SCS-C02 Amazon-Web-Services Exam Questions and Free Practice Test

Question 49

- (Exam Topic 1)
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using
Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks
The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

D. Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.

Correct Answer:B

Question 50

- (Exam Topic 4)
A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted
The company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead
Which steps should the security engineer take to meet these requirements?

A. Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigge

B. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

C. Use a customer managed IAM policy that will verify that the encryption ag of the Createvolume context is set to tru

D. Apply this rule to all users.

E. Create an IAM Config rule to evaluate the conguration of each EC2 instance on creation or modication.Have the IAM Cong rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypte

F. 5

G. Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Correct Answer:D

Question 51

- (Exam Topic 3)
Your company has a set of 1000 EC2 Instances defined in an IAM Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?
Please select:

A. Use the IAM Systems Manager Parameter Store

B. Use the IAM Systems Manager Run Command

C. Use the IAM Inspector

D. Use IAM Config

Correct Answer:B
The IAM Documentation mentions the following
IAM Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the IAM console, the IAM Command Line Interface, IAM Tools for Windows PowerShell, or the IAM SDKs. Run Command is offered at no additional cost.
Option A is invalid because this service is used to store parameter Option C is invalid because this service is used to scan vulnerabilities in an EC2 Instance. Option D is invalid because this service is used to check for configuration changes For more information on executing remote commands, please visit the below U
https://docs.IAM.amazon.com/systems-manaEer/latest/usereuide/execute-remote-commands.htmll (
The correct answer is: Use the IAM Systems Manager Run Command Submit your Feedback/Queries to our Experts

Question 52

- (Exam Topic 1)
An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
SCS-C02 dumps exhibit
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the IAM CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

A. Change the value of IAM MultiFactorAuthPresent to true.

B. Instruct users to run the IAM sts get-session-token CLI command and pass the multi-factor authentication —serial-number and —token-code parameter

C. Use these resulting values to make API/CLI calls

D. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.

E. Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and —token-code parameters Store the resulting values in environment variable

F. Add sts:AssumeRole to NotAction in the policy.

Correct Answer:B

Question 53

- (Exam Topic 2)
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance'?

A. Use IAM Certificate Manager to request a certificat

B. Use that certificate to encrypt data prior to uploading it to DynamoDB.

C. Enable S3 server-side encryption with the customer-provided key

D. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB

E. Create a KMS master ke

F. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoD

G. Dispose of the cleartext and encrypted data keys after encryption without storing.

H. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Correct Answer:D
Follow the link:
https://docs.IAM.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html

Question 54

- (Exam Topic 4)
A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help
Mitigate this risk in the future.
What are some ways the engineer could achieve this (Select THREE)?

A. Use IAM X-Ray to inspect the trafc going to the EC2 instances.

B. Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

C. Change the security group conguration to block the source of the attack trafc

D. Use IAM WAF security rules to inspect the inbound trafc.

E. Use Amazon Inspector assessment templates to inspect the inbound traffic.

F. Use Amazon Route 53 to distribute trafc.

Correct Answer:BDF

START SCS-C02 EXAM