SCS-C02 Free Practice Test

A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:
• A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
• A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.
• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
• Any investigative activity during the collection of volatile data must be cap-tured as part of the process. Which combination of steps should the security engineer take to meet these re-quirements with the LEAST
operational overhead? (Select THREE.)

1. A. Gather any relevant metadata for the compromised EC2 instanc
2. B. Enable ter-mination protectio
3. C. Isolate the instance by updating the instance's secu-rity groups to restrict acces
4. D. Detach the instance from anyAuto Scaling groups that the instance is a member o
5. E. Deregister the instance from any Elastic Load Balancing (ELB) resources.
6. F. Gather any relevant metadata for the compromised EC2 instanc
7. G. Enable ter-mination protectio
8. H. Move the instance to an isolation subnet that denies all source and destination traffi
9. I. Associate the instance with the subnet to restrict acces
10. J. Detach the instance from any Auto Scaling groups that the instance is a member o
11. K. Deregister the instance from any Elastic Load Balancing (ELB) resources.
12. L. Use Systems Manager Run Command to invoke scripts that collect volatile data.
13. M. Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
14. N. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigation
15. O. Tag the instance with any relevant metadata and inci-dent ticket information.
16. P. Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instanc
17. Q. Tag the instance with any relevant metadata and incident ticket information.

Correct Answer: ACE

An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53
The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time
Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

1. A. Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure
2. B. Send an email message to the domain administrators to request vacation of the domains for ACM
3. C. Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone
4. D. Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections
5. E. Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections
6. F. Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Correct Answer: CDF

A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the Security Engineer do to meet these requirements?

1. A. Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
2. B. Create an IAM permissions boundary policy that allows Amazon EC2 acces
3. C. Associate the contractor's IAM account with the IAM permissions boundary policy.
4. D. Create an IAM group with an attached policy that allows for Amazon EC2 acces
5. E. Associate the contractor's IAM account with the IAM group.
6. F. Create an IAM role that allows for EC2 and explicitly denies all other service
7. G. Instruct the contractor to always assume this role.

Correct Answer: B

A company deployed IAM Organizations to help manage its increasing number of IAM accounts. A security engineer wants to ensure only principals in the Organization structure can access a specic Amazon S3 bucket. The solution must also minimize operational overhead
Which solution will meet these requirements?

1. A. 1 Put all users into an IAM group with an access policy granting access to the J bucket.
2. B. Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
3. C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
4. D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

Correct Answer: D

A company's cloud operations team is responsible for building effective security for IAM cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:

Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

1. A. Ask the developers to change their password and use a different web browser.
2. B. Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.
3. C. Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.
4. D. Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.
5. E. Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Correct Answer: AD