SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 61

- (Exam Topic 2)
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

A. Use an EC2 run command to confirm that the “IAMlogs” service is running on all instances.

B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.

C. Check whether any application log entries were rejected because of invalid time stamps by reviewing/var/cwlogs/rejects.log.

D. Check that the trust relationship grants the service “cwlogs.amazonIAM.com” permission to write objects to the Amazon S3 staging bucket.

E. Verify that the time zone on the application servers is in UTC.

Correct Answer:AB
EC2 run command - can run scripts, install software, collect metrics and log files, manage patches and more. Bringing these two services together - can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.

Question 62

- (Exam Topic 1)
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data All logs must be kept for a minimum of 1 year for auditing purposes
What should the security engineer recommend?

A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is create

B. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

C. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

D. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling grou

E. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

F. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Correct Answer:B

Question 63

- (Exam Topic 1)
A company's security information events management (SIEM) tool receives new IAM CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs
Which of the following are possible causes of this issue? (Select THREE)

A. The SOS queue does not allow the SQS SendMessage action from the SNS topic

B. The SNS topic does not allow the SNS Publish action from Amazon S3

C. The SNS topic is not delivering raw messages to the SQS queue

D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action

E. The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic

F. The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Correct Answer:ADF

Question 64

- (Exam Topic 4)
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.
Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

A. Configure access logging for the required API stage.

B. Configure an AWS CloudTrail trail destination for API Gateway event

C. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.

D. Configure an Amazon S3 destination for API Gateway log

E. Run Amazon Athena queries to analyze API access information.

F. Use Amazon CloudWatch Logs Insights to analyze API access information.

G. Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Correct Answer:CD

Question 65

- (Exam Topic 4)
Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.
Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.
The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.
How will the security engineer be able to comply with these requirements?

A. Remove the existing NAT gatewa

B. Create a new NAT gateway that only the application server subnets can use.

C. Configure the DB instance€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.

D. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

E. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Correct Answer:C
Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.

Question 66

- (Exam Topic 1)
A security engineer is responsible for providing secure access to IAM resources for thousands of developer in a company’s corporate identity provider (idp). The developers access a set of IAM services from the corporate premises using IAM credential. Due to the velum of require for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developer are sharing their IAM credentials with others to avoid provisioning delays. The causes concern about overall security for the security engineer.
Which actions will meet the program requirements that address security?

A. Create an Amazon CloudWatch alarm for IAM CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer

B. Create a federation between IAM and the existing corporate IdP Leverage IAM roles to provide federated access to IAM resources

C. Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all IAM services only if it originates from corporate premises.

D. Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Correct Answer:B

START SCS-C02 EXAM