Big Cyber Monday Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Amazon Web Services AWS Certified Specialty SCS-C02 Questions and answers with Dumpstech

Exam SCS-C02 Premium Access

View all detail and faqs for the SCS-C02 exam

Go to Exam
Practice at least 50% of the questions to maximize your chances of passing.
Viewing page 1 out of 14 pages
Viewing questions 1-10 out of questions
Questions # 1:

A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music.

The company has implemented a security architecture oit>AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk.

A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an RPO of 1 hour.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

B.

Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

C.

Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

D.

Create EBS snapshots every 4 hours Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

Questions # 2:

A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling.

The company’s security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security engineer needs to implement private connectivity to AWS services.

Which combination of steps should the security engineer take to meet this requirement? (Select THREE.)

Options:

A.

Use an interface VPC endpoint for Amazon SQS

B.

Configure a connection to Amazon S3 through AWS Transit Gateway.

C.

Use a gateway VPC endpoint for Amazon S3.

D.

Modify the 1AM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.

E.

Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses

F.

Configure a connection to Amazon S3 through AWS Firewall Manager

Questions # 3:

A company that operates in a hybrid cloud environment must meet strict compliance requirements. The company wants to create a report that includes evidencefrom on-premises workloads alongside evidence from AWS resources. A security engineer must implement a solution to collect, review, and manage the evidence to demonstrate compliance with company policy.'

Which solution will meet these requirements?

Options:

A.

Create an assessment in AWS Audit Manager from a prebuilt framework or a custom framework. Upload manual evidence from the on-premises workloads. Add the evidence to the assessment. Generate an assessment report after Audit Manager collects the necessary evidence from the AWS resources.

B.

Install the Amazon CloudWatch agent on the on-premises workloads. Use AWS Config to deploy a conformance pack from a sample conformance pack template or a custom YAML template. Generate an assessment report after AWS Config identifies noncompliant workloads and resources.

C.

Set up the appropriate security standard in AWS Security Hub. Upload manual evidence from the on-premises workloads. Wait for Security Hub to collect the evidence from the AWS resources. Download the list of controls as a .csv file.

D.

Install the Amazon CloudWatch agent on the on-premises workloads. Create a CloudWatch dashboard to monitor the on-premises workloads and the AWS resources. Run a query on the workloads and resources. Download the results.

Questions # 4:

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) customer managed key grants tor users. Immediately after a grant is created, users must be able to use the KMS key to encrypt a 512-byte payload. During load testing. AccessDeniedException errors occur occasionally when a user first attempts to use the key to encrypt.

Which solution should the company's security specialist recommend to eliminate these AccessDeniedException errors?

Options:

A.

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

B.

Instruct the engineering team to consume a random grant token from users and to call the CreateGrant operation by passing the grant token to the operation. Instruct users to use that grant token in their call to encrypt.

C.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

D.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Questions # 5:

A company is running workloads on AWS. The workloads are in separate AWS accounts for development, testing, and production. All the company's developers can access the development account. A subset of the developers can access the testing account and the production account.

The company is spending too much time managing individual credentials for every developer across every environment. A security engineer must implement a more scalable solution that the company can use when a developer needs different access. The solution must allow developers to access resources across multiple accounts. The solution also must minimize credential sharing.

Which solution will meet these requirements?

Options:

A.

Use AWS Identity and Access Management Access Analyzer to identity the permissions that the developers need on each account. Configure 1AM Access Analyzer to automatically provision the correct access for each developer.

B.

Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.

C.

Create I AM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create 1AM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.

D.

Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.

Questions # 6:

A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this error?

Options:

A.

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

B.

Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

C.

Update the policy to keep the vault lock in place

D.

Update the policy. Call the initiate-vault-lock operation again to apply the new policy.

Questions # 7:

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

Options:

A.

Turn on IAM CloudTrail in each IAM account

B.

Turn on CloudTrail in only the account that will be storing the logs

C.

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

D.

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

E.

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Questions # 8:

A company's application team wants to replace an internal application with a new IAM architecture that consists of Amazon EC2 instances, an IAM Lambda function, and an Amazon S3 bucket in a single IAM Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in IAM Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways.

Which combination of steps should the application team take to meet these requirements? (Select THREE.)

Options:

A.

Create an S3 endpoint that has a full-access policy for the application's VPC.

B.

Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.

C.

Launch the Lambda function. Enable the block public access configuration.

D.

Create a security group that has an outbound rule over port 443 with a destination of the S3 endpomt. Associate the security group with the EC2 instances.

E.

Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.

F.

Launch the Lambda function in a VPC.

Questions # 9:

A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution

Which solution will meet these requirements MOST securely?

Options:

A.

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

B.

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

C.

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

D.

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

E.

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach theAmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data

Questions # 10:

An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances.

Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets.

A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other.

Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)

Options:

A.

Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

B.

Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

C.

Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.

D.

Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

E.

Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Viewing page 1 out of 14 pages
Viewing questions 1-10 out of questions