Online SCS-C02 Practice TestMore Amazon-Web-Services Products >

Free Amazon-Web-Services SCS-C02 Exam Dumps Questions

Amazon-Web-Services SCS-C02: AWS Certified Security - Specialty

- Get instant access to SCS-C02 practice exam questions

- Get ready to pass the AWS Certified Security - Specialty exam right now using our Amazon-Web-Services SCS-C02 exam package, which includes Amazon-Web-Services SCS-C02 practice test plus an Amazon-Web-Services SCS-C02 Exam Simulator.

- The best online SCS-C02 exam study material and preparation tool is here.

4.5

(4470 ratings)

Question 1

- (Exam Topic 3)
Your company is hosting a set of EC2 Instances in IAM. They want to have the ability to detect if any port scans occur on their IAM EC2 Instances. Which of the following can help in this regard?
Please select:

A. Use IAM inspector to consciously inspect the instances for port scans

B. Use IAM Trusted Advisor to notify of any malicious port scans

C. Use IAM Config to notify of any malicious port scans

D. Use IAM Guard Duty to monitor any malicious port scans

Correct Answer:D
The IAM blogs mention the following to support the use of IAM GuardDuty
GuardDuty voraciously consumes multiple data streams, including several threat intelligence feeds, staying aware of malicious addresses, devious domains, and more importantly, learning to accurately identify malicious or unauthorized behavior in your IAM accounts. In combination with information gleaned from your VPC Flow Logs, IAM CloudTrail Event Logs, and DNS logs, th allows GuardDuty to detect many different types of dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations. On the IAM side, it looks for suspicious IAM account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to IAM API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency.
Options A, B and C are invalid because these services cannot be used to detect port scans For more information on IAM Guard Duty, please refer to the below Link:
https://IAM.amazon.com/blogs/IAM/amazon-guardduty-continuous-security-monitoring-threat-detection; (
The correct answer is: Use IAM Guard Duty to monitor any malicious port scans Submit your Feedback/Queries to our Experts

Question 3

- (Exam Topic 4)
A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.
Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

A. The CMK that is used in the attempt does not exist.

B. The CMK that is used in the attempt needs to be rotated.

C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.

D. The CMK that is used in the attempt is not enabled.

E. The CMK that is used in the attempt is using an alias.

Correct Answer:AD

Question 4

- (Exam Topic 2)
IAM CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

A. Verify that the S3 bucket policy allow CloudTrail to write objects.

B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

D. Verify that the S3 bucket defined in CloudTrail exists.

E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Correct Answer:BD
https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

Question 5

- (Exam Topic 3)
A company has a set of EC2 instances hosted in IAM. These instances have EBS volumes for storing critical information. There is a business continuity requirement and in order to boost the agility of the business and to ensure data durability which of the following options are not required.
Please select:

A. Use lifecycle policies for the EBS volumes

B. Use EBS Snapshots

C. Use EBS volume replication

D. Use EBS volume encryption

Correct Answer:CD
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.
You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots
taken to back up your Amazon EBS volumes.
With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
• Resource type—The IAM resource managed by the policy, in this case, EBS volumes.
• Target tag—The tag that must be associated with an EBS volume for it to be managed by the policy.
• Schedule—Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
Option C is correct. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. But it does not have an explicit feature like that.
Option D is correct Encryption does not ensure data durability
For information on security for Compute Resources, please visit the below URL https://d1.IAMstatic.com/whitepapers/Security/Security Compute Services Whitepaper.pdl
The correct answers are: Use EBS volume replication. Use EBS volume encryption Submit your Feedback/Queries to our Experts

Question 6

- (Exam Topic 4)
A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.
How should the security engineer build the MOST secure solution?

A. Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header

B. Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.

C. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

D. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTP

E. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Correct Answer:D

START SCS-C02 EXAM