Amazon SCS-C02 Exam Practice Test Instant Access

Question 1

[Data Protection]

A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

Which solution meets these requirements?

AUse IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

BUse IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

CStore the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

DStore the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Answer : A

Question 2

[Infrastructure Security]

A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store(Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance

The EC2 instance will not start and transitions from the pending state to the shutting-down state to the terminated state

Which combination of steps should a security engineer take to troubleshoot this issue? (Select TWO )

AVerify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume

BVerify that the KMS key that is associated with the EBS volume is set to the Symmetric key type

CVerify that the KMS key that is associated with the EBS volume is in the Enabled state

DVerify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume

EVerify that the key that is associated with the EBS volume has not expired and needs to be rotated

Answer : C, D

To troubleshoot the issue of an EC2 instance failing to start and transitioning to a terminated state when it has an EBS volume encrypted with an AWS KMS customer managed key, a security engineer should take the following steps:

C . Verify that the KMS key that is associated with the EBS volume is in the Enabled state. If the key is not enabled, it will not function properly and could cause the EC2 instance to fail.

D . Verify that the EC2 role that is associated with the instance profile has the correct IAM instance policy to launch an EC2 instance with the EBS volume. If the instance does not have the necessary permissions, it may not be able to mount the volume and could cause the instance to fail.

Therefore, options C and D are the correct answers.

[1] 'Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes ...'.

Question 3

[Incident Response]

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet.

The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905.

Which solution will identify the affected EC2 instances with the LEAST operational effort?

ACreate a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

BEnable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

CEnable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

DCreate a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Answer : B

Enable VPC Flow Logs:

VPC flow logs capture details about the network traffic in your VPC, including both accepted and rejected traffic.

Configure the flow logs to capture traffic for the subnet where the affected EC2 instances are located.

Filter Rejected Traffic:

In the flow log configuration, ensure that you capture rejected traffic (log-status = REJECT).

This will provide a record of instances that attempted to communicate on TCP port 2905 and were blocked by the NACL rule.

Analyze Flow Logs:

Search the flow log records for entries where:

destination-port = 2905

log-status = REJECT

This will help identify the specific EC2 instances attempting to communicate on TCP port 2905.

Advantages of Using VPC Flow Logs:

Cost-effective: No additional infrastructure or services are required.

Scalable: Automatically captures traffic across the subnet without manual intervention.

Detailed Logs: Provides granular details about the rejected traffic.

VPC Flow Logs Documentation

Filtering VPC Flow Logs

Question 4

[Identity and Access Management]

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same 1AM instance profile However three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties

How can a security engineer provide the access to meet these requirements'?

AAssign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Inventory to select the EC2 instance and connect

BAssign an 1AM policy to the 1AM user accounts to provide permission to use AWS Systems Manager Run Command Remove the SSH keys from the EC2 instances Use Run Command to open an SSH connection to the EC2 instance

CAssign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Session Manager to select the EC2 instance and connect

DAssign an 1AM policy to the 1AM user accounts to provide permission to use the EC2 service in the AWS Management Console Remove the SSH keys from the EC2 instances Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method

Answer : C

To provide access to the three individuals who have IAM user accounts to access the Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile, the most appropriate solution would be to assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager, provide the IAM user accounts with permission to use Systems Manager, remove the SSH keys from the EC2 instances, and use Systems Manager Session Manager to select the EC2 instance and connect.

References: :AWS Systems Manager Session Manager - AWS Systems Manager:AWS Systems Manager - AWS Management Console:AWS Identity and Access Management - AWS Management Console:Amazon Elastic Compute Cloud - Amazon Web Services:Amazon Linux 2 - Amazon Web Services:AWS Systems Manager - AWS Management Console:AWS Systems Manager - AWS Management Console:AWS Systems Manager - AWS Management Console

Question 5

[Infrastructure Security]

A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.

Which combination of steps will meet this requirement? (Choose two.)

AStop the instance. Detach the root volume. Generate a new key pair.

BKeep the instance running. Detach the root volume. Generate a new key pair.

CWhen the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

DWhen the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

EWhen the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.

Answer : A, C

If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance.https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#replacing-lost-key-pai

Question 6

[Identity and Access Management]

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.

How should the security engineer prevent unauthorized access to the EC2 instances?

ADelete the key pair from the EC2 console. Create a new key pair.

BUse the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

CRestrict SSH access in the security group to only known corporate IP addresses.

DUpdate the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Answer : C

To prevent unauthorized access to the EC2 instances, the security engineer should do the following:

Restrict SSH access in the security group to only known corporate IP addresses. This allows the security engineer to use a virtual firewall that controls inbound and outbound traffic for their EC2 instances, and limit SSH access to only trusted sources.

Question 7

[Identity and Access Management]

A company uses AWS Organizations. The company wants to implement short-term cre-dentials for third-party AWS accounts to use to access accounts within the com-pany's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.

Which solution will meet these requirements?

AUse a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.

BImplement AWS IAM Identity Center (AWS Single Sign-On), and use an identi-ty source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.

CCreate a unique IAM role for each external account. Create a trust policy. Use AWS Secrets Manager to create a random external key.

DCreate a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:Externalld condition key.

Answer : D

The correct answer is D.

To implement short-term credentials for third-party AWS accounts, you can use IAM roles and trust policies. A trust policy is a policy document that defines who can assume the role. You can specify the AWS account ID of the third-party account as a principal in the trust policy, and use the sts:ExternalId condition key to enhance the security of the role. The sts:ExternalId condition key is a unique identifier that is agreed upon by both parties and included in the AssumeRole request. This way, you can prevent the ''confused deputy'' problem, where an unauthorized party can use the same role as a legitimate party.

Option A is incorrect because bearer token authentication with OAuth or SAML is not suitable for granting access to AWS accounts and resources. Amazon Cognito and API Gateway are used for building web and mobile applications that require user authentication and authorization.

Option B is incorrect because AWS IAM Identity Center (AWS Single Sign-On) is a service that simplifies the management of access to multiple AWS accounts and cloud applications for your workforce users. It does not support granting access to third-party AWS accounts.

Option C is incorrect because using AWS Secrets Manager to create a random external key is not necessary and adds operational complexity. You can use the sts:ExternalId condition key instead to provide a unique identifier for each external account.

Amazon SCS-C02 AWS Certified Security - Specialty Exam Practice Test