Free Amazon SCS-C02 Exam Questions

Question 1

A company's IAM account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level? Please select:

A :

Create a new role and add each user to the IAM role

B :

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

C :

Create a policy and apply it to multiple users using a JSON script

D :

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

Answer: B

Question 2

A new employee is joining a security team. The employee initially requires access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. All security team members are added to the security team IAM group that provides additional permissions to manage all other AWS services.

The team lead wants to limit the permissions the new employee has access to until the employee takes on additional responsibilities, and then be able to easily add permissions as required, eventually providing the same access as all other security team employees.

How can the team lead limit the permissions assigned to the new user account whilst minimizing complexity?

A : eate an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy.

B : eate an IAM account for the new employee in a dedicated account. Use cross-account access to manage resources. Limit the permissions on the cross-account access role to only allow management of Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add permissions to the cross-account access IAM role.

C : eate an IAM account for the new employee and add the account to the security team IAM group. Use a Service Control Policy (SCP) to limit the maximum available permissions to Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, remove the SCP.

D : eate an IAM account for the new employee. Create a new IAM group for the employee and add a permissions policy that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the IAM policy.

Answer: A

Question 3

A company has configured federation between an on-premises identity provider (IdP) and AWS. Developers authenticate into an identity account and assume an IAM role named IdPUsersRole. The developers then access a production account by assuming a role named ProdDevRole in the production account.

Developers are unable to assume the IAM role in the production account. The policy attached to the role in the identity account is:

2023-01-05-03-21-58-1df8c3f4bcc13f6e7590603358e86056

What needs to be done to enable the developers to assume the appropriate role in the production account?

A : date the IAM policy attached to the role in the target account to allow the “sts: AssumeRole” API action for the ProdDevRole principal in the production account.

B : date the IAM policy attached to the role in the identity account to allow the “sts: AssumeRole” API action for the ProdDevRole principal in the production account.

C : date the trust policy on the role in the identity account to allow the “sts: AssumeRole” API action for the IdPUsersRole principal in the identity account.

D : date the trust policy on the role in the production account to allow the “sts: AssumeRole” API action for the IdPUsersRole principal in the identity account

Answer: D

Question 4

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database. What should the company do to set up the snapshot in us-west-1 with proper encryption?

A :

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret Use this secret to encrypt the snapshot in us-west-1.

B :

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C :

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify am aws kms us-west-1 " as the principal.

D :

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn aws rds us-west-1. * as the principal.

Answer: B

Question 5

A company has two VPCs in the same AWS Region and in the same AWS account Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible. What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

A :

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the AuroraÃ‚Â database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

B :

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC. configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

C :

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

D :

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Answer: B