SCS-C02 Online Practice Questions and Answers

Questions 4

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE.)

A. Default AWS Certificate Manager certificate

B. Custom SSL certificate stored in AWS KMS

C. Default CloudFront certificate

D. Custom SSL certificate stored in AWS Certificate Manager

E. Default SSL certificate stored in AWS Secrets Manager

F. Custom SSL certificate stored in AWS IAM

Questions 5

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.

Which solution will meet these requirements?

A. Use AWS WAF with an upgrade to the AWS Business support plan

B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity

C. Use AWS Shield Advanced

D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all ingress traffic

Questions 6

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions.

Because the video events last for several hours, the total video is made up of thousands of chunks.

The origin URL is not disclosed and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.

What is the simplest and MOST effective way to protect the content?

A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.

D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Questions 7

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.

Which combination of activities must the company implement to meet its encryption requirements? (Select TWO.)

A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.

B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.

C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.

D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.

E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.

Questions 8

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.

What could have been done to detect and automatically remediate the incident?

A. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.

B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.

D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Questions 9

A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.

After several minutes, the Engineer finds that his Athena query has failed with the error message: "Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are shown below:

Security Engineer

Lambda function execution role

What is causing the error?

A. The Lambda function does not have permissions to start the Athena query execution.

B. The Security Engineer does not have permissions to start the Athena query execution.

C. The Athena service does not support invocation through Lambda.

D. The Lambda function does not have permissions to access the CloudTrail S3 bucket.

Questions 10

A company has external vendors that must deliver files to the company. These vendors have cross-account that gives them permission to upload objects to one of the company's S3 buckets.

What combination of steps must the vendor follow to successfully deliver a file to the company? (Select 2 answers from the options given below.)

A. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object.

B. Add a grant to the object's ACL giving full permissions to bucket owner.

C. Encrypt the object with a KMS key controlled by the company.

D. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object.

E. Upload the file to the company's S3 bucket.

Questions 11

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

A. The target instance's security group does not allow traffic from the NLB.

B. The target instance's security group is not attached to the NLB.

C. The NLB's security group is not attached to the target instance.

D. The target instance's subnet network ACL does not allow traffic from the NLB.

E. The target instance's security group is not using IP addresses to allow traffic from the NLB.

F. The target network ACL is not attached to the NLB.

Questions 12

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company AWS account. The Security Analyst decides to do this by improving AWS account root user security.

Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

A. Delete the access keys for the account root user in every account.

B. Create an admin IAM user with administrative privileges and delete the account root user in every account.

C. Implement a strong password to help protect account-level access to the AWS Management Console by the account root user.

D. Enable multi-factor authentication (MFA) on every account root user in all accounts.

E. Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.

F. Attach an IAM role to the account root user to make use of the automated credential rotation in AWS STS.

Questions 13

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.

Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.

The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications.

Which solution will meet these requirements?

A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

C. Enable CloudTrail Insights to identify unusual API activity.

D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Last Update: Jun 02, 2026
Questions: 851