Question 1

A security vulnerability has been discovered that could lead to sensitive data being leaked on TCP port 5601. The development team is working on updating the code, but it could take several days. A security engineer must identify any hosts attempting to send data over port 5601 and prevent the traffic leaving the network.

How can the security engineer accomplish this goal?

Options :

A : Capture IP traffic using VPC Flow Logs and create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic

B : Install the unified CloudWatch agent on Amazon EC2 instances and collect log files in CloudWatch Logs. Create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic.

C :

Run an Amazon Inspector custom network assessment to identify Amazon EC2 instances that have TCP port 5601 open. Then, update security groups to block the traffic.

D : Use AWS CloudTrail to log API actions in an Amazon S3 bucket. Use Amazon Athena to query the log files and identify attempts to connect. Then, update security groups to block the traffic.

Answer: A

Question 2

A multinational enterprise uses AWS Organizations to manage several AWS accounts spread across different regions. The company's IT department centrally manages the creation of IAM roles. Recently, the company decided to delegate the IAM role creation to various regional teams to speed up the process and reduce the IT department's workload. However, it is critical to prevent privilege escalation and ensure the scope of IAM roles remains within the defined limits.

Which solution will meet these requirements with the LEAST operational overhead?

Options :

A : Organize each AWS account into an Organizational Unit (OU) based on the regions. Attach Service Control Policies (SCP) to each OU, granting access only to the AWS services required by the regional teams.

B : Empower regional team leaders to create IAM roles for their teams and conduct bi-annual audits of the IAM roles they have created. Provide necessary training to these leaders about the rules and best practices of IAM role creation.

C : Establish an SCP and a permissions boundary for IAM roles. Apply the SCP to the root OU so that only roles with the attached permissions boundary can create any new IAM roles.

D : Assign an IAM group for each regional team, attach relevant policies to these groups, and then create IAM users for each regional team member. Add the respective IAM users to their relevant IAM group using Role-Based Access Control (RBAC).

Answer: C

Question 3

A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet. A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials. The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance's security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly. What should the security engineer do so that the function can rotate the secret?

Options :

A :

Add an egress-only internet gateway to the VPC. Allow only the Lambda function-s subnet to route traffic through the egress-only internet gateway.

B :

Add a NAT gateway to the VPC. Configure only the Lambda function-s subnet with a default route through the NAT gateway.

C :

Configure a VPC peering connection to the default VPC for Secrets Manager. Configure the Lambda function-s subnet to use the peering connection for routes.

D :

Configure a Secrets Manager interface VPC endpoint. Include the Lambda function-s private subnet during the configuration process.

Answer: D

Question 4

A developer is attempting to access an Amazon S3 bucket in a member account in AWS Organizations. The developer is logged in to the account with user credentials and has received an access denied error with no bucket listed. The developer should have read-only access to all buckets in the account.

A security engineer has reviewed the permissions and found that the developer's IAM user has been granted read-only access to all S3 buckets in the account.

Which additional steps should the security engineer take to troubleshoot the issue? (Select TWO.)

Options :

A : Check for the permissions boundaries set for the IAM user.

B : Check the SCPs set at the organizational units (OUs).

C : Check the ACLs for all S3 buckets.

D : Check if an appropriate IAM role is attached to the IAM user.

E : Check the bucket policies for all S3 buckets.

Answer: A,B

Question 5

A company has a batch-processing system that uses Amazon S3, Amazon EC2, and AWS Key Management Service (AWS KMS). The system uses two AWS accounts: Account A and Account B. Account A hosts an S3 bucket that stores the objects that will be processed. The S3 bucket also stores the results of the processing. All the S3 bucket objects are encrypted by a KMS key that is managed in Account A. Account B hosts a VPC that has a fleet of EC2 instances that access the S3 buck-et in Account A by using statements in the bucket policy. The VPC was created with DNS hostnames enabled and DNS resolution enabled. A security engineer needs to update the design of the system without changing any of the system's code. No AWS API calls from the batch-processing EC2 in-stances can travel over the internet. Which combination of steps will meet these requirements? (Select TWO.)

Options :

A : In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.

B : In the Account B VPC, create an interface VPC endpoint for Amazon S3. For the interface VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.

C : In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned on for the endpoint.

D : In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned off for the endpoint.

E : In the Account B VPC, verify that the S3 bucket policy allows the s3:PutObjectAcl action for cross-account use. In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, and s3:PutObject actions for the S3 bucket.

Answer: B,C

Higher Test Marks with Free Online SCS-C02 Exam Practice

Buying Options: