Amazon SCS-C02 Exam Questions Instant Access

Question 1

[Infrastructure Security]

A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and Ama-zonVPCFullAccess.

The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role.

Which solution will meet these requirements in the MOST operationally efficient way?

AIn AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM poli-cy for the role.

BRemove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.

CCreate an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the PrincipalArn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM poli-cies from the role.

DIn AWS CloudTrail, create a trail for management events. Remove the exist-ing AWS managed IAM policies from the role. Run the script. Find the au-thorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.

Answer : A

Question 2

[Identity and Access Management]

A company controls user access by using IAM users and groups in AWS accounts across an organization in AWS Organizations. The company uses an external identity provider (IdP) for workforce single sign-on (SSO). The company needs to implement a solution to provide a single management portal to access accounts within the organization. The solution must support the external IdP as a federation source.

AEnable AWS IAM Identity Center. Specify the external IdP as the identity source.

BEnable federation with AWS Identity and Access Management (IAM). Specify the external IdP as the identity source.

CMigrate to Amazon Verified Permissions. Implement fine-grained access to AWS by using policy-based access control (PBAC).

DMigrate users to AWS Directory Service. Use AWS Control Tower to centralize security across the organization.

Answer : A

Comprehensive Detailed Explanation with all AWS References

To provide a single management portal for access and integrate with an external IdP for SSO,AWS IAM Identity Center(formerly AWS Single Sign-On) is the best solution:

AWS IAM Identity Center:

IAM Identity Center enables centralized management of access to AWS accounts within an organization.

Supports external IdPs (e.g., Okta, Azure AD) using SAML 2.0 for workforce SSO.

Incorrect Options:

B:Direct IAM federation can work with an IdP but does not provide a centralized management portal.

C:Amazon Verified Permissions is for fine-grained access control, not SSO or account access.

D:AWS Directory Service is unnecessary and overly complex for this use case. Control Tower is not designed for user access management.

Question 3

[Incident Response]

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding read:

UnauthorizedAccess: IAMUser/InstanceCredentialExfiltration.

The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

AOpen the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

BInstall the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

CInstall the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

DOpen the IAM console and revoke all IAM sessions that are associated with the instance profile.
Comprehensive and Detailed Explanation From Exact Extract:
The GuardDuty finding ''IAMUser/InstanceCredentialExfiltration'' indicates that temporary credentials from the instance metadata service have been stolen and used from an unusual location. The immediate priority is to revoke all existing IAM sessions for that instance profile to block the compromised credentials.
This is considered a critical containment action. IAM allows active session revocation, which invalidates credentials associated with a compromised instance profile.
This is explicitly covered under the Incident Response domain in the AWS Security Specialty study material, which emphasizes session revocation and credential rotation in response to exfiltration events.

Answer : D

Question 4

A company stores signed legal contracts for loans in an Amazon S3 bucket that has versioning enabled. Each contract must be stored until the loan is paid back or for 10 years if the loan is not paid back.

The company needs a solution that allows only users with special permissions to delete or modify the contracts before the 10 years. Pass. After 10 years, the contracts must be deleted automatically.

Which solution will meet these requirements'?

AConfigure S3 Object Lock on the bucket with a retention penod of 10 years Specify governance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.

BConfigure S3 Object Lock on the bucket with a retention period of 10 years Specify compliance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.

CConfigure S3 Object Lock on the bucket with a retention penod of 10 years Place a legal hold on the objects. Create an S3 Lifecycle policy that will remove versionmg for the objects and expire objects after 10 years.

DConfigure S3 Object Lock on the bucket Specify compliance mode as the retention mode Place a legal hold on the objects. Create an S3 Lifecycle policy that will expire the objects after 10 years.

Answer : A

Question 5

[Logging and Monitoring]

A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

AUse IPv6 addresses that are configured for hostnames.

BConfigure external DNS resolvers as internal resolvers that are visible only to IAM.

CUse IAM DNS resolvers for all EC2 instances.

DConfigure a third-party DNS resolver with logging for all EC2 instances.

Answer : C

To ensure that the EC2 instances are logged, the security engineer should do the following:

Use AWS DNS resolvers for all EC2 instances. This allows the security engineer to use Amazon-provided DNS servers that resolve public DNS hostnames to private IP addresses within their VPC, and that log DNS queries in Amazon CloudWatch Logs.

Question 6

[Logging and Monitoring]

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.

To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

AAn HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

BAn HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

CAn HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

DA TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Answer : B

this is a way to configure a Classic Load Balancer with perfect forward secrecy cipher suites. Perfect forward secrecy is a property of encryption protocols that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. Cipher suites are sets of algorithms that determine how encryption is performed. A custom security policy is a set of cipher suites and protocols that you can select for your load balancer to support. An HTTPS listener is a process that checks for connection requests using encrypted SSL/TLS protocol. By using an HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites, you can ensure that your Classic Load Balancer meets the requirements. The other options are either invalid or insufficient for configuring a Classic Load Balancer with perfect forward secrecy cipher suites.

Question 7

[Identity and Access Management]

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?

Please select:

AAdd an IAM managed policy for the user

BAdd a service policy for the user

CAdd an IAM role for the user

DAdd an inline policy for the user

Answer : D

Options A and B are incorrect since you need to add an inline policy just for the user

Option C is invalid because you don't assign an IAM role to a user

The IAM Documentation mentions the following

An inline policy is a policy that's embedded in a principal entity (a user, group, or role)---that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.

For more information on IAM Access and Inline policies, just browse to the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/access

The correct answer is: Add an inline policy for the user Submit your Feedback/Queries to our Experts

Amazon AWS Certified Security - Specialty (old) SCS-C02 Exam Questions