
Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with CertsForce

Questions # 71:

A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.

Which solution meets these requirements?

Options:

A.

Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.


B.

Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.


C.

Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys from CloudHSM for client-side encryption of application data.


D.

Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.


Questions # 72:

A company stores sensitive data in AWS Secrets Manager. A security engineer needs to design a solution to generate a notification email when anomalous GetSecretValue API calls occur. The security engineer has configured an Amazon EventBridge rule for all Secrets Manager events that AWS CloudTrail delivers.

Which solution will meet these requirements?

Options:

A.

Configure CloudTrail as the target of the EventBridge rule. Set up an attribute filter on the IncomingBytes attribute and enable anomaly detection. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudTrail alarm that uses the SNS topic to send the notification.


B.

Configure CloudTrail as the target of the EventBridge rule. Set up an attribute filter on the IncomingBytes attribute and enable anomaly detection. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure a CloudTrail alarm that uses the SQS queue to send the notification.


C.

Configure Amazon CloudWatch Logs as the target of the EventBridge rule. Set up a metric filter on the IncomingBytes metric and enable anomaly detection. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm that uses the SNS topic to send the notification.


D.

Configure Amazon CloudWatch Logs as the target of the EventBridge rule. Use CloudWatch Logs Insights query syntax to search for anomalous GetSecretValue API calls. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure a CloudWatch alarm that uses the SQS queue to send the notification.


Questions # 73:

A security engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The security engineer has verified the following:

The rule set in the security groups is correct.

The rule set in the network ACLs is correct.

The rule set in the virtual appliance is correct.

Which of the following are other valid items to troubleshoot in this scenario? (Select TWO.)

Options:

A.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.


B.

Verify which security group is applied to the particular web server's elastic network interface (ENI).


C.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.


D.

Verify the registered targets in the ALB.


E.

Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.


Questions # 74:

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

A.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.


B.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.


C.

Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.


D.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.


Questions # 75:

A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.

What should the Security Engineer do to meet these requirements?

Options:

A.

Create an inline IAM user policy that allows Amazon EC2 access for the contractor's IAM user.


B.

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.


C.

Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.


D.

Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.


Questions # 76:

A company uses Amazon CloudWatch to monitor application metrics. A security engineer needs to centralize the metrics from several AWS accounts. The security engineer also must create a dashboard to securely share the metrics with customers.

Which solution will meet these requirements?

Options:

A.

Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account. Create a CloudWatch dashboard that includes the metrics. Share the dashboard by using SSO. Configure Amazon Cognito as the SSO provider.


B.

Set up a designated monitoring account. Configure the necessary permissions for a CloudWatch wizard to query the metrics from source accounts. Create a CloudWatch dashboard that includes the metrics. Share the dashboard by using SSO. Configure AWS IAM Identity Center as the SSO provider.


C.

Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metrics. Share the dashboard by using SSO. Configure AWS IAM Identity Center as the SSO provider.


D.

Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metrics. Share the dashboard. Specify the email addresses of users who can use a password to view the dashboard.


Questions # 77:

A company has an application that needs to read objects from an Amazon S3 bucket. The company configures an IAM policy and attaches the policy to an IAM role that the application uses. When the application tries to read objects from the S3 bucket, the application receives AccessDenied errors. A security engineer must resolve this problem without decreasing the security of the S3 bucket or the application.

Options:

A.

Attach a resource policy to the S3 bucket to grant read access to the role.


B.

Launch a new deployment of the application in a different AWS Region. Attach the role to the application.


C.

Review the IAM policy by using AWS Identity and Access Management Access Analyzer to ensure that the policy grants the right permissions. Validate that the application is assuming the role correctly.


D.

Ensure that the S3 Block Public Access feature is disabled on the S3 bucket. Review AWS CloudTrail logs to validate that the application is assuming the role correctly.


Questions # 78:

A solutions architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

Options:

A.

One in the US West (Oregon) region and one in the US East (Virginia) region


B.

Two in the US West (Oregon) region and none in the US East (Virginia) region


C.

One in the US West (Oregon) region and none in the US East (Virginia) region


D.

Two in the US East (Virginia) region and none in the US West (Oregon) region


Questions # 79:

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.

What should the security engineer do to resolve this error?

Options:

A.

Import the key material into AWS Key Management Service (AWS KMS).


B.

Manually upload the new host key to the AWS trusted host keys database.


C.

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.


D.

Create a new SSH key pair for the EC2 instance.


Questions # 80:

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account.

The company has not monitored account activity in the past.

The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.

Which solution will meet these requirements?

Options:

A.

In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.


B.

Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.


C.

In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.


D.

Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.

