SCS-C02 Free Practice Test

A company has a guideline that mandates the encryption of all Amazon S3 bucket data in transit. A security engineer must implement an S3 bucket policy that denies any S3 operations if data is not encrypted.
Which S3 bucket policy will meet this requirement?

1. A.
2. B.
3. C.
4. D. A screenshot of a computer code Description automatically generated

Correct Answer: B
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-y

A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the companys visibility of potential anomalous behavior.
Which solution will meet these requirements?

1. A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
2. B. Add the FTP server to a trusted IP lis
3. C. Deploy the list to GuardDuty to stop receiving the notifications.
4. D. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
5. E. Create an AWS Lambda function that has the appropriate permissions to de-lete the finding whenever a new occurrence is reported.

Correct Answer: C
"When you create an Amazon GuardDuty filter, you choose specific filter criteria, name the filter and can enable the auto-archiving of findings that the filter matches. This allows you to further tune GuardDuty to your unique environment, without degrading the ability to identify threats. With auto-archive set, all findings are still generated by GuardDuty, so you have a complete and immutable history of all suspicious activity."

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

1. A. Create an IAM Config rule to detect the creation of unencrypted RDS database
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
3. C. Use IAM System Manager State Manager to detect RDS database encryption configuration drif
4. D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
5. E. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the proces
6. F. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
7. G. Take a snapshot of the unencrypted RDS databas
8. H. Copy the snapshot and enable snapshot encryption in the proces
9. I. Restore the database instance from the newly created encrypted snapsho
10. J. Terminate the unencrypted database instance.
11. K. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Correct Answer: AD

A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop to file delivery to AWS CloudTrail.
Which solution will meet this requirement?

1. A. Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
2. B. Create an SCP that includes a Deny rule tor the cloudtrai
3. C. StopLogging action Apply the SCP to all accounts in the OUs.
4. D. Create an SCP that includes an Allow rule for the cloudtrai
5. E. StopLogging action Apply the SCP to all accounts in the OUs.
6. F. Use AWS Systems Manager to ensure that CloudTrail is always turned on.

Correct Answer: B
This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console. https://asecure.cloud/a/scp_cloudtrail/

A company is using AWS Organizations to manage multiple AWS accounts for its hu-man resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account.
The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software de-velopment AWS account.
Which solution will meet these requirements?

1. A. In the software development account, create AMIS of preconfigured instanc-es that include only approved softwar
2. B. Include the AMI IDs in the condi-tion section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Regio
3. C. Provide the developers with theCloudFor-mation template to launch EC2 instances in the software development ac-count.
4. D. Create an Amazon EventBridge rule that runs when any EC2 Runlnstances API event occurs in the software development accoun
5. E. Specify AWS Systems Man-ager Run Command as a target of the rul
6. F. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.
7. G. Use an AWS Service Catalog portfolio that contains EC2 products with ap-propriate AMIS that include only approved softwar
8. H. Grant the developers permission to portfolio access only the Service Catalog to launch a prod-uct in the software development account.
9. I. In the management account, create AMIS of preconfigured instances that in-clude only approved softwar
10. J. Use AWS CloudFormation StackSets to launch the AMIS across any AWS account in the organizatio
11. K. Grant the developers permission to launch the stack sets within the management account.

Correct Answer: C