SCS-C02 Free Practice Test

- (Exam Topic 3)
A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?
Please select:

1. A. Access the S3 bucket through a proxy server
2. B. Access the S3 bucket through a NAT gateway.
3. C. Access the S3 bucket through a VPC endpoint for S3
4. D. Access the S3 bucket through the SSL protected S3 endpoint

Correct Answer: C
The IAM Documentation mentions the following
A VPC endpoint enables you to privately connect your VPC to supported IAM services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or IAM Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Option A is invalid because using a proxy server is not sufficient enough
Option B and D are invalid because you need secure communication which should not traverse the internet For more information on VPC endpoints please see the below link https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.htmll
The correct answer is: Access the S3 bucket through a VPC endpoint for S3 Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?

1. A. Use custom route tables to prevent malicious traffic from routing to the instances.
2. B. Update security groups to deny traffic from the originating source IP addresses.
3. C. Use network ACLs.
4. D. Install intrusion prevention software (IPS) on each instance.

Correct Answer: D
https://docs.IAM.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html NACL has limit 20 (can increase to maximum 40 rule), and more rule will make more low-latency

- (Exam Topic 3)
Which technique can be used to integrate IAM IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
Please select:

1. A. Use an IAM policy that references the LDAP account identifiers and the IAM credentials.
2. B. Use SAML (Security Assertion Markup Language) to enable single sign-on between IAM and LDAP.
3. C. Use IAM Security Token Service from an identity broker to issue short-lived IAM credentials.
4. D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.

Correct Answer: B
On the IAM Blog site the following information is present to help on this context
The newly released whitepaper. Single Sign-On: Integrating IAM, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with IAM. When you integrate your existing directory with IAM, your users can access IAM by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access IAM resources.
Option A.C and D are all invalid because in this sort of configuration, you have to use SAML to enable single sign on.
For more information on integrating IAM with LDAP for Single Sign-On, please visit the following URL:
https://IAM.amazon.eom/blogs/security/new-whitepaper-sinEle-sign-on-inteErating-IAM-openldap-and-shibbol
The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between IAM and LDAP. Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the IAM CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

1. A. Change the value of IAM MultiFactorAuthPresent to true.
2. B. Instruct users to run the IAM sts get-session-token CLI command and pass the multi-factor authentication —serial-number and —token-code parameter
3. C. Use these resulting values to make API/CLI calls
4. D. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
5. E. Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and —token-code parameters Store the resulting values in environment variable
6. F. Add sts:AssumeRole to NotAction in the policy.

Correct Answer: B

- (Exam Topic 3)
You are planning on using the IAM KMS service for managing keys for your application. For which of the following can the KMS CMK keys be used for encrypting? Choose 2 answers from the options given below
Please select:

1. A. Image Objects
2. B. Large files
3. C. Password
4. D. RSA Keys

Correct Answer: CD
The CMK keys themselves can only be used for encrypting data that is maximum 4KB in size. Hence it can be used for encryptii information such as passwords and RSA keys.
Option A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data and not large amoui of data. You have to generate the data key from the CMK key in order to encrypt high amounts of data
For more information on the concepts for KMS, please visit the following URL: https://docs.IAM.amazon.com/kms/latest/developereuide/concepts.htmll
The correct answers are: Password, RSA Keys Submit your Feedback/Queries to our Experts