SCS-C02 Free Practice Test

- (Exam Topic 4)
An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.
How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

1. A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action
2. B. Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.
3. C. Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3
4. D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

Correct Answer: B

- (Exam Topic 1)
A company’s security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled
The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website
Which set or steps should the security engineer implement next?

1. A. Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level
2. B. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings
3. C. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level
4. D. Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Correct Answer: A

- (Exam Topic 3)
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
Please select:

1. A. Save the API credentials to your PHP files.
2. B. Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
3. C. Save your API credentials in a public Github repository.
4. D. Pass API credentials to the instance using instance userdata.

Correct Answer: B
Applications must sign their API requests with IAM credentials. Therefore, if you are an application
developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your IAM credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance. especially those that IAM creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your IAM credentials.
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you manage the security credentials that the applications use.
Option A.C and D are invalid because using IAM Credentials in an application in production is a direct no recommendation 1 secure access
For more information on IAM Roles, please visit the below URL:
http://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
The correct answer is: Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.
What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below
Please select:

1. A. Create an S3 bucket in a dedicated log account and grant the other accounts write only acces
2. B. Deliver all log files from every account to this S3 bucket.
3. C. Write a Lambda function that queries the Trusted Advisor Cloud Trail check
4. D. Run the function every 10 minutes.
5. E. Enable CloudTrail log file integrity validation
6. F. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
7. G. Create a Security Group that blocks all traffic except calls from the CloudTrail servic
8. H. Associate the security group with) all the Cloud Trail destination S3 buckets.

Correct Answer: AC
The IAM Documentation mentions the following
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log fill integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
Option B is invalid because there is no such thing as Trusted Advisor Cloud Trail checks Option D is invalid because Systems Manager cannot be used for this purpose.
Option E is invalid because Security Groups cannot be used to block calls from other services For more information on Cloudtrail log file validation, please visit the below URL:
https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-loe-file-validation-intro.htmll For more information on delivering Cloudtrail logs from multiple accounts, please visit the below URL:
https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.ht
The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket, Enable Cloud Trail log file integrity validation
Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances
There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivity
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

1. A. The route tables and the outbound rules on the appropriate private subnet security group
2. B. The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet
3. C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet
4. D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances
5. E. The Security Group applied to the Application Load Balancer and NAT gateway
6. F. That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Correct Answer: CEF