Practice SCS-C02 Exam Online

Question 1

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membership What should the security engineer do to meet these requirements''

A : Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user

B : Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy

C : Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group

D : Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Answer: B

Question 2

A security engineer is tasked with securing the network access for an application that uses an AWS Lambda function and an Amazon RDS database. The Lambda function and database both run in the same AWS account.

Which network configuration is the MOST secure?

A : Create an interface VPC endpoint for Lambda and update a private subnet route table to point to the endpoint. Update the DB to connect to the private subnet and access the Lambda function. Use endpoint policies to secure network access between the function and DB instance

B : Attach an Elastic IP to the Lambda function. Attach a security group to the function that allows outbound access to the DB security group. Update the DB instance security group to allow traffic from the Lambda security group.

C : Connect the Lambda function to a public subnet within the VPC. Attach a security group to the function that allows outbound access to the DB security group only. Update the DB instance security group to allow traffic from the Lambda public address space.

D : Connect the Lambda function to a private subnet within the VPC. Attach a security group to the function that allows outbound access to the VPC CIDR block only. Update the DB instance security group to allow traffic from the Lambda security group.

Answer: D

Question 3

You have an S3 bucket defined in IAM. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this. Please select:

A : Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

B : Use the IAM Encryption CLI to encrypt the data first

C : Use a Lambda function to encrypt the data before sending it to the S3 bucket.

D : Enable client encryption for the bucket

Answer: B

Question 4

A company has two AWS accounts: Account A and Account B Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B. The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet. Which solution will meet these requirements?

A :

In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.

B :

Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B

C :

Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.

D :

In Account A. create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.

Answer: C

Question 5

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time. The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users. Which solution will mefet these requirements?

A :

Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.

B :

Update the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.

C :

Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.

D :

Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

Answer: A

Name:	AWS Certified Security Specialty
Exam Code:	SCS-C02
Certification:	AWS Certified Specialty
Vendor:	Amazon
Total Questions:	481
Last Updated:	Apr 22, 2024

Amazon SCS-C02