SCS-C02 Free Practice Test

- (Exam Topic 2)
A Security Engineer is trying to determine whether the encryption keys used in an IAM service are in compliance with certain regulatory standards.
Which of the following actions should the Engineer perform to get further guidance?

1. A. Read the IAM Customer Agreement.
2. B. Use IAM Artifact to access IAM compliance reports.
3. C. Post the question on the IAM Discussion Forums.
4. D. Run IAM Config and evaluate the configuration outputs.

Correct Answer: B
https://IAM.amazon.com/artifact/
Third-party auditors assess the security and compliance of IAM Key Management Service as part of multiple IAM compliance programs. These include SOC, PCI, FedRAMP, HIPPA, and others. The compliance document is found in IAM Artifact.

- (Exam Topic 4)
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?

1. A. Scan all the EC2 instances for noncompliance with IAM Confi
2. B. Use Amazon Athena to query IAM CloudTrail logs for the framework installation
3. C. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings
4. D. Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
5. E. Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework

Correct Answer: C

- (Exam Topic 4)
A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must
implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data.
Which approach should the Security Engineer use?

1. A. Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.
2. B. Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshif
3. C. (hen run a script on the pool data and analyze the data in Amazon Redshift
4. D. Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data
5. E. Generate events from the health-checking component and send them to Amazon CloudWatch Events.Include the status data as event payload
6. F. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Correct Answer: A

- (Exam Topic 2)
A security team is creating a response plan in the event an employee executes unauthorized actions on IAM infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident.
What steps should the team document in the plan? Please select:

1. A. Use IAM Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
2. B. Use Made to examine the employee's IAM permissions prior to the incident and compare them to the employee's A current IAM permissions.
3. C. Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
4. D. Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Correct Answer: A
You can use the IAMConfig history to see the history of a particular item.
The below snapshot shows an example configuration for a user in IAM Config C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B,C and D are all invalid because these services cannot be used to see the history of a particular
configuration item. This can only be accomplished by IAM Config.
For more information on tracking changes in IAM Config, please visit the below URL: https://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackineChanees.htmll
The correct answer is: Use IAM Config to examine the employee's IAM permissions prior to the incident and compare them the employee's current IAM permissions.
Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help
Mitigate this risk in the future.
What are some ways the engineer could achieve this (Select THREE)?

1. A. Use IAM X-Ray to inspect the trafc going to the EC2 instances.
2. B. Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.
3. C. Change the security group conguration to block the source of the attack trafc
4. D. Use IAM WAF security rules to inspect the inbound trafc.
5. E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
6. F. Use Amazon Route 53 to distribute trafc.

Correct Answer: BDF