SCS-C02 Free Practice Test

- (Exam Topic 2)
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance'?

1. A. Use IAM Certificate Manager to request a certificat
2. B. Use that certificate to encrypt data prior to uploading it to DynamoDB.
3. C. Enable S3 server-side encryption with the customer-provided key
4. D. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
5. E. Create a KMS master ke
6. F. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoD
7. G. Dispose of the cleartext and encrypted data keys after encryption without storing.
8. H. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Correct Answer: D
Follow the link:
https://docs.IAM.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html

- (Exam Topic 2)
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

1. A. Use IAM Systems Manager to store the credentials as Secure Strings Parameter
2. B. Secure by using an IAM KMS key.
3. C. Use IAM Key Management System to store a master key, which is used to encrypt the credential
4. D. The encrypted credentials are stored in an Amazon RDS instance.
5. E. Use IAM Secrets Manager to store the credentials.
6. F. Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Correct Answer: A
https://docs.IAM.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html

- (Exam Topic 3)
Your organization is preparing for a security assessment of your use of IAM. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

1. A. Create individual IAM users
2. B. Configure MFA on the root account and for privileged IAM users
3. C. Assign IAM users and groups configured with policies granting least privilege access
4. D. Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, andX.509 certificate

Correct Answer: ABC
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.
Option D is invalid because as per the dashboard, this is not part of the security recommendation For more information on best security practices please visit the URL:
https://IAM.amazon.com/whitepapers/IAM-security-best-practices;
The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users. Assign IAM users and groups configured with policies granting least privilege access
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below
Please select:

1. A. Add the EC2 instance role as a trusted service to the SSM service role.
2. B. Add permission to use the KMS key to decrypt to the SSM service role.
3. C. Add permission to read the SSM parameter to the EC2 instance rol
4. D. .
5. E. Add permission to use the KMS key to decrypt to the EC2 instance role
6. F. Add the SSM service role as a trusted service to the EC2 instance role.

Correct Answer: CD
The below example policy from the IAM Documentation is required to be given to the EC2 Instance in order to read a secure string from IAM KMS. Permissions need to be given to the Get Parameter API and the KMS API call to decrypt the secret.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM Option B is invalid because the KMS key does not need to decrypt the SSM service role.
Option E is invalid because this configuration is valid For more information on the parameter store, please visit the below URL:
https://docs.IAM.amazon.com/kms/latest/developerguide/services-parameter-store.htmll
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role., Add permission to use the KMS key to decrypt to the EC2 instance role
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A convoys data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3.
Which solution meets these requirements?

1. A. Use client-side encryption with an IAM KMS customer-managed key implemented with the IAM Encryption SDK
2. B. Use IAM CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3
3. C. Use an IAM KMS customer-managed key that is backed by a custom key store using IAM CloudHSM
4. D. Use an IAM KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in IAM CloudHSM

Correct Answer: B