SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 13

- (Exam Topic 2)
An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether.
Which of the following supports this requirement for IAM resources that are encrypted by IAM KMS?

A. Copy the application’s IAM KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.

B. Configure IAM KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.

C. Use IAM services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.

D. Configure the target region’s IAM service to communicate with the source region’s IAM KMS so that it can decrypt the resource in the target region.

Correct Answer:C

Question 14

- (Exam Topic 2)
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)

A. Detach the elastic network interface from the EC2 instance.

B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

C. Disable any Amazon Route 53 health checks associated with the EC2 instance.

D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

F. Add a rule to an IAM WAF to block access to the EC2 instance.

Correct Answer:BDE
https://d1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf

Question 15

- (Exam Topic 3)
How can you ensure that instance in an VPC does not use IAM DNS for routing DNS requests. You want to use your own managed DNS instance. How can this be achieved?
Please select:

A. Change the existing DHCP options set

B. Create a new DHCP options set and replace the existing one.

C. Change the route table for the VPC

D. Change the subnet configuration to allow DNS requests from the new DNS Server

Correct Answer:B
In order to use your own DNS server, you need to ensure that you create a new custom DHCP options set with the IP of th custom DNS server. You cannot modify the existing set, so you need to create a new one.
Option A is invalid because you cannot make changes to an existing DHCP options Set.
Option C is invalid because this can only be used to work with Routes and not with a custom DNS solution.
Option D is invalid because this needs to be done at the VPC level and not at the Subnet level For more information on DHCP options set, please visit the following url https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC DHCP Options.html
The correct answer is: Create a new DHCP options set and replace the existing one. Submit your Feedback/Queries to our Experts

Question 16

- (Exam Topic 1)
A company has hundreds of IAM accounts, and a centralized Amazon S3 bucket used to collect IAM CloudTrail for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queues against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s IAM account.
How should the company accomplish this with the least amount of administrative overhead?

A. Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.

B. Use the events history/feature of the CloudTrail console to query the CloudTrail trails.

C. Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

D. Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

Correct Answer:D

Question 17

- (Exam Topic 4)
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.
To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.
What should the security engineer do next?

A. Place the network interface in promiscuous mode to capture the traffic.

B. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.

C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

D. Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.

Correct Answer:D

Question 18

- (Exam Topic 4)
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.
Which of the following solutions would provide the MOST scalable solution?

A. Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

C. Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Correct Answer:B

START SCS-C02 EXAM