SCS-C02 Free Practice Test

- (Exam Topic 1)
A Developer signed in to a new account within an IAM Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

1. A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
2. B. Add an IAM policy for the Developer, which grants S3 access.
3. C. Create a new OU without applying the SCP restricting S3 acces
4. D. Move the Developer account to this new OU.
5. E. Add an allow list for the Developer account for the S3 service.

Correct Answer: C

- (Exam Topic 4)
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

1. A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated accoun
2. B. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
3. C. Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated accountAssign the cross-account rote to the new IAM user.
4. D. Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central accoun
5. E. Use thecross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
6. F. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated accoun
7. G. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Correct Answer: A
https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-share-clusters/#:~:text=In the nav

- (Exam Topic 4)
A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User=1, User2. and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1. User2, and User3. Which solution meets these requirements?
A)

B)

C)

D)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: A

- (Exam Topic 1)
A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.
Which of the following are required for this configuration to work? (Select TWO.)

1. A. The developer must configure Lambda access to the VPC using the --vpc-config parameter.
2. B. The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.
3. C. The KMS key policy must allow permissions for the developer to use the KMS key.
4. D. The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.
5. E. The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Correct Answer: BC

- (Exam Topic 1)
A Security Engineer accidentally deleted the imported key material in an IAM KMS CMK. What should the Security Engineer do to restore the deleted key material?

1. A. Create a new CM
2. B. Download a new wrapping key and a new import token to import the original key material
3. C. Create a new CMK Use the original wrapping key and import token to import the original key material.
4. D. Download a new wrapping key and a new import token Import the original key material into the existing CMK.
5. E. Use the original wrapping key and import token Import the original key material into the existing CMK

Correct Answer: C