Nest 0 Cart
Nest Account
Popular Exams
All Categories...
Nest
Nest 0
Contact
Log In / Sign Up
Copyright 2024 © store. All rights reserved.
Home Amazon AWS Certified Security - Specialty SCS-C02

Amazon AWS Certified Security - Specialty SCS-C02 Exam Practice Questions (P. 2)

  • Full Access (307 questions)
  • Six months of Premium Access
  • Access to one million comments
  • Seamless ChatGPT Integration
  • Ability to download PDF files
  • Anki Flashcard files for revision
  • No Captcha & No AdSense
  • Advanced Exam Configuration
Get Contributor Access
Question #11
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.
Which solution will meet the requirement?
  1. A
    Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.
  2. B
    Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.
  3. C
    Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.
  4. D
    Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.

Correct Answer:
D
chatbot-img GPT-4o - Answer
Using Amazon EventBridge to detect critical Security Hub findings, coupled with Amazon Simple Notification Service (SNS) as a notification system, is a practical approach. Users can easily subscribe to the SNS topic via email to receive critical updates. However, there seems to be some confusion or a potential misunderstanding regarding the use of Amazon Simple Email Service (SES) as the target in the event solution. While direct integration of EventBridge with SES isn't standard, typically SNS serves as an intermediary for email notifications. Therefore, ensuring clarity on service compatibility and configuration in solution architecture is crucial.

Question #12
An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.
A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
  1. A
    Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
  2. B
    Set the log retention for desired log groups to 7 years.
  3. C
    Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
  4. D
    Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
  5. E
    Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
  6. F
    Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Correct Answer:
ABC
chatbot-img GPT-4o - Answer
To comply with the logging requirements stipulated for the Auto Scaling groups in the ap-northeast-2 Region, it's crucial to optimize the setup ensuring no data loss during scaling and compliance with the 7-year retention policy. Installing CloudWatch agent on the EC2 instances ensures logs are captured efficiently. Configuring the IAM role for permissions helps in seamless log forwarding to CloudWatch Logs. Setting the retention period to 7 years in CloudWatch Log groups accomplishes the compliance aspect effectively, ensuring logs are retained for the required duration. This approach provides a robust and compliant logging solution for the described scenario.

Question #13
A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM users to access certain services in the AWS production account. Each session must remain valid for only 2 hours. The current version of the IAM policy is as follows:

Which combination of conditions must the security engineer add to the IAM policy to meet these requirements? (Choose two.)
  1. A
    "Bool": {"aws:MultiFactorAuthPresent": "true"}
  2. B
    "Bool": {"aws:MultiFactorAuthPresent": "false"}
  3. C
    "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"}
  4. D
    "NumericGreaterThan": {"aws:MultiFactorAuthAge": "7200"}
  5. E
    "NumericLessThan": {"MaxSessionDuration": "7200"}

Correct Answer:
AD

Question #14
A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.
The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account.
Which solution will meet these requirements?
  1. A
    Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.
  2. B
    Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish notifications to the SNS topic.
  3. C
    Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
  4. D
    Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.

Correct Answer:
D
chatbot-img GPT-4o - Answer
Option D is the correct answer when considering the requirement to monitor, automate remediation, and send notifications for suspicious behavior across multiple AWS accounts. While Amazon GuardDuty is vital for threat detection, AWS Security Hub provides a comprehensive view by aggregating security findings across services, which is essential for managing security posture and compliance effectively. Security Hub, combined with Amazon EventBridge and AWS Lambda, facilitates centralized incident management and automated response—factors critical for handling security incidents efficiently in a multi-account environment.

Question #15
A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?
  1. A
    Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  2. B
    Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
  3. C
    Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  4. D
    For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Correct Answer:
C
chatbot-img GPT-4o - Answer
Service Control Policies (SCPs) are the optimal approach to managing permissions across multiple AWS accounts with minimal effort. By applying SCPs, organizations can restrict accounts within their organization from accessing specific AWS services in certain regions. SCPs manage permissions at the organizational level, providing a centralized policy management system that reduces the complexity of individual account configurations. With SCPs, it's straightforward to enforce consistent access controls across all accounts, ensuring compliance and simplifying administration. Remember that the 'NotAction' element is indeed usable in SCPs, allowing for effective exceptions within your policies.

Question #16
A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.
Which solution meets these requirements?
  1. A
    Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
  2. B
    Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.
  3. C
    Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys from CloudHSM for client-side encryption of application data.
  4. D
    Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.

Correct Answer:
A
chatbot-img GPT-4o - Answer
Option A is optimal because it efficiently addresses both data encryption at rest and in transit, crucial for meeting compliance requirements in the described ecommerce application. Utilizing AWS Certificate Manager for TLS certificates with an Application Load Balancer, combined with the direct implementation of self-signed certificates on EC2 instances, ensures a secure, encrypted connection. The secure TLS connection to the Amazon RDS and enabling encryption on the RDS DB instance and Amazon EBS volumes provide comprehensive security measures that are both cost-effective and minimize operational overhead compared to the alternative options suggested.

Question #17
A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)
  1. A
    Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
  2. B
    Place the DB instance in a public subnet.
  3. C
    Place the DB instance in a private subnet.
  4. D
    Configure the Auto Scaling group to place the EC2 instances in a public subnet.
  5. E
    Configure the Auto Scaling group to place the EC2 instances in a private subnet.
  6. F
    Deploy the ALB in a private subnet.

Correct Answer:
DEF

Question #18
A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.
The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.
Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose three.)
  1. A
    Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.
  2. B
    Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
  3. C
    For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.
  4. D
    For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.
  5. E
    Update each stack to use the service role.
    F Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.

Correct Answer:
DEA

Question #19
A company used a lift-and-shift approach to migrate from its on-premises data centers to the AWS Cloud. The company migrated on-premises VMs to Amazon EC2 instances. Now the company wants to replace some of components that are running on the EC2 instances with managed AWS services that provide similar functionality.
Initially, the company will transition from load balancer software that runs on EC2 instances to AWS Elastic Load Balancers. A security engineer must ensure that after this transition, all the load balancer logs are centralized and searchable for auditing. The security engineer must also ensure that metrics are generated to show which ciphers are in use.
Which solution will meet these requirements?
  1. A
    Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the CloudWatch Logs console to search the logs. Create CloudWatch Logs filters on the logs for the required metrics.
  2. B
    Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Amazon CloudWatch filters on the S3 log files for the required metrics.
  3. C
    Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.
  4. D
    Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the AWS Management Console to search the logs. Create Amazon Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Correct Answer:
B

Question #20
A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config.
All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements.
A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation.
Which combination of steps will meet these requirements? (Choose two.)
  1. A
    Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.
  2. B
    Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.
  3. C
    Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.
  4. D
    Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the security-01 account.
  5. E
    Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.

Correct Answer:
AD

Previous Questions Next Questions

All Pages