Amazon SCS-C02 Questions & Answers

Full Version: 90 Q&A


Latest SCS-C02 Exam Questions and Practice Tests 2024 - Killexams.com





Exam Code : SCS-C02
Exam Name : AWS Certified Security - Specialty
Vendor Name : Amazon










https://killexams.com/pass4sure/exam-detail/SCS-C02



Question: 75


A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.


What should the security engineer do next to meet this requirement?


  A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

  B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

  C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

  D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.




Answer: A
Question: 76

A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.


What should the security engineer recommend?


  A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

  B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

  C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

  D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.




Answer: C
Question: 77

A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure that only principals in the organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead.


Which solution will meet these requirements?


  A. Put all users into an IAM group with an access policy granting access to the S3 bucket.

  B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

  C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.

  D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.




Answer: D
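A bucket policy implementing option D, added here as an example that is not part of the original question set; the bucket name and the organization ID are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPrincipalsInMyOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-shared-bucket",
        "arn:aws:s3:::example-shared-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

Because aws:PrincipalOrgID is not present on anonymous requests, the wildcard principal grants nothing outside the organization, and new member accounts are covered without editing the policy. Principals in other member accounts still need an identity-based policy that allows the same S3 actions.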
Question: 78

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.


Which combination of AWS services and features will provide protection in this scenario? (Select THREE.)


  A. Amazon Route 53

  B. AWS Certificate Manager (ACM)

  C. Amazon S3

  D. AWS Shield

  E. Elastic Load Balancer

  F. Amazon GuardDuty




Answer: A,D,E
Question: 79

Your CTO thinks your AWS account was hacked.


What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?


  A. Use CloudTrail Log File Integrity Validation.

  B. Use AWS Config SNS subscriptions and process events in real time.

  C. Use CloudTrail backed up to Amazon S3 and Glacier.

  D. Use AWS Config timeline forensics.




Answer: A



Explanation:


The AWS documentation mentions the following:


To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.


Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.


Options B, C, and D are invalid because you need to use log file integrity validation for CloudTrail logs. For more information on CloudTrail log file validation, see: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

The correct answer is: Use CloudTrail Log File Integrity Validation.



Question: 80


A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.


The application must:


⢠Include migration to a different IAM Region in the application disaster recovery plan. ⢠Provide a full audit trail of encryption key administration events

⢠Allow only company administrators to administer keys. ⢠Protect data at rest using application layer encryption

A Security Engineer is evaluating options for encryption key management.


Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?


  A. The key administration event logging generated by CloudHSM is significantly more extensive than that of AWS KMS.

  B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.

  C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.

  D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.




Answer: A
Question: 81

A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions.


What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?


  A. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

  B. Use an organization in AWS Organizations. Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.

  C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.

  D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.




Answer: B
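An SCP implementing option B, added here as an example and not taken from the question set. It is written as a Deny with StringNotEquals because Allow statements in SCPs cannot carry a Condition element; the NotAction list exempts global services whose API calls are not Region-scoped, and the break-glass role ARN is a placeholder:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "health:*",
        "cloudfront:*",
        "route53:*",
        "globalaccelerator:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/BreakGlassAdmin"
        }
      }
    }
  ]
}
```

An SCP only subtracts permissions: a developer still needs an allow from an SCP higher in the hierarchy and from their own IAM policies, and CloudTrail records the AccessDenied responses this statement produces, which makes attempts outside the approved Regions easy to alert on.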
Question: 82

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised.


Which combination of actions should the Security team take to respond to the current incident? (Select TWO.)


  A. Open a support case with the AWS Security team and ask them to remove the malicious code from the affected instance.

  B. Respond to the notification and list the actions that have been taken to address the incident.

  C. Delete all IAM users and resources in the account.

  D. Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the security groups, and create a NACL rule to deny all traffic inbound from the internet.

  E. Delete the identified compromised instances and delete any associated resources that the Security team did not create.




Answer: B,D
Question: 83

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.


Which solution will meet this requirement?


  A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.

  B. Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

  C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.

  D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.




Answer: D



Explanation:


This answer is correct because AWS Shield Advanced is a service that provides comprehensive protection against DDoS attacks of any size or duration. It also provides metrics and reports on the DDoS attack vectors, duration, and size. You can create an Amazon CloudWatch alarm that monitors Shield Advanced metrics such as DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond to receive alerts if a DDoS attack occurs against your account.


For more information, see Monitoring AWS Shield Advanced with Amazon CloudWatch and AWS Shield Advanced metrics and alarms.



Question: 84


A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.


A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).


Which solution will meet these requirements?


  A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.

  B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

  C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.

  D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.




Answer: B
Question: 85

A company stores website images in an Amazon S3 bucket. The company serves the images to end users through Amazon CloudFront. The company recently learned that the images are being accessed from countries in which it does not have a distribution license.


Which steps should the company take to protect the images and restrict their distribution? (Select TWO.)


  A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

  B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

  C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.

  D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.

  E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.




Answer: A,C



Explanation:


For Enable Geo-Restriction, choose Yes. For Restriction Type, choose Whitelist to allow access to certain countries, or choose Blacklist to block access from certain countries. https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-geo-restriction/



Question: 86


A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.


How can a security engineer provide the access to meet these requirements?


  A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.

  B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.

  C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.

  D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.




Answer: C



Explanation:


To provide access to the three individuals who have IAM user accounts to access the Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile, the most appropriate solution would be to assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager, provide the IAM user accounts with permission to use Systems Manager, remove the SSH keys from the EC2 instances, and use Systems Manager Session Manager to select the EC2 instance and connect.


References: AWS Systems Manager Session Manager (AWS Systems Manager documentation); AWS Systems Manager (AWS Management Console); AWS Identity and Access Management (AWS Management Console); Amazon Elastic Compute Cloud (Amazon Web Services); Amazon Linux 2 (Amazon Web Services).
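An identity policy for the three IAM users that implements option C, added as an example and not part of the question set. It assumes the instance profile already carries the AWS managed policy AmazonSSMManagedInstanceCore; the Region, account ID and tag key/value are placeholders, and the tag condition limits sessions to the instances designated for these duties:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnDesignatedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/SshReplacement": "critical-duties"
        }
      }
    },
    {
      "Sid": "UseDefaultShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ConsoleAndCliLookups",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

With this in place the SSH keys can be removed and port 22 closed in the security groups, because the session rides on the SSM Agent's outbound connection and every StartSession call is recorded in CloudTrail under the user's own identity.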


Question: 87


A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices.


Which approach should the security engineer take to meet this requirement?


  A. Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.

  B. Review AWS Trusted Advisor checks for all accounts in the organization.

  C. Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.

  D. Ensure that Amazon Inspector agents are installed on all Amazon EC2 instances in all accounts.




Answer: A
Question: 88

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.


What should the security engineer do to meet these requirements?


  A. Create an inline IAM user policy that allows Amazon EC2 access for the contractor's IAM user.

  B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

  C. Create an IAM group with an attached policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

  D. Create an IAM role that allows EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.




Answer: B
Question: 89

A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.


Which combination of steps must the company perform to meet this requirement? (Select TWO.)


  A. Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.

  B. Ensure that the sts:AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.

  C. Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.

  D. Establish a trust relationship between the IAM user and the AWS account that contains the resources.

  E. Create a role in the IAM user's AWS account. Create an identity policy that allows the sts:AssumeRole action. Attach the identity policy to the role.




Answer: A,C



Explanation:

Option A: Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user. This will ensure that the IAM user has the necessary permissions to assume roles in the other account.


Option C: Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role. This step is necessary to allow the IAM user from the other account to assume the role in this account.


Explanation of other options:


Option B: This option involves Service Control Policies (SCPs), which are used to define the maximum permissions for account members in AWS Organizations. While ensuring the SCPs allow the sts:AssumeRole action might be necessary, it doesn't directly allow cross-account role assumption.


Option D: This option seems too vague and doesn't clearly explain how the trust relationship would be established. Trust relationships are generally established via trust policies, as mentioned in option C.


Option E: This option suggests creating a role in the IAM user's account and attaching a policy allowing sts:AssumeRole to this role. This wouldn't be effective since the role that needs to be assumed would be in the other AWS account that contains the resources, not in the IAM user's own account.
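The two policy documents that options A and C describe, added here as an example and not part of the original explanation. The outer object is only a wrapper for presentation; each inner document is applied on its own (the first to the user in the calling account, the second as the trust policy of the role in the resource account). The account IDs, user name and role name are placeholders:

```json
{
  "identity_policy_on_user_in_account_111111111111": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAssumingTheCrossAccountRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/ResourceReader"
      }
    ]
  },
  "trust_policy_on_role_in_account_222222222222": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TrustOnlyTheNamedUser",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111111111111:user/alice"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "Bool": { "aws:MultiFactorAuthPresent": "true" }
        }
      }
    ]
  }
}
```

Naming the user ARN rather than the account root in the trust policy keeps the grant scoped to one principal, and the MFA condition means a leaked long-term access key alone cannot assume the role; the AssumeRole call and everything done with the temporary credentials appear in the resource account's CloudTrail.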



Question: 90


A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs.


Which combination of steps should the security team take? (Choose three.)


  A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS).

  B. Compress log file with secure gzip.

  C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.

  D. Implement least privilege access to the S3 bucket by configuring a bucket policy.

  E. Configure CloudTrail log file integrity validation.

  F. Configure Access Analyzer for S3.




Answer: A,D,E

