Curious about Actual Amazon Specialty (SCS-C02) Exam Questions?

Here are sample Amazon AWS Certified Security - Specialty (SCS-C02) Exam questions from real exam. You can get more Amazon Specialty (SCS-C02) Exam premium practice questions at TestInsights.

Page: 1 /
Total 327 questions

Want more questions? Get Premium Access.

Question 1

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.

The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.

Which solution will mefet these requirements?

AUpdate the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.

BUpdate the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.

CUpdate the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source
IP addresses.

DCreate a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

Correct : A

To address the issue of an Amazon EC2 instance receiving suspicious requests over an open TCP port, the most effective solution is to update the Network Access Control List (NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule for the specific TCP port and source IP addresses involved in the suspicious activity, the security team can effectively block unwanted traffic at the subnet level. NACLs act as a stateless firewall for controlling traffic in and out of subnets, allowing for broad-based traffic filtering. This measure ensures that only legitimate traffic can reach the EC2 instance, thereby enhancing security without affecting the application's availability to other users. It's a more granular and immediate way to block specific traffic compared to modifying security group rules, which are stateful and apply at the instance level.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AUpdate the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.

BUpdate the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.

CUpdate the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source
IP addresses.

DCreate a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

0 / 1500

Question 2

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub. which the company has configured for the organization.

The company must deploy the solution to all member accounts, including pew accounts, automatically. When new workloads come online, the solution must scan the workloads.

Which solution will meet these requirements?

AUse SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.

BConfigure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers

CConfigure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.

DConfigure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers

Correct : C

To implement host-based security for Amazon EC2 instances and containers in Amazon ECR with minimal operational overhead and ensure automatic deployment and scanning for new workloads, the recommended solution is to configure a delegated administrator for Amazon Inspector within the AWS Organizations structure. By enabling Amazon Inspector for the organization and configuring it to automatically scan new member accounts, the company can ensure that all EC2 instances and ECR containers are analyzed for software vulnerabilities and unintended network exposure. Amazon Inspector will automatically assess the workloads and push findings to AWS Security Hub, providing centralized security monitoring and compliance checking. This approach ensures that as new accounts or workloads are added, they are automatically included in the security assessments, maintaining a consistent security posture across the organization with minimal manual intervention.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AUse SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.

BConfigure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers

CConfigure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.

DConfigure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers

0 / 1500

Question 3

A company has secured the AWS account root user for its AWS account by following AWS best practices. The company also has enabled AWS CloudTrail, which is sending its logs to Amazon S3. A security engineer wants to receive notification in near-real time if a user uses the AWS account root user credentials to sign in to the AWS Management Console.

Which solutions will provide this notification? (Select TWO.)

AUse AWS Trusted Advisor and its security evaluations for the root account. Configure an Amazon EventBridge event rule that is invoked by the Trusted Advisor API. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.

BUse AWS IAM Access Analyzer. Create an Amazon CloudWatch Logs metric filter to evaluate log entries from Access Analyzer that detect a successful root account login. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.

CConfigure AWS CloudTrail to send its logs to Amazon CloudWatch Logs. Configure a metric filter on the CloudWatch Logs log group used by CloudTrail to evaluate log entries for successful root account logins. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.

DConfigure AWS CloudTrail to send log notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that parses the CloudTrail notification for root login activity and notifies a separate SNS topic that contains the endpoints that should receive notification. Subscribe the Lambda function to the SNS topic that is receiving log notifications from CloudTrail.

EConfigure an Amazon EventBridge event rule that runs when Amazon CloudWatch API calls are recorded for a successful root login. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.

Correct : C, E

To receive near-real-time notifications of AWS account root user sign-ins, the most effective solutions involve the use of AWS CloudTrail logs, Amazon CloudWatch Logs, and Amazon EventBridge.

