Question 1

Temporary security credentials that were issued by the AWS Security Token Service (STS) may have been compromised. A security engineer needs to immediately revoke the credentials so they cannot be used with any AWS service.

Which action should the security engineer take?

Options :

A : Use the AWS management console to delete the IAM user.

B : Use the AWS management console to delete the IAM role.

C : Use the AWS management console to revoke active sessions for the IAM user.

D : Use the AWS management console to revoke active sessions for the IAM role.

Answer: D

Question 2

An e-commerce company receives an AWS Abuse notification stating that an IAM user's access key, used by an inventory management system, may have been compromised. The security manager needs to address the potential security breach while ensuring minimal service interruption to the inventory system.

What would be the optimal strategy to address this situation?

Options :

A : Generate a new access key for the IAM user. Update the inventory management system to utilize the new access key. Subsequently, deactivate the compromised access key.

B : Immediately delete the IAM user-s access key. Then, produce a new access key and implement it within the inventory management system.

C : Implement an IAM policy that terminates all sessions before the moment specified in the AWS Abuse notification.

D : Modify the inventory management system to utilize an IAM role with identical permissions as the IAM user.

Answer: A

Question 3

A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its AWS accounts. The solution must aggregate and normalize events from the following sources: • The entire organization in Organizations • All AWS Marketplace offerings that run in the company’s AWS accounts • The company's on-premises systems Which solution will meet these requirements?

Options :

A :

Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward the messages to Amazon OpenSearch Service for analysis.

B :

Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.

C :

Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service to query the centralized S3 bucket for log entries.

Answer: C

Question 4

Skipped

In response to an incident a security engineer locked down an Amazon S3 bucket with a policy that denies access to all users. Subsequently, the engineer attempted to grant access to a forensic analyst. After updating the bucket policy the forensic analyst still cannot access the bucket and is receiving access denied messages.

What is the most likely explanation for the denial?

Options :

A : S3 is eventually consistent, and the changes are not yet updated.

B : An IAM user policy may be denying access to the bucket.

C : An explicit deny will always override an explicit allow.

D : The Amazon S3 Block Public Access feature is enabled.

Answer: C

Question 5

A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so Which solution will meet these requirements?

Options :

A : Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

B : Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

C : Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

D : Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Answer: A

Higher Test Marks with Free Online SCS-C02 Exam Practice

Buying Options: