. Set a retention period of 90 days.
- C . Enable S3 Object Lock in compliance mode. Set a retention period of 90 days.
- D . Create an S3 Glacier Vault Lock policy that prevents deletion for 90 days.