SCS-C02 Free Practice Test

- (Exam Topic 3)
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances.
* sgDB - associated with the database
* sgBastion - associated with the bastion host Which security group configuration will allow the application to be secure and functional?
Please select:

1. A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0 sgDB :allow port 3306 traffic from sgWeb and sgBastionsgBastion: allow port 22 traffic from the corporate IP address range
2. B. sgLB :aIlow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgLBsgBastion: allow port 22 traffic from the VPC IP address range
3. C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLBsgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the VPC IP address range
4. D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLBsgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range

Correct Answer: D
The Load Balancer should accept traffic on ow port 80 and 443 traffic from 0.0.0.0/0 The backend EC2 Instances should accept traffic from the Load Balancer
The database should allow traffic from the Web server
And the Bastion host should only allow traffic from a specific corporate IP address range Option A is incorrect because the Web group should only allow traffic from the Load balancer For more information on IAM Security Groups, please refer to below URL: https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/usins-network-security.htmll
The correct answer is: sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB
sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.
Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

1. A. Delete the access keys for the account root user in every account.
2. B. Create an admin IAM user with administrative privileges and delete the account root user in every account.
3. C. Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.
4. D. Enable multi-factor authentication (MFA) on every account root user in all accounts.
5. E. Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.
6. F. Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.

Correct Answer: ADE

- (Exam Topic 2)
A Security Engineer is working with a Product team building a web application on IAM. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

1. A. Create a custom authorization service using IAM Lambda.
2. B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
3. C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
4. D. Configure an Amazon Cognito identity pool to integrate with social login providers.
5. E. Update DynamoDB to store the user email addresses and passwords.
6. F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Correct Answer: BDE

- (Exam Topic 2)
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

1. A. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier functio
2. B. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.
3. C. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classificatio
4. D. For identified objects that contain PII, use the research function for auditing IAM CloudTrail logs and S3 bucket logs for GET operations.
5. E. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classificatio
6. F. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.
7. G. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classificatio
8. H. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

Correct Answer: B

- (Exam Topic 3)
You have a set of 100 EC2 Instances in an IAM account. You need to ensure that all of these instances are patched and kept to date. All of the instances are in a private subnet. How can you achieve this. Choose 2 answers from the options given below
Please select:

1. A. Ensure a NAT gateway is present to download the updates
2. B. Use the Systems Manager to patch the instances
3. C. Ensure an internet gateway is present to download the updates
4. D. Use the IAM inspector to patch the updates

Correct Answer: AB
Option C is invalid because the instances need to remain in the private: Option D is invalid because IAM inspector can only detect the patches
One of the IAM Blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup
For more information on patching Linux workloads in IAM, please refer to the Lin. https://IAM.amazon.com/blogs/security/how-to-patch-linux-workloads-on-IAMj
The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances
Submit your Feedback/Queries to our Experts