SCS-C02 Free Practice Test

- (Exam Topic 4)
A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.
Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.
Which additional configuration steps should the security engineer take to complete the task?

1. A. For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.
2. B. For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team nam
3. C. Attach the resuming policies to the corresponding IAM roles.
4. D. Tag each IAM role with a Team lag ke
5. E. and use the team name in the tag valu
6. F. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.
7. G. Tag each IAM role with the Team key, and use the team name in the tag valu
8. H. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Correct Answer: A

- (Exam Topic 1)
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

1. A. Use IAM Certificate Manager to encrypt all traffic between the client and application servers.
2. B. Review the application security groups to ensure that only the necessary ports are open.
3. C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
4. D. Use Amazon Inspector to periodically scan the backend instances.
5. E. Use IAM Key Management Services to encrypt all the traffic between the client and application servers.

Correct Answer: BD

- (Exam Topic 3)
You have a set of Customer keys created using the IAM KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this.
Please select:

1. A. You have not explicitly given access via the key policy
2. B. You have not explicitly given access via the IAM policy
3. C. You have not given access via the IAM roles
4. D. You have not explicitly given access via IAM users

Correct Answer: A
By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explii update the default key policy for these keys.
Option B,C and D are invalid because the key policy is the main entity used to provide access to the keys For more information on upgrading key policies please visit the following URL: https://docs.IAM.ama20n.com/kms/latest/developerguide/key-policy-upgrading.html
(
The correct answer is: You have not explicitly given access via the key policy Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your company has an EC2 Instance hosted in IAM. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what the type of error that is occurring? Which one of the below steps can help address this issue?
Please select:

1. A. Use the VPC Flow Logs.
2. B. Use a network monitoring tool provided by an IAM partner.
3. C. Use another instanc
4. D. Setup a port to "promiscuous mode" and sniff the traffic to analyze the packet
5. E. Use Cloudwatch metric

Correct Answer: B

- (Exam Topic 2)
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

1. A. Remove the instance from the load balancer and terminate it.
2. B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
3. C. Reboot the instance and check for any Amazon CloudWatch alarms.
4. D. Stop the instance and make a snapshot of the root EBS volume.

Correct Answer: B
https://d1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf