Free Amazon SCS-C02 Exam Questions

Question 1

A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

A : Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

B : Create a metric filter on the logs so that they can be viewed in the AWS Management Console.

C : Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.

D : Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

E : Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.

F : Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Answer: A,C,D

Question 2

A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?

A :

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

B :

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

C :

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

D :

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Answer: A

Question 3

A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server. The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance. Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Select TWO.)

A : Allow port 22 from source 0.0.0.0/0.

B : Allow port 443 from source 0.0.0.0/0.

C : Allow port 22 from 192.168.100.0/24.

D : Allow port 22 from 10.0.1.0/24.

E : Allow port 443 from 10.0.1.0/24.

Answer: B,C

Question 4

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?

A : Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

B : Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

C : Enable CloudTrail Insights to identify unusual API activity.

D : Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Answer: D

Question 5

A security engineer is tasked with securing the network access for an application that uses an AWS Lambda function and an Amazon RDS database. The Lambda function and database both run in the same AWS account.

Which network configuration is the MOST secure?

A : eate an interface VPC endpoint for Lambda and update a private subnet route table to point to the endpoint. Update the DB to connect to the private subnet and access the Lambda function. Use endpoint policies to secure network access between the function and DB instance

B : tach an Elastic IP to the Lambda function. Attach a security group to the function that allows outbound access to the DB security group. Update the DB instance security group to allow traffic from the Lambda security group.

C : nnect the Lambda function to a public subnet within the VPC. Attach a security group to the function that allows outbound access to the DB security group only. Update the DB instance security group to allow traffic from the Lambda public address space.

D : nnect the Lambda function to a private subnet within the VPC. Attach a security group to the function that allows outbound access to the VPC CIDR block only. Update the DB instance security group to allow traffic from the Lambda security group.

Answer: D