Amazon SCS-C02 Practice Test : Free Online Preparation

Question 1
- A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.
  A : Configure Amazon CloudWatch Logs Insights
  
  B : Create an Amazon CloudWatch dashboard
  
  C : Configure AWS Security Hub integrations
  
  D : Query the findings by using Amazon Athena
  
  Answer: C
Question 2
- A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.
  A : Configure Amazon CloudWatch Logs Insights
  
  B : Create an Amazon CloudWatch dashboard
  
  C : Configure AWS Security Hub integrations
  
  D : Query the findings by using Amazon Athena
  
  Answer: C
Question 3
- A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories. A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs). Which solution will meet these requirements?
 
 A : Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from theÃÂ ECS container instancesÃ¢ user data. Run an assessment with the CVE rules. 
 
 B : Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images. 
 
 C : Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report. 
 
 D : Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs. 
 
 Answer: B
Question 4
- A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet. The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905. Which solution will identify the affected EC2 instances with the LEAST operational effort?
  A : Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.
  
  B : Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.
  
  C : Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.
  
  D : Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.
  
  Answer: B
Question 5
- A financial firm receives a warning from the AWS Trust and Safety team about a potential security threat. An IAM access key linked to an IT administrator seems to have been compromised. This key is employed in an automated process that uses AWS Lambda functions to launch AWS Elastic Beanstalk environments.
  The firm's security engineer is tasked with addressing this security issue, preventing further use of the exposed access key, and bolstering security practices.
  Which of the following steps would be the most appropriate in this scenario?
  
  A : Track down the exposed IAM access key and deactivate or remove it. Establish new access keys for the Lambda automation process and integrate them into the system. In the AWS account associated with the exposed key, create a new support case in AWS Support detailing the remediation measures.
  
  B :
  Find the exposed IAM access key and remove the associated IAM user. Generate a new access key, store it in AWS Systems Manager Parameter Store, and encrypt it using an AWS KMS customer-managed key. Modify the AWS Lambda functions to fetch the access key from Parameter Store during execution. Log a new support case with AWS Support providing the details of the remediation steps.
  
  C : Deactivate or delete the compromised IAM access key. Generate a new access key and save it as an environment variable within the configuration settings of the automation system's Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions taken.
  
  D : Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.
  
  Answer: D

Free Amazon SCS-C02 Exam Questions

Try our Free Demo Practice Tests for Comprehensive SCS-C02 Exam Preparation