SCS-C02 Free Practice Test

- (Exam Topic 1)
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?

1. A. In the security group of the EC2 instance, allow inbound ICMP traffic.
2. B. In the security group of the EC2 instance, allow outbound ICMP traffic.
3. C. In the VPC's NACL, allow inbound ICMP traffic.
4. D. In the VPC's NACL, allow outbound ICMP traffic.

Correct Answer: D

- (Exam Topic 1)
A company's information security team want to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the study, the Engineer needs gather logs from all of the company's IAM accounts in a single place.
How should the Security Engineer go about doing this?

1. A. Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
2. B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source accoun
3. C. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
4. D. Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.
5. E. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each accoun
6. F. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Correct Answer: D
Read the prerequisites in the question carefully. The solution must support "near real time" analysis of the log data. Cloudwatch doesn't stream logs to S3; it supports exporting them to S3 with an up to 12 hour expected delay:
https://docs.IAM.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html
"Log data can take up to 12 hours to become available for export. For near real-time analysis of log data, see Analyzing log data with CloudWatch Logs Insights or Real-time processing of log data with subscriptions instead."
https://docs.IAM.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html
"You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an Amazon Kinesis stream, an Amazon Kinesis Data Firehose stream, or IAM Lambda for custom processing, analysis, or loading to other systems. When log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip format."
https://docs.IAM.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

- (Exam Topic 1)
A security engineer need to ensure their company’s uses of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.
Which solution meets these requirements?

1. A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
2. B. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.
3. C. Set up a rule in IAM config to trigger root user event
4. D. Trigger an IAM Lambda function and generate notifications using Amazon SNS.
5. E. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Correct Answer: A

- (Exam Topic 4)
Your company uses IAM to host its resources. They have the following requirements
1) Record all API calls and Transitions
2) Help in understanding what resources are there in the account
3) Facility to allow auditing credentials and logins Which services would suffice the above requirements Please select:

1. A. IAM Inspector, CloudTrail, IAM Credential Reports
2. B. CloudTrai
3. C. IAM Credential Reports, IAM SNS
4. D. CloudTrail, IAM Config, IAM Credential Reports
5. E. IAM SQS, IAM Credential Reports, CloudTrail

Correct Answer: C
You can use IAM CloudTrail to get a history of IAM API calls and related events for your account. This history includes calls made with the IAM Management Console, IAM Command Line Interface, IAM SDKs, and other IAM services.
Options A,B and D are invalid because you need to ensure that you use the services of CloudTrail, IAM Config, IAM Credential Reports
For more information on Cloudtrail, please visit the below URL:
http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-user-guide.html
IAM Config is a service that enables you to assess, audit and evaluate the configurations of your IAM resources. Config continuously monitors and records your IAM resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between IAM resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, char management and operational troubleshooting.
For more information on the config service, please visit the below URL https://IAM.amazon.com/config/
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the IAM Management Console, the IAM SDKs and Command Line Tools, or the IAM API.
For more information on Credentials Report, please visit the below URL: http://docs.IAM.amazon.com/IAM/latest/UserGuide/id credentials_getting-report.html
The correct answer is: CloudTrail, IAM Config, IAM Credential Reports Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)

1. A. Detach the elastic network interface from the EC2 instance.
2. B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
3. C. Disable any Amazon Route 53 health checks associated with the EC2 instance.
4. D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
5. E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
6. F. Add a rule to an IAM WAF to block access to the EC2 instance.

Correct Answer: BDE
https://d1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf