Question 1

A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions. Which solution will meet these requirements with the LEAST operational overhead?

Options :

A : Create an IAM policy that has an aws RequestedRegion condition that allows actions only in the designated Region Attach the policy to all users.

B : Create an I AM policy that has an aws RequestedRegion condition that denies actions that are not in the designated Region Attach the policy to the AWS account in AWS Organizations.

C : Create an IAM policy that has an aws RequestedRegion condition that allows the desired actions Attach the policy only to the users who are in the designated Region.

D : Create an SCP that has an aws RequestedRegion condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.

Answer: D

Question 2

A company has created an organization in AWS Organizations. The company has several accounts and OUs and uses the default FullAWSAccess SCP. A security engineer needs to ensure that no one in member accounts can disable specific AWS services. The security engineer must ensure that permissions granted by IAM policies defined in member accounts are not overridden.

What will be the effect of adding the following SCP to the root of the organization?

Options :

A : All users in the root account will not be able to disable AWS SecurityHub or delete or modify the Amazon GuardDuty configuration. IAM policies defined in member accounts will be overridden.

B : All users in member accounts will not be able to disable AWS SecurityHub or delete or modify the Amazon GuardDuty configuration. IAM policies defined in member accounts will not be overridden

C : Users (but not administrators) in member accounts will not be able to disable AWS SecurityHub or delete or modify the Amazon GuardDuty configuration. IAM policies defined in member accounts will not be overridden

D : All users in member accounts will be able to disable AWS SecurityHub and delete or modify the Amazon GuardDuty configuration. IAM policies defined in member accounts will be overridden.

Answer: B

Question 3

A company has a group of Amazon EC2 instances in a private subnet that does not have a NAT gateway attached. A security engineer needs to capture logs from an application and collect the log files in Amazon CloudWatch Logs.

Which steps should the security engineer take to securely meet the requirements? (Select TWO.)

Options :

A : Install and configure the unified CloudWatch agent on the EC2 instances and attach an instance profile with permissions to write to CloudWatch Logs.

B : Attach an internet gateway to the subnet and update the subnet route table to point to the internet gateway.

C : Create an interface VPC endpoint for CloudWatch Logs. Configure the endpoint policy to allow the EC2 instances to use the endpoint.

D : Schedule a local cron job on each EC2 instance that copies the log files to an Amazon S3 bucket. Point CloudWatch Logs to the S3 bucket.

E : Create a gateway VPC endpoint for Amazon S3. Configure the bucket policy to allow access only for connections from the VPC endpoint.

Answer: A,C

Question 4

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”. The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access. Which combination of steps will meet these requirements? (Choose two.)

Options :

A :

Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

B :

Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.x

C :

Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.

D : Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.

E : Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.

Answer: B,E

Question 5

A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys. How can the security engineer meet these requirements?

Options :

A : To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena

B : To create the keys use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing use AWS CloudTrail.

C : To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.

D : To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.

Answer: D

Higher Test Marks with Free Online SCS-C02 Exam Practice

Buying Options: