Practice SCS-C02 Exam Online

Question 1

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listener Which configuration steps should the security engineer take to accomplish this task?

A : Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group

B : Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway

C : Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

D : Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

Answer: D

Question 2

A developer who was recently fired by a company has a personal laptop that contains the SSH keys used to access multiple Amazon EC2 instances. The security team need to ensure the developer is unable to access the EC2 instances.

How can a security engineer protect the running EC2 instances?

A : Connect to each EC2 instance and replace the public key information in the authorized_keys file.

B : Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C :

Modify the key pair in the AMIs used to launch the EC2 instances and then restart the EC2 instances.

D : Delete the key pair, create a new key pair, and use the EC2 console to modify the EC2 instances to use the new key pair.

Answer: A

Question 3

A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in: Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidldentityToken) A security engineer needs to provide a solution that corrects the error and min-imizes operational overhead. Which solution meets these requirements?

A : Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.

B : Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CU.

C : Download the updated SAML metadata file from the identity service provid-er. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

D : Configure the AWS identity provider entity defined in AWS Identity and Ac-cess Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

Answer: C

Question 4

A company manages multiple IAM accounts using IAM Organizations. The company's security team notices that some member accounts are not sending IAM CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured (or all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?

A : Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

B : Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

C : Edit the existing trail in the Organizations master account and apply it to the organization.

D : Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Answer: C

Question 5

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?

A : Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

B :

Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

C : Enable CloudTrail Insights to identify unusual API activity.

D : Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Answer: D

Name:	AWS Certified Security Specialty
Exam Code:	SCS-C02
Certification:	AWS Certified Specialty
Vendor:	Amazon
Total Questions:	481
Last Updated:	Apr 22, 2024

Amazon SCS-C02