SCS-C02 Free Practice Test

- (Exam Topic 3)
You are planning on hosting a web application on IAM. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.
Please select:

1. A. Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication
2. B. Place the EC2 Instance with the Oracle database in a separate private subnet
3. C. Create a database security group and ensure the web security group to allowed incoming access
4. D. Ensure the database security group allows incoming traffic from 0.0.0.0/0

Correct Answer: BC
The best secure option is to place the database in a private subnet. The below diagram from the IAM Documentation shows this setup. Also ensure that access is not allowed from all sources but just from the web servers.
Option A is invalid because databases should not be placed in the public subnet
Option D is invalid because the database security group should not allow traffic from the internet For more information on this type of setup, please refer to the below URL:
https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC Scenario2.
The correct answers are: Place the EC2 Instance with the Oracle database in a separate private subnet Create a database security group and ensure the web security group to allowed incoming access
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an IAM KMS customer managed key (CMK).
Which CMK-related issues could be responsible? (Choose two.)

1. A. The CMK specified in the application does not exist.
2. B. The CMK specified in the application is currently in use.
3. C. The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.
4. D. The CMK specified in the application is not enabled.
5. E. The CMK specified in the application is using an alias.

Correct Answer: AD
https://docs.amazonIAM.cn/en_us/kms/latest/developerguide/services-parameter-store.html

- (Exam Topic 2)
A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.
What should the Security Engineer use to isolate and research this event? (Choose three.)

1. A. IAM CloudTrail
2. B. Amazon Athena
3. C. IAM Key Management Service (IAM KMS)
4. D. VPC Flow Logs
5. E. IAM Firewall Manager
6. F. Security groups

Correct Answer: ADF
https://github.com/IAMlabs/aws-well-architected-labs/blob/master/Security/300_Incident_Response_with_IAM

- (Exam Topic 2)
Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Choose two.)

1. A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
2. B. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.
3. C. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
4. D. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
5. E. Use IAM CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

Correct Answer: AB
https://acloud.guru/forums/IAM-certified-security-specialty/discussion/-Lm5A3w6_NybQPhh6tRP/Cloudwatch

- (Exam Topic 2)
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an IAM KMS
CMK. The company requires that keys be rotated automatically every year. How should the bucket be configured?

1. A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an IAM-managed CMK.
2. B. Select Amazon S3-IAM KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
3. C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
4. D. Select server-side encryption with IAM KMS-managed keys (SSE-KMS) and select an alias to an IAM-managed CMK.

Correct Answer: B