SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 121

- (Exam Topic 1)
A Developer reported that IAM CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.
What should the Security Engineer do to meet these requirements?

A. Use IAM Resource Access Manager (IAM RAM) to monitor the IAM CloudTrail configuratio

B. Send notifications using Amazon SNS.

C. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty finding

D. Send email notifications using Amazon SNS.

E. Update security contact details in IAM account settings for IAM Support to send alerts when suspicious activity is detected.

F. Use Amazon Inspector to automatically detect security issue

G. Send alerts using Amazon SNS.

Correct Answer:B

Question 122

- (Exam Topic 4)
A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.
Which combination of controls should the security engineer propose? (Select THREE.)
A)
SCS-C02 dumps exhibit
B)

C) Enable multi-factor authentication (MFA) for the root user.
D) Set a strong randomized password and store it in a secure location.
E) Create an access key ID and secret access key, and store them in a secure location.
F) Apply the following permissions boundary to the toot user:
SCS-C02 dumps exhibit

A. Option A

B. Option B

C. Option C

D. Option D

E. Option E

F. Option F

Correct Answer:ACE

Question 123

- (Exam Topic 1)
A company's Security Engineer has been asked to monitor and report all IAM account root user activities. Which of the following would enable the Security Engineer to monitor and report all root user activities?
(Select TWO)

A. Configuring IAM Organizations to monitor root user API calls on the paying account

B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported

C. Configuring Amazon Inspector to scan the IAM account for any root user activity

D. Configuring IAM Trusted Advisor to send an email to the Security team when the root user logs in to the console

E. Using Amazon SNS to notify the target group

Correct Answer:BE

Question 124

- (Exam Topic 2)
An Amazon EC2 instance is denied access to a newly created IAM KMS CMK used for decrypt actions. The environment has the following configuration:
SCS-C02 dumps exhibit The instance is allowed the kms:Decrypt action in its IAM role for all resources
The IAM KMS CMK status is set to enabled
The instance can communicate with the KMS API using a configured VPC endpoint What is causing the issue?

A. The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role

B. The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN

C. The kms:Encrypt permission is missing from the EC2 IAM role

D. The KMS CMK key policy that enables IAM user permissions is missing

Correct Answer:D
In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to

Question 125

- (Exam Topic 3)
A large organization is planning on IAM to host their resources. They have a number of autonomous departments that wish to use IAM. What could be the strategy to adopt for managing the accounts.
Please select:

A. Use multiple VPCs in the account each VPC for each department

B. Use multiple IAM groups, each group for each department

C. Use multiple IAM roles, each group for each department

D. Use multiple IAM accounts, each account for each department

Correct Answer:D
A recommendation for this is given in the IAM Security best practices Option A is incorrect since this would be applicable for resources in a VPC Options B and C are incorrect since operationally it would be difficult to manage For more information on IAM Security best practices please refer to the below URL
https://d1.IAMstatic.com/whitepapers/Security/IAM Security Best Practices.pdl
The correct answer is: Use multiple IAM accounts, each account for each department Submit your Feedback/Queries to our Experts

Question 126

- (Exam Topic 2)
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

A. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier functio

B. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

C. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classificatio

D. For identified objects that contain PII, use the research function for auditing IAM CloudTrail logs and S3 bucket logs for GET operations.

E. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classificatio

F. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.

G. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classificatio

H. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

Correct Answer:B

START SCS-C02 EXAM