SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 127

- (Exam Topic 4)
Your company is planning on using bastion hosts for administering the servers in IAM. Which of the following is the best description of a bastion host from a security perspective?
Please select:

A. A Bastion host should be on a private subnet and never a public subnet due to security concerns

B. A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network

C. Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.

D. A Bastion host should maintain extremely tight security and monitoring as it is available to the public

Correct Answer:C
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.
In IAM, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets.
Options A and B are invalid because the bastion host needs to sit on the public network. Option D is invalid because bastion hosts are not used for monitoring For more information on bastion hosts, just browse to the below URL:
https://docsIAM.amazon.com/quickstart/latest/linux-bastion/architecture.htl
The correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into internal network to access private subnet resources.
Submit your Feedback/Queries to our Experts

Question 128

- (Exam Topic 4)
A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:
SCS-C02 dumps exhibit
The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)
A)

B)

C)

D)

E)
SCS-C02 dumps exhibit

A. Option A

B. Option B

C. Option C

D. Option D

E. Option E

Correct Answer:AD

Question 129

- (Exam Topic 1)
A company Is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:
• Data must be encrypted in transit.
• Data must be encrypted at rest.
• The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Select THREE.)

A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket

B. Enable default encryption with server-side encryption with IAM KMS-managed keys (SSE-KMS) on the S3 bucket.

C. Add a bucket policy that includes a deny if a PutObject request does not include IAMiSecureTcanspoct.

D. Add a bucket policy with ws: Sourcelpto Allow uploads and downloads from the corporate intranet only.

E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-sairv9r-side-enctyption: "IAM: kms".

F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Correct Answer:BDF

Question 130

- (Exam Topic 2)
An organization has three applications running on IAM, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an IAM KMS Customer Master Key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

B. Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Correct Answer:C

Question 131

- (Exam Topic 2)
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

A. In the IAM Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.

B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.

C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

D. Create an Amazon CloudWatch alarm to detect aged access keys and use an IAM Lambda function to disable the keys older than 90 days.

Correct Answer:C
https://docs.IAM.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html
https://docs.IAM.amazon.com/IAM/latest/APIReference/API_GenerateCredentialReport.html https://docs.IAM.amazon.com/IAM/latest/APIReference/API_GetCredentialReport.html

Question 132

- (Exam Topic 3)
Your company has just started using IAM and created an IAM account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers fro the options given below
Please select:

A. Delete the root access account

B. Create an Admin IAM user with the necessary permissions

C. Change the password for the root account.

D. Delete the root access keys

Correct Answer:BD
The IAM Documentation mentions the following
All IAM accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you cant restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create IAM Identity and Access Management (IAM) user credentials for everyday interaction with IAM.
Option A is incorrect since you cannot delete the root access account
Option C is partially correct but cannot be used as the ideal solution for safeguarding the account For more information on root access vs admin IAM users, please refer to below URL: https://docs.IAM.amazon.com/eeneral/latest/er/root-vs-iam.html
The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys Submit your Feedback/Queries to our Experts

START SCS-C02 EXAM