SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 133

- (Exam Topic 1)
A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.
Which of the following are required for this configuration to work? (Select TWO.)

A. The developer must configure Lambda access to the VPC using the --vpc-config parameter.

B. The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.

C. The KMS key policy must allow permissions for the developer to use the KMS key.

D. The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.

E. The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Correct Answer:BC

Question 134

- (Exam Topic 2)
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the IAM account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

A. GuardDuty did not have the appropriate alerts activated.

B. GuardDuty does not see these DNS requests.

C. GuardDuty only monitors active network traffic flow for command-and-control activity.

D. GuardDuty does not report on command-and-control activity.

Correct Answer:B
https://docs.IAM.amazon.com/guardduty/latest/ug/guardduty_data-sources.html https://docs.IAM.amazon.com/guardduty/latest/ug/guardduty_backdoor.html

Question 135

- (Exam Topic 2)
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege. (Select two.)

A. Configure and assign an MFA device to the role used by the instances.

B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.

C. Verify that the access key attached to the role used by the instances is active.

D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.

E. Verify that the role attached to the instances contains policies that allow access to the queue.

Correct Answer:BE

Question 136

- (Exam Topic 3)
You have a set of Keys defined using the IAM KMS service. You want to stop using a couple of keys , but are not sure of which services are currently using the keys. Which of the following would be a safe option to stop using the keys from further usage.
Please select:

A. Delete the keys since anyway there is a 7 day waiting period before deletion

B. Disable the keys

C. Set an alias for the key

D. Change the key material for the key

Correct Answer:B
Option A is invalid because once you schedule the deletion and waiting period ends, you cannot come back from the deletion process.
Option C and D are invalid because these will not check to see if the keys are being used or not The IAM Documentation mentions the following
Deleting a customer master key (CMK) in IAM Key Management Service (IAM KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
For more information on deleting keys from KMS, please visit the below URL: https://docs.IAM.amazon.com/kms/latest/developereuide/deleting-keys.html
The correct answer is: Disable the keys Submit your Feedback/Queries to our Experts

START SCS-C02 EXAM