SCS-C02 Free Practice Test

- (Exam Topic 4)
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.
Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

1. A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
2. B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
3. C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
4. D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
5. E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Correct Answer: AC

- (Exam Topic 1)
A security engineer is asked to update an AW3 CoudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message. "There is a problem with the bucket policy''
What will enable the security engineer to saw the change?

1. A. Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console
2. B. Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolic
3. C. and then update the log file prefix in the CloudTrail console
4. D. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
5. E. Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

Correct Answer: C
https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#cloud

- (Exam Topic 3)
Your company has just started using IAM and created an IAM account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers fro the options given below
Please select:

1. A. Delete the root access account
2. B. Create an Admin IAM user with the necessary permissions
3. C. Change the password for the root account.
4. D. Delete the root access keys

Correct Answer: BD
The IAM Documentation mentions the following
All IAM accounts have root user credentials (that is, the credentials of the account owner). These credentials allow full access to all resources in the account. Because you cant restrict permissions for root user credentials, we recommend that you delete your root user access keys. Then create IAM Identity and Access Management (IAM) user credentials for everyday interaction with IAM.
Option A is incorrect since you cannot delete the root access account
Option C is partially correct but cannot be used as the ideal solution for safeguarding the account For more information on root access vs admin IAM users, please refer to below URL: https://docs.IAM.amazon.com/eeneral/latest/er/root-vs-iam.html
The correct answers are: Create an Admin IAM user with the necessary permissions. Delete the root access keys Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has implemented centralized logging and monitoring of IAM CloudTrail logs from all Regions in an Amazon S3 bucket. The log Hies are encrypted using IAM KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message
What should the Security Engineer do to fix this issue?

1. A. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.
2. B. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
3. C. Check that the role the EC2 instance profile uses grants permission lo decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
4. D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK

Correct Answer: C

- (Exam Topic 4)
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.
How can a security engineer meet this requirement?

1. A. Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).
2. B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).
3. C. Create an HTTPS listener that uses the Server Order Preference security feature.
4. D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Correct Answer: A