SCS-C02 Free Practice Test

- (Exam Topic 2)
A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized IAM IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.
What does the Administrator need to change to grant access to the user?

1. A. Change the “Resource” from “arn: IAM:s3:::Bucket” to “arn:IAM:s3:::Bucket/*”.
2. B. Change the “Principal” from “*” to {IAM:”arn:IAM:iam: : account-number: user/username”}
3. C. Change the “Version” from “2012-10-17” to the last revised date of the policy
4. D. Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Correct Answer: A

- (Exam Topic 1)
An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

1. A. Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.
2. B. Move the web servers to private subnets without public IP addresses.
3. C. Configure IAM WAF to provide DDoS attack protection for the ALB.
4. D. Require all inbound network traffic to route through a bastion host in the private subnet.
5. E. Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Correct Answer: BC

- (Exam Topic 4)
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAM Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

1. A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
2. B. The object ACLs are not being updated to allow the users within the centralized account to access the objects
3. C. The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket
4. D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Correct Answer: C

- (Exam Topic 2)
A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?
Please select:

1. A. Use KMS and the normal KMS encryption keys
2. B. Use KMS and use an external key material
3. C. Use S3 Server Side encryption
4. D. Use Cloud HSM

Correct Answer: D
The IAM Documentation mentions the following
The IAM CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the IAM cloud. IAM and IAM Marketplace partners offer a variety of solutions for protecting sensitive data within the IAM platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are desigr and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Option A.B and Care invalid because in all of these cases, the management of the key will be with IAM. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with Cloud HSM
For more information on CloudHSM, please visit the following URL: https://IAM.amazon.com/cloudhsm/faq:
The correct answer is: Use Cloud HSM Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
How can you ensure that instance in an VPC does not use IAM DNS for routing DNS requests. You want to use your own managed DNS instance. How can this be achieved?
Please select:

1. A. Change the existing DHCP options set
2. B. Create a new DHCP options set and replace the existing one.
3. C. Change the route table for the VPC
4. D. Change the subnet configuration to allow DNS requests from the new DNS Server

Correct Answer: B
In order to use your own DNS server, you need to ensure that you create a new custom DHCP options set with the IP of th custom DNS server. You cannot modify the existing set, so you need to create a new one.
Option A is invalid because you cannot make changes to an existing DHCP options Set.
Option C is invalid because this can only be used to work with Routes and not with a custom DNS solution.
Option D is invalid because this needs to be done at the VPC level and not at the Subnet level For more information on DHCP options set, please visit the following url https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC DHCP Options.html
The correct answer is: Create a new DHCP options set and replace the existing one. Submit your Feedback/Queries to our Experts