SCS-C02 Free Practice Test

- (Exam Topic 1)
A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes
What is the MOST secure way to accomplish this?

1. A. Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool
2. B. Search for the public key with a key ID that matches the key ID In the header of the toke
3. C. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date
4. D. Verify that the token is not expire
5. E. Then use the token_use claim function In Amazon Cognito to validate the key IDs
6. F. Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem fil
7. G. Then use the file to validate the original JWT.

Correct Answer: A

- (Exam Topic 2)
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in IAM CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

1. A. Ensure that the log file integrity validation mechanism is enabled.
2. B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
3. C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
4. D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.
5. E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

Correct Answer: AD

- (Exam Topic 3)
A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan have been made since its creation. Which of the following is a right statement with regards to the plan?
Please select:

1. A. It places too much emphasis on already implemented security controls.
2. B. The response plan is not implemented on a regular basis
3. C. The response plan does not cater to new services
4. D. The response plan is complete in its entirety

Correct Answer: C
So definitely the case here is that the incident response plan is not catering to newly created services. IAM keeps on changing and adding new services and hence the response plan must cater to these new services.
Option A and B are invalid because we don't know this for a fact.
Option D is invalid because we know that the response plan is not complete, because it does not cater to new features of IAM
For more information on incident response plan please visit the following URL: https://IAM.amazon.com/blogs/publicsector/buildins-a-cloud-specific-incident-response-plan;
The correct answer is: The response plan does not cater to new services Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your company is hosting a set of EC2 Instances in IAM. They want to have the ability to detect if any port scans occur on their IAM EC2 Instances. Which of the following can help in this regard?
Please select:

1. A. Use IAM inspector to consciously inspect the instances for port scans
2. B. Use IAM Trusted Advisor to notify of any malicious port scans
3. C. Use IAM Config to notify of any malicious port scans
4. D. Use IAM Guard Duty to monitor any malicious port scans

Correct Answer: D
The IAM blogs mention the following to support the use of IAM GuardDuty
GuardDuty voraciously consumes multiple data streams, including several threat intelligence feeds, staying aware of malicious addresses, devious domains, and more importantly, learning to accurately identify malicious or unauthorized behavior in your IAM accounts. In combination with information gleaned from your VPC Flow Logs, IAM CloudTrail Event Logs, and DNS logs, th allows GuardDuty to detect many different types of dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations. On the IAM side, it looks for suspicious IAM account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to IAM API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency.
Options A, B and C are invalid because these services cannot be used to detect port scans For more information on IAM Guard Duty, please refer to the below Link:
https://IAM.amazon.com/blogs/IAM/amazon-guardduty-continuous-security-monitoring-threat-detection; (
The correct answer is: Use IAM Guard Duty to monitor any malicious port scans Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company requires that data stored in IAM be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.
Please select:

1. A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
2. B. When storing data in EBS, encrypt the volume by using IAM KMS.
3. C. When storing data in Amazon S3, use object versioning and MFA Delete.
4. D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
5. E. When storing data in S3, enable server-side encryption.

Correct Answer: BE
The IAM Documentation mentions the following
To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the IAM-managed CMK for Amazon EBS in your account. If there is no IAM-managed CMK for Amazon EBS in your account, Amazon EBS creates one.
Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options of protecting data at rest in Amazon S3.
• Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
• Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Option A is invalid because using EBS-optimized Amazon EC2 instances alone will not guarantee protection of instances at rest. Option C is invalid because this will not encrypt data at rest for S3 objects. Option D is invalid because you don't store data in Instance store. For more information on EBS encryption, please visit the below URL:
https://docs.IAM.amazon.com/kms/latest/developerguide/services-ebs.html For more information on S3 encryption, please visit the below URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsinEEncryption.html
The correct answers are: When storing data in EBS, encrypt the volume by using IAM KMS. When storing data in S3, enable server-side encryption.
Submit your Feedback/Queries to our Experts