SCS-C02 Free Practice Test

A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices.
Which approach should the security engineer take to meet this requirement?

1. A. Use AWS IAM Access Analyzer to analyze the policie
2. B. View the findings from policy validation checks.
3. C. Review AWS Trusted Advisor checks for all accounts in the organization.
4. D. Set up AWS Audit Manage
5. E. Run an assessment for all AWS Regions for all accounts.
6. F. Ensure that Amazon Inspector agents are installed on all Amazon EC2 in-stances in all accounts.

Correct Answer: A

A company is evaluating the use of AWS Systems Manager Session Manager to gam access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users.
When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error. "Error Unprotected private key file - Permissions for' ssh/my_private_key pern' are too open".
Which command should the security administrator use to modify the private key Me permissions to resolve this error?

1. A. chmod 0040 ssh/my_private_key pern
2. B. chmod 0400 ssh/my_private_key pern
3. C. chmod 0004 ssh/my_private_key pern
4. D. chmod 0777 ssh/my_private_key pern

Correct Answer: B
The error message indicates that the private key file permissions are too open, meaning that other users can read or write to the file. This is a security risk, as the private key should be accessible only by the owner of the file. To fix this error, the security administrator should use the chmod command to change the permissions of the private key file to 0400, which means that only the owner can read the file and no one else can read or write to it.
The chmod command takes a numeric argument that represents the permissions for the owner, group, and others in octal notation. Each digit corresponds to a set of permissions: read (4), write (2), and execute (1). The digits are added together to get the final permissions for each category. For example, 0400 means that the owner has read permission (4) and no other permissions (0), and the group and others have no permissions at all (0).
The other options are incorrect because they either do not change the permissions at all (D), or they give too much or too little permissions to the owner, group, or others (A, C).
Verified References:
https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder
https://www.baeldung.com/linux/ssh-key-permissions

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).
Which solution will meet these requirements?

1. A. Enable KMS encryption on the existing ECR repositorie
2. B. Install Amazon Inspector Agent from the ECS container instances’ user dat
3. C. Run an assessment with the CVE rules.
4. D. Recreate the ECR repositories with KMS encryption and ECR scanning enable
5. E. Analyze the scan report after the next push of images.
6. F. Recreate the ECR repositories with KMS encryption and ECR scanning enable
7. G. Install AWS Systems Manager Agent on the ECS container instance
8. H. Run an inventory report.
9. I. Enable KMS encryption on the existing ECR repositorie
10. J. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs.

Correct Answer: B

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB)
The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections
Which the SIMPLEST change that would address this server issue?

1. A. Create an Amazon CloudFront distribution and configure the ALB as the origin
2. B. Block the malicious IPs with a network access list (NACL).
3. C. Create an IAM Web Application Firewall (WAF). and attach it to the ALB
4. D. Map the application domain name to use Route 53

Correct Answer: A
this is the simplest change that can address the server issue. CloudFront is a service that provides a global network of edge locations that cache and deliver web content. Creating a CloudFront distribution and configuring the ALB as the origin can help reduce the load on the Tomcat server by serving cached content to the end users. CloudFront can also provide protection against distributed denial-of-service (DDoS) attacks by filtering malicious traffic at the edge locations. The other options are either ineffective or complex for solving the server issue.

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must
implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data.
Which approach should the Security Engineer use?

1. A. Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualizemetrics using Amazon CloudWatch dashboards.
2. B. Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshif
3. C. (hen run a script on the pool data and analyze the data in Amazon Redshift
4. D. Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data
5. E. Generate events from the health-checking component and send them to Amazon CloudWatch Events.Include the status data as event payload
6. F. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Correct Answer: A
Amazon CloudWatch monitoring is a service that collects and tracks metrics from AWS resources and applications, and provides visualization tools and alarms to monitor performance and availability1. The health status data in JSON format can be sent to CloudWatch as custom metrics2, and then displayed in CloudWatch dashboards3. The other options are either inefficient or insecure for monitoring application availability in near-real time.