Free Amazon SCS-C02 Exam Questions

Question 1

A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.

The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.

Which of the following steps would be the most appropriate in this scenario?

A : ack down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.

B : Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.

C : activate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system's Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.

D : able or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

Answer: D

Question 2

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

A : An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

B : An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

C : An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

D : A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Answer: B

Question 3

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain. What should the security engineer do to resolve this error?

A : Replace the KSK with a zone-signing key (ZSK).

B : Deactivate and then activate the KSK.

C : Create a Delegation Signer (DS) record in the parent hosted zone.

D : Create a Delegation Signer (DS) record in the subdomain.

Answer: C

Question 4

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data The solution must automatically apply to any new log groups that are created in the account in the future. Which solution will meet these requirements?

A : Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D : Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission

Answer: A

Question 5

A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possible. Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

A :

Turn on VPC Flow Logs for all VPCs in the account.

B :

Activate Amazon GuardDuty across all AWS Regions.

C :

Activate Amazon Detective across all AWS Regions.

D :

Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the find-ings to the SNS topic.

E :

Create an AWS Lambda function. Create an Amazon EventBridge rule that in-vokes the Lambda function to publish findings to Amazon Simple Email Ser-vice (Amazon SES).

Answer: B,D