Solution C involves configuring AWS CloudTrail to send logs to Amazon CloudWatch Logs and then setting up a CloudWatch Logs metric filter to detect successful root account logins. When such logins are detected, a CloudWatch alarm can be configured to trigger and notify an Amazon Simple Notification Service (Amazon SNS) topic, which in turn can send notifications to the required endpoints. This solution provides an efficient way to monitor and alert on root account usage without requiring custom parsing or handling of log data.

Solution E uses Amazon EventBridge to monitor for specific AWS API calls, such as SignIn events that indicate a successful root account login. By configuring an EventBridge rule to trigger on these events, notifications can be sent directly to an SNS topic, which then distributes the alerts to the necessary endpoints. This approach leverages native AWS event patterns and provides a streamlined mechanism for detecting and alerting on root account activity.

Both solutions offer automation, scalability, and the ability to integrate with other AWS services, ensuring that stakeholders are promptly alerted to critical security events involving the root user.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

0 / 1500

Question 4

A company has AWS accounts that are in an organization in AWS Organizations. A security engineer needs to set up AWS Security Hub in a dedicated account for security monitoring.

The security engineer must ensure that Security Hub automatically manages all existing accounts and all new accounts that are added to the organization. Security Hub also must receive findings from all AWS Regions.

Which combination of actions will meet these requirements with the LEAST operational overhead? (Select TWO.)

AConfigure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.

BCreate an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invoke the Lambda function.

CTurn on the option to automatically enable accounts for Security Hub.

DCreate an SCP that denies the securityhub DisableSecurityHub permission. Attach the SCP to the organization's root account.

EConfigure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

Correct : A, C

To set up AWS Security Hub for centralized security monitoring across all accounts in an AWS Organization with the least operational overhead, the best actions to take are:

Solution A: Configure a finding aggregation Region for Security Hub. This allows Security Hub to aggregate findings from multiple regions into a single designated region, simplifying monitoring and analysis. By centralizing findings, the security team can have a unified view of security alerts and compliance statuses across all accounts and regions, enhancing the efficiency of security operations.

Solution C: Turn on the option to automatically enable accounts for Security Hub within the AWS Organization. This ensures that as new accounts are created and added to the organization, they are automatically enrolled in Security Hub, and their findings are included in the centralized monitoring. This automation reduces the manual effort required to manage account enrollment and ensures comprehensive coverage of security monitoring across the organization.

These actions collectively ensure that Security Hub is effectively configured to manage security findings across all accounts and regions, providing a comprehensive and automated approach to security monitoring with minimal manual intervention.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AConfigure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.

BCreate an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invoke the Lambda function.

CTurn on the option to automatically enable accounts for Security Hub.

DCreate an SCP that denies the securityhub DisableSecurityHub permission. Attach the SCP to the organization's root account.

EConfigure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

0 / 1500

Question 5

A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this error?

ACall the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

BCopy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

CUpdate the policy to keep the vault lock in place

DUpdate the policy. Call the initiate-vault-lock operation again to apply the new policy.

Correct : A

The most cost-effective way to correct a typo in a vault lock policy during the 24-hour initiation period is to call the abort-vault-lock operation. This action stops the vault lock process, allowing the security engineer to correct the policy and re-initiate the vault lock with the corrected policy. This approach avoids the need for data transfer or creating a new vault, thus minimizing costs and operational overhead.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ACall the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

BCopy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

CUpdate the policy to keep the vault lock in place

DUpdate the policy. Call the initiate-vault-lock operation again to apply the new policy.

0 / 1500

Page: 1 / 66
Total 327 questions

Unlock Full
SCS-C02 Exam Features

In Just $49 You can Access

All Official Question Types
Interactive Web-Based Practice Test Software
No Installation or 3rd Party Software Required
Customize your practice sessions (Free Demo)
24/7 Customer Support

Get Full Access Now

Marked Questions
SCS-C02 Exam

SCS-C02 Exam Question 1
SCS-C02 Exam Question 2
SCS-C02 Exam Question 3
SCS-C02 Exam Question 4
SCS-C02 Exam Question 5

Download PDF File Demo

Try Web-Based Exam Practice Software Demo

Commenting

In order to participate in the comments you need to be logged-in.
You can sign-up or login