SCS-C02 Free Practice Test

- (Exam Topic 2)
Which of the following minimizes the potential attack surface for applications?

1. A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
2. B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific IAM resource.
3. C. Use IAM Direct Connect for secure trusted connections between EC2 instances within private subnets.
4. D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Correct Answer: A
https://IAM.amazon.com/answers/networking/vpc-security-capabilities/ Security Group is stateful and hypervisor level.

- (Exam Topic 4)
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.
The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?

1. A. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluste
2. B. For auditing, use Amazon Athena
3. C. To create the keys use Amazon S3 and the custom key stores with the CloudHSM cluste
4. D. For auditing use AWS CloudTrail.
5. E. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluste
6. F. For auditing, use Amazon GuardDuty.
7. G. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluste
8. H. For auditing, use AWS CloudTrail.

Correct Answer: D
AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the AWS KMS HSMs unencrypted. https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html

- (Exam Topic 1)
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific loT device brand that is visible in the user agent A security engineer needs to mitigate the attack without impacting the availability of the public website.
What should the security engineer do to accomplish this?

1. A. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT devic
2. B. Associate the v/eb ACL with the ALB.
3. C. Configure an Amazon CloudFront distribution to use the ALB as an origi
4. D. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT devic
5. E. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.
6. F. Configure an Amazon CloudFront distribution to use a new ALB as an origi
7. G. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT devic
8. H. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.
9. I. Activate IAM Shield Advanced to enable DDoS protectio
10. J. Apply an IAM WAF ACL to the AL
11. K. andconfigure a listener rule on the ALB to block loT devices based on the user agent.

Correct Answer: D

- (Exam Topic 2)
A company requires that IP packet data be inspected for invalid or malicious content. Which of the following approaches achieve this requirement? (Choose two.)

1. A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through i
2. B. Perform inspection within proxy software on the EC2 instance.
3. C. Configure the host-based agent on each EC2 instance within the VP
4. D. Perform inspection within the host-based agent.
5. E. Enable VPC Flow Logs for all subnets in the VP
6. F. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
7. G. Configure Elastic Load Balancing (ELB) access log
8. H. Perform inspection from the log data within the ELB access log files.
9. I. Configure the CloudWatch Logs agent on each EC2 instance within the VP
10. J. Perform inspection from the log data within CloudWatch Logs.

Correct Answer: AB
“EC2 Instance IDS/IPS solutions offer key features to help protect your EC2 instances. This includes alerting administrators of malicious activity and policy violations, as well as identifying and taking action against attacks. You can use IAM services and third party IDS/IPS solutions offered in IAM Marketplace to stay one step ahead of potential attackers.”

- (Exam Topic 2)
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and IAM STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: A
It says specific accounts which mean specific governed OUs under your organization and you apply specific service control policy to these OUs.