SCS-C02 Free Practice Test

- (Exam Topic 1)
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies The Security Engineer needs to implement the following host-based security measures for these instances:
• Block traffic from documented known bad IP addresses
• Detect known software vulnerabilities and CIS Benchmarks compliance. Which solution addresses these requirements?

1. A. Launch the EC2 instances with an IAM role attache
2. B. Include a user data script that uses the IAM CLIto retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance
3. C. Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
4. D. Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inboun
5. E. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
6. F. Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Correct Answer: D

- (Exam Topic 1)
A company is using IAM Organizations to manage multiple IAM accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an IAM KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.
What should a Security Engineer do to troubleshoot this error? (Select THREE )

1. A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
2. B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
3. C. Ensure the CMK was created before the S3 bucket.
4. D. Ensure the S3 block public access feature is enabled for the S3 bucket.
5. E. Ensure that automatic key rotation is disabled for the CMK
6. F. Ensure the SCPs within Organizations allow access to the S3 bucket.

Correct Answer: ABF

- (Exam Topic 1)
A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future
What are some ways the Engineer could achieve this? (Select THREE )

1. A. Use IAM X-Ray to inspect the traffic going 10 the EC2 instances
2. B. Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution
3. C. Change the security group configuration to block the source of the attack traffic
4. D. Use IAM WAF security rules to inspect the inbound traffic
5. E. Use Amazon inspector assessment templates to inspect the inbound traffic
6. F. Use Amazon Route 53 to distribute traffic

Correct Answer: BDF

- (Exam Topic 2)
A company’s security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

1. A. Create an IAM Lambda function that determines whether Flow Logs are enabled for a given VPC.
2. B. Create an IAM Config configuration item for each VPC in the company IAM account.
3. C. Create an IAM Config managed rule with a resource type of IAM:: Lambda:: Function.
4. D. Create an Amazon CloudWatch Event rule that triggers on events emitted by IAM Config.
5. E. Create an IAM Config custom rule, and associate it with an IAM Lambda function that contains the evaluating logic.

Correct Answer: AE
https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-I