SCS-C02 Free Practice Test

- (Exam Topic 3)
In order to encrypt data in transit for a connection to an IAM RDS instance, which of the following would you implement
Please select:

1. A. Transparent data encryption
2. B. SSL from your application
3. C. Data keys from IAM KMS
4. D. Data Keys from CloudHSM

Correct Answer: B
This is mentioned in the IAM Documentation
You can use SSL from your application to encrypt a connection to a DB instance running MySQL MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.
Option A is incorrect since Transparent data encryption is used for data at rest and not in transit Options C and D are incorrect since keys can be used for encryption of data at rest
For more information on working with RDS and SSL, please refer to below URL: https://docs.IAM.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
The correct answer is: SSL from your application Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.
Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.
The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.
How will the security engineer be able to comply with these requirements?

1. A. Remove the existing NAT gatewa
2. B. Create a new NAT gateway that only the application server subnets can use.
3. C. Configure the DB instance€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.
4. D. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
5. E. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Correct Answer: C
Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.

- (Exam Topic 3)
A company wants to use Cloudtrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below
Please select:

1. A. Create one Cloudtrail log group for data events
2. B. Create one trail that logs data events to an S3 bucket
3. C. Create another trail that logs management events to another S3 bucket
4. D. Create another Cloudtrail log group for management events

Correct Answer: BC
The IAM Documentation mentions the following
You can configure multiple trails differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events, so that all read-only events are delivered to one S3 bucket. Another trail can log only write-only data and management events, so that all write-only events are delivered to a separate S3 bucket
Options A and D are invalid because you have to create a trail and not a log group
For more information on managing events with cloudtrail, please visit the following URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/loHEing-manasement-and-data-events-with-cloud The correct answers are: Create one trail that logs data events to an S3 bucket. Create another trail that logs management events to another S3 bucket
Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this.
Please select:

1. A. Use S3 SSE and use SSL for data in transit
2. B. SSL termination on the ELB
3. C. Enabling Proxy Protocol
4. D. Enabling sticky sessions on your load balancer

Correct Answer: A
By disabling SSL termination, you are leaving an unsecure connection from the ELB to the back end instances. Hence this means that part of the data transit is not being encrypted.
Option B is incorrect because this would not guarantee complete encryption of data in transit Option C and D are incorrect because these would not guarantee encryption
For more information on SSL Listeners for your load balancer, please visit the below URL: http://docs.IAM.amazon.com/elasticloadbalancine/latest/classic/elb-https-load-balancers.htmll The correct answer is: Use S3 SSE and use SSL for data in transit
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the togging server but the web server never receives a reply
Which of the following actions could fix this issue1?

1. A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server
2. B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
3. C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection
4. D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

Correct Answer: C