Amazon SCS-C02 Exam Practice Test Instant Access

Question 1

[Identity and Access Management]

A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

Which solution will meet these requirements?

AHost the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.

BHost the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.

CHost the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.

DHost the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Answer : B

Question 2

[Infrastructure Security]

A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.

Which solution meets these requirements?

AUse TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.

BUse TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.

CUse AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys form CloudHSM for client-side encryption of application data.

DUse Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.

Answer : A

Question 3

[Identity and Access Management]

A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy.

An IAM role in the same account has an IAM policy that allows s3 List* and s3 Get' permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket the role receives an access denied message.

Why does the IAM rote not have access to the objects that are in the S3 bucket?

AThe IAM rote does not have permission to use the KMS CreateKey operation.

BThe S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

CThe IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

DThe ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Answer : C

When using server-side encryption with AWS KMS keys (SSE-KMS), the requester must have both Amazon S3 permissions and AWS KMS permissions to access the objects. The Amazon S3 permissions are for the bucket and object operations, such as s3:ListBucket and s3:GetObject. The AWS KMS permissions are for the key operations, such as kms:GenerateDataKey and kms:Decrypt. In this case, the IAM role has the necessary Amazon S3 permissions, but not the AWS KMS permissions to use the customer managed key that encrypts the objects. Therefore, the IAM role receives an access denied message when trying to access the objects.Verified References:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html

https://repost.aws/knowledge-center/s3-access-denied-error-kms

https://repost.aws/knowledge-center/cross-account-access-denied-error-s3

Question 4

[Identity and Access Management]

A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented a Service Control Policy (SCP) in the root account to prevent resources from being shared with external accounts.

The company now needs to allow applications in its marketing team's AWS account to share resources with external accounts. The company must continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization are members of the same Organizational Unit (OU).

Which solution will meet these requirements?

ACreate a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.

BEdit the existing SCP to add a Condition statement that excludes the marketing team's account.

CEdit the existing SCP to include an Allow statement that specifies the marketing team's account.

DCreate an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.
Comprehensive and Detailed Explanation From Exact Extract:
Service Control Policies (SCPs) are applied at the AWS Organizations level to manage what permissions are available across accounts. SCPs do not grant permissions themselves but restrict them.
In this case, the existing SCP denies resource sharing with external accounts across the organization. To allow an exception for the marketing team, the correct solution is to edit the existing SCP and apply a Condition that excludes the marketing team's account. This is typically done using the StringNotEquals condition with the aws:PrincipalAccount or aws:PrincipalOrgID key.
By using a condition statement, you can tailor the SCP to deny access only to accounts other than the marketing account. This method ensures granular control without having to restructure the Organizational Unit (OU) or write an entirely separate policy.
Reference from AWS Certified Security - Specialty Official Guide:
This scenario is covered under the Identity and Access Management domain, where SCP exceptions and conditions are used to precisely control permission inheritance across accounts in an organization.

Answer : B

Question 5

[Identity and Access Management]

A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

AThe CMK is used in the attempt does not exist.

BThe CMK is used in the attempt needs to be rotated.

CThe CMK is used in the attempt is using the CMKs key ID instead of the CMK ARN.

DThe CMK is used in the attempt is not enabled.

EThe CMK is used in the attempt is using an alias.

Answer : A, D

https://docs.IAM.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-cmk-fail

Question 6

[Identity and Access Management]

A company uses an organization in AWS Organizations to manage hundreds of AWS accounts. Some of the accounts provide access to external AWS principals through cross-account IAM roles and Amazon S3 bucket policies.

The company needs to identify which external principals have access to which accounts.

Which solution will provide this information?

AEnable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.

BCreate a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter findings by AWS account ID.

CActivate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the last role resource type and the S3 bucket policy resource type.

DConfigure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/AnomalousBehavior finding type.
Comprehensive and Detailed Explanation From Exact Extract:
IAM Access Analyzer can be enabled at the organization level and configured to use the org as a zone of trust. It scans IAM policies and S3 bucket policies across accounts and identifies external principals (from other AWS accounts or public access) that have access to resources.
This is the most accurate and least operationally complex method for cross-account access visibility and is highlighted under IAM governance and security controls.

Answer : A

Question 7

A company has several Amazon S3 buckets thai do not enforce encryption in transit A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets.

Which solution will meet these requirements'?

AEnable AWS Config Create a proactive AWS. Config Custom Policy rule Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

BEnable AWS Config Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid Create an AWS Systems Manager.
Automation runbook that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False Configure automatic remediation Set the runbook as the target of the rule.

CEnable Amazon Inspector Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False Set the Lambda function as the target of the rule.

DCreate an AWS CloudTrail trail Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Answer : B

Amazon AWS Certified Security - Specialty SCS-C02 Exam Practice Test