SCS-C02 Exam: Absolutely Free Online Practice

Question 1
- A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization. A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations. A security engineer must implement a solution that detects EC2 instances ttjat do not have the required software. The solution also must automatically install the software if the software is not present. Which solution will meet these requirements?
  
  A :
  Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
  
  B :
  Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
  
  C :
  Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
  
  D :
  Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
  
  Answer: C
Question 2
- A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so Which solution will meet these requirements?
 
 A : Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change 
 
 B : Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change 
 
 C : Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key 
 
 D : Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key 
 
 Answer: A
Question 3
- A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?
 
 A : The ACL in the bucket needs to be updated 
 
 B : The IAM policy does not allow the user to access the bucket 
 
 C : It takes a few minutes for a bucket policy to take effect 
 
 D : The allow permission is being overridden by the deny 
 
 Answer: D
Question 4
- A security engineer is building an application that is running on Amazon EC2. The application communicates with an Amazon RDS MySQL instance and authenticates with a user name and password. The credentials should be encrypted and rotated every 60 days.
  Which steps should the engineer take to protect the credentials and ensure they can be automatically rotated?
  
  A : ore the credentials in AWS Secrets Manager and choose an AWS KMS key. Enable automatic rotation every 60 days and configure the application to retrieve the secret programmatically.
  
  B : ore the credentials on an encrypted Amazon EFS volume. Configure the application instances to mount the volume. Use an AWS Lambda function to update the credentials on the EFS volume every 60 days.
  
  C : ore the credentials as an encrypted string parameter in AWS Systems Manager Parameter Store. Enable automatic rotation every 60 days and grant permission to the EC2 instance role to retrieve the parameter programmatically.
  
  D : ore the credentials in an Amazon S3 bucket configured with SSE-KMS encryption. Grant permission to the EC2 instance role to retrieve the credentials from S3 programmatically. Update the credential files every 60 days.
  
  Answer: A
Question 5
- A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions. THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )
 
 A : Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution 
 
 B : Create an origin access identity (OAI) for the S3 origin 
 
 C : Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests 
 
 D : Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket 
 
 E : Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value. 
 
 Answer: A,D

Free Amazon SCS-C02 Exam Questions

Absolute Free SCS-C02 Exam Practice for Comprehensive Preparation