SCS-C02 Free Practice Test

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )

1. A. Default AWS Certificate Manager certificate
2. B. Custom SSL certificate stored in AWS KMS
3. C. Default CloudFront certificate
4. D. Custom SSL certificate stored in AWS Certificate Manager
5. E. Default SSL certificate stored in AWS Secrets Manager
6. F. Custom SSL certificate stored in AWS IAM

Correct Answer: ABC
The key length for an RSA certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys. If you use an imported certificate with CloudFront, your key length must be 1024 or 2048 bits and cannot exceed 2048 bits. You must import the certificate in the US East (N. Virginia) Region. You must have permission to use and import the SSL/TLS certificate
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI.
What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

1. A. Change the value of aws:MultiFactorAuthPresent to true.
2. B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication--serial-number and --token-code parameter
3. C. Use these resulting values to make API/CLI calls.
4. D. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
5. E. Create a role and enforce multi-factor authentication in the role trust polic
6. F. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameter
7. G. Store the resultingvalues in environment variable
8. H. Add sts:AssumeRole to NotAction in the policy.

Correct Answer: B
The correct answer is B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
According to the AWS documentation1, the aws sts get-session-token CLI command returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. These credentials are valid for the specified duration only. The session duration for IAM users can be between 15 minutes and 36 hours, with a default of 12 hours.
You can use the --serial-number and --token-code parameters to provide the MFA device serial number and the MFA code from the device. The MFA device must be associated with the user who is making the
get-session-token call. If you do not provide these parameters when your IAM user or role has a policy that requires MFA, you will receive an Access Denied error.
The temporary security credentials that are returned by the get-session-token command can then be used to make subsequent API or CLI calls that require MFA authentication. You can use environment variables or a profile in your AWS CLI configuration file to specify the temporary credentials.
Therefore, this solution will resolve the problem of users being unable to perform EC2 commands using the AWS CLI, while still enforcing MFA.
The other options are incorrect because:
A. Changing the value of aws:MultiFactorAuthPresent to true will not work, because this is a condition key that is evaluated by AWS when a request is made. You cannot set this value manually in your policy or request. You must provide valid MFA information to AWS for this condition key to be true.
C. Implementing federated API/CLI access using SAML 2.0 may work, but it requires more operational effort than using the get-session-token command. You would need to configure a SAML identity provider and trust relationship with AWS, and use a custom SAML client to request temporary credentials from AWS STS. This solution may also introduce additional security risks if the identity provider is compromised.
D. Creating a role and enforcing MFA in the role trust policy may work, but it also requires more operational effort than using the get-session-token command. You would need to create a role for each user or group that needs to perform EC2 commands, and specify a trust policy that requires MFA. You would also need to grant the users permission to assume the role, and instruct them to use the sts assume-role command instead of the get-session-token command.
References:
1: get-session-token — AWS CLI Command Reference

A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.
Which solution meets these requirements?

1. A. Use IAM Systems Manager Parameter Store to store the database credentiai
2. B. Configure automatic rotation of the credentials.
3. C. Use IAM Secrets Manager to store the database credential
4. D. Configure automat* rotation of the credentials
5. E. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.
6. F. Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Correct Answer: A

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.
An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.
Which solution meets these requirements?

1. A. Add users to groups that represent the team
2. B. Create a policy for each team that allows the team to access its respective S3 buckets onl
3. C. Attach the policy to the corresponding group.
4. D. Create an IAM role for each tea
5. E. Create a policy for each team that allows the team to access its respective S3 buckets onl
6. F. Attach the policy to the corresponding role.
7. G. Create IAM roles that are labeled with an access tag value of a tea
8. H. Create one policy that allows dynamic access to S3 buckets with the same ta
9. I. Attach the policy to the IAM role
10. J. Tag the S3 buckets accordingly.
11. K. Implement a role-based access control (RBAC) authorization mode
12. L. Create the corresponding policies, and attach them to the IAM users.

Correct Answer: A

A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?

1. A. Enable Amazon RDS encryption to encrypt the database and snapshot
2. B. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instance
3. C. Include the database credential in the EC2 user data fiel
4. D. Use an AWS Lambda function to rotate database credential
5. E. Set up TLS for the connection to the database.
6. F. Install a database on an Amazon EC2 instanc
7. G. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volum
8. H. Store the database credentials in AWS CloudHSM with automatic rotatio
9. I. Set up TLS for the connection to the database.
10. J. Enable Amazon RDS encryption to encrypt the database and snapshot
11. K. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instance
12. L. Store the database credentials in AWS Secrets Manager with automatic rotatio
13. M. Set up TLS for the connection to the RDS hosted database.
14. N. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS key
15. O. Set up Amazon RDS encryption using AWS KSM to encrypt the databas
16. P. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotatio
17. Q. Set up TLS for the connection to the RDS hosted database.

Correct Answer: C