SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 55

- (Exam Topic 2)
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.
What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

A. Store the scripts in the AMI and encrypt the sensitive data using IAM KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.

B. Store the sensitive data in IAM Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.

C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using IAM KM

D. Remove the scripts from the instance and clear the logs after the instance is configured.

E. Block user access of the EC2 instance's metadata service using IAM policie

F. Remove all scripts and clear the logs after execution.

Correct Answer:B

Question 56

- (Exam Topic 2)
An application uses Amazon Cognito to manage end users’ permissions when directly accessing IAM resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues. Which approach will meet these requirements and priorities?

A. Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

B. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

C. Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Correct Answer:D
https://IAM.amazon.com/blogs/IAM/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2

Question 57

- (Exam Topic 1)
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption and allow for immediate destruction of the data
Which solution will meet these requirements?

A. Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data

B. Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.

C. Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys

D. Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Correct Answer:A

Question 58

- (Exam Topic 1)
A company has decided to use encryption in its IAM account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16.000 B to 5 MB. The requirements are as follows:
• The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
• The key material must be available in multiple Regions. Which option meets these requirements?

A. Use an IAM KMS customer managed key and store the key material in IAM with replication across Regions

B. Use an IAM customer managed key, import the key material into IAM KMS using in-house IAM CloudHS

C. and store the key material securely in Amazon S3.

D. Use an IAM KMS custom key store backed by IAM CloudHSM clusters, and copy backups across Regions

E. Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.

Correct Answer:D

Question 59

- (Exam Topic 4)
A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company's security team recently received a report about common vulnerability identifiers on the instances.
A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.
What should the security engineer do to meet these requirements?

A. Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instance

B. Use Patch Manager also to automate the patching process.

C. Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instance

D. Use AWS Systems Manager Patch Manager to automate the patching process.

E. Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instance

F. Use Amazon Inspector to automate the patching process.

G. Use Amazon Inspector to view vulnerability identifiers for missing patches on the instance

H. Use Amazon Inspector also to automate the patching process.

Correct Answer:A
https://aws.amazon.com/about-aws/whats-new/2020/10/now-use-aws-systems-manager-to-view-vulnerability-id

Question 60

- (Exam Topic 3)
A company is planning on using IAM EC2 and IAM Cloudfrontfor their web application. For which one of the below attacks is usage of Cloudfront most suited for?
Please select:

A. Cross side scripting

B. SQL injection

C. DDoS attacks

D. Malware attacks

Correct Answer:C
The below table from IAM shows the security capabilities of IAM Cloudfront IAM Cloudfront is more prominent for DDoS attacks.
Options A,B and D are invalid because Cloudfront is specifically used to protect sites against DDoS attacks For more information on security with Cloudfront, please refer to the below Link:
https://d1.IAMstatic.com/whitepapers/Security/Secure content delivery with CloudFront whitepaper.pdi The correct answer is: DDoS attacks
Submit your Feedback/Queries to our Experts

START SCS-C02 EXAM