SCS-C02 Free Practice Test

- (Exam Topic 4)
A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)
A)

B)

C)

D)

E)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D
5. E. Option E

Correct Answer: AD

- (Exam Topic 1)
A security engineer needs to configure monitoring and auditing for IAM Lambda.
Which combination of actions using IAM services should the security engineer take to accomplish this goal? (Select TWO.)

1. A. Use IAM Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
2. B. Use IAM CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.
3. C. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
4. D. Use IAM Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
5. E. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.

Correct Answer: AB

- (Exam Topic 1)
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.
What is a possible cause of the issue?

1. A. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
2. B. The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator
3. C. The S3 bucket policy fails to explicitly grant access to the Application Developer
4. D. The S3 bucket policy explicitly denies access to the Application Developer

Correct Answer: C

- (Exam Topic 1)
A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.
When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

1. A. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead
2. B. Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret
3. C. Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.
4. D. Add the following statement to the container instance IAM role policy
5. E. Add the following statement to the execution role policy.
6. F. Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secret Manager, and inject the environment variable
7. G. Ask the application team to redeploy the application.

Correct Answer: BEF

- (Exam Topic 4)
A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.
Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

1. A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
2. B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
3. C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
4. D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
5. E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Correct Answer: AC
For Enable Geo-Restriction, choose Yes. For Restriction Type, choose Whitelist to allow access to certain countries, or choose Blacklist to block access from certain countries. https://IAM.amazon.com/premiumsupport/knowledge-center/cloudfront-geo-restriction/