SCS-C02 Free Practice Test

- (Exam Topic 2)
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

1. A. Use an EC2 run command to confirm that the “IAMlogs” service is running on all instances.
2. B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
3. C. Check whether any application log entries were rejected because of invalid time stamps by reviewing/var/cwlogs/rejects.log.
4. D. Check that the trust relationship grants the service “cwlogs.amazonIAM.com” permission to write objects to the Amazon S3 staging bucket.
5. E. Verify that the time zone on the application servers is in UTC.

Correct Answer: AB
EC2 run command - can run scripts, install software, collect metrics and log files, manage patches and more. Bringing these two services together - can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.

- (Exam Topic 3)
A company has a set of EC2 instances hosted in IAM. These instances have EBS volumes for storing critical information. There is a business continuity requirement and in order to boost the agility of the business and to ensure data durability which of the following options are not required.
Please select:

1. A. Use lifecycle policies for the EBS volumes
2. B. Use EBS Snapshots
3. C. Use EBS volume replication
4. D. Use EBS volume encryption

Correct Answer: CD
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.
You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots
taken to back up your Amazon EBS volumes.
With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
• Resource type—The IAM resource managed by the policy, in this case, EBS volumes.
• Target tag—The tag that must be associated with an EBS volume for it to be managed by the policy.
• Schedule—Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
Option C is correct. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. But it does not have an explicit feature like that.
Option D is correct Encryption does not ensure data durability
For information on security for Compute Resources, please visit the below URL https://d1.IAMstatic.com/whitepapers/Security/Security Compute Services Whitepaper.pdl
The correct answers are: Use EBS volume replication. Use EBS volume encryption Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.
Which solution meets these requirements with the MOST operational efficiency?

1. A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability packag
2. B. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run start
3. C. Configure the Lambda function to retrieve and evaluate the assessment run report when it complete
4. D. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
5. E. Use the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not complian
6. F. Use the IAM Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
7. G. Configure VPC Flow Logs for the VP
8. H. and specify an Amazon CloudWatch Logs grou
9. I. Subscribe the CloudWatch Logs group to an IAM Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
10. J. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices packag
11. K. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run start
12. L. Configure the Lambda function to retrieve and evaluate the assessment run report when it complete
13. M. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.

Correct Answer: A

- (Exam Topic 4)
A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services. Which change to the policy should the security engineer make to resolve these issues?

1. A. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
2. B. In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
3. C. In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.
4. D. In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Correct Answer: C

- (Exam Topic 4)
A company in France uses Amazon Cognito with the Cognito Hosted Ul as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France.
When the company launches the application the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France.
The security team needs a solution to perform custom validation at sign-up Based on the results of the validation the solution must accept or deny the registration request.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Create a pre sign-up AWS Lambda trigge
2. B. Associate the Amazon Cognito function with the Amazon Cognito user pool.
3. C. Use a geographic match rule statement to configure an AWS WAF web AC
4. D. Associate the web ACL with the Amazon Cognito user pool.
5. E. Configure an app client for the application's Amazon Cognito user poo
6. F. Use the app client ID to validate the requests in the hosted Ul.
7. G. Update the application's Amazon Cognito user pool to configure a geographic restriction setting.
8. H. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Correct Answer: B
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html