Free AWS Certified Security – Specialty Exam SCS-C02 Exam Practice Test

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OKWhat action should be performed to allow the ping to work?

• In the security group of the EC2 instance, allow inbound ICMP traffic.
• In the security group of the EC2 instance, allow outbound ICMP traffic.
• In the VPC's NACL, allow inbound ICMP traffic.
• In the VPC's NACL, allow outbound ICMP traffic.

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

• Configure access logging for the required API stage.
• Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.
• Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
• Use Amazon CloudWatch Logs Insights to analyze API access information.
• Select the Enable Detailed CloudWatch Metrics option on the required API stage.

There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options belowPlease select:

• Provision a Direct Connect connection to an IAM region using a Direct Connect partner.
• Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
• Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.
• Create a VPC peering connection between IAM and the Customer gateway.

A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS>-based storage The instance is making connections to known malicious addressesThe instance is in a development account within a VPC that is in the us-east-1 Region The VPC contains an internet gateway and has a subnet in us-east-1a and us-easMb Each subnet is associate with a route table that uses the internet gateway as a default route Each subnet also uses the default network ACL The suspicious EC2 instance runs within the us-east-1 b subnet. During an initial investigation a security engineer discovers that the suspicious instance is the only instance that runs in the subnetWhich response will immediately mitigate the attack and help investigate the root cause?

• Log in to the suspicious instance and use the netstat command to identify remote connections Use the IP addresses from these remote connections to create deny rules in the security group of the instance Install diagnostic tools on the instance for investigation Update the outbound network ACL for the subnet in us-east- lb to explicitly deny all connections as the first rule during the investigation of the instance
• Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule Replace the security group with a new security group that allows connections only from a diagnostics security group Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule Launch a new EC2 instance that has diagnostic tools Assign the new security group to the new EC2 instance Use the new EC2 instance to investigate the suspicious instance
• Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination Terminate the instance Launch a new EC2 instance in us-east-1a that has diagnostic tools Mount the EBS volumes from the terminated instance for investigation
• Create an AWS WAF web ACL that denies traffic to and from the suspicious instance Attach the AWS WAF web ACL to the instance to mitigate the attack Log in to the instance and install diagnostic tools to investigate the instance

A company has secured the AWS account root user for its AWS account by following AWS best practices. The company also has enabled AWS CloudTrail, which is sending its logs to Amazon S3. A security engineer wants to receive notification in near-real time if a user uses the AWS account root user credentials to sign in to the AWS Management Console.Which solutions will provide this notification? (Select TWO.)

• Use AWS Trusted Advisor and its security evaluations for the root account. Configure an Amazon EventBridge event rule that is invoked by the Trusted Advisor API. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.
• Use AWS IAM Access Analyzer. Create an Amazon CloudWatch Logs metric filter to evaluate log entries from Access Analyzer that detect a successful root account login. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.
• Configure AWS CloudTrail to send its logs to Amazon CloudWatch Logs. Configure a metric filter on the CloudWatch Logs log group used by CloudTrail to evaluate log entries for successful root account logins. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.
• Configure AWS CloudTrail to send log notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that parses the CloudTrail notification for root login activity and notifies a separate SNS topic that contains the endpoints that should receive notification. Subscribe the Lambda function to the SNS topic that is receiving log notifications from CloudTrail.
• Configure an Amazon EventBridge event rule that runs when Amazon CloudWatch API calls are recorded for a successful root login. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.

A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retainedWhat Is the MOST secure and cost-effective solution to meet these requirements?

• Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API
• Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
• Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API
• Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.How should the security engineer prevent unauthorized access to the EC2 instances?

• Delete the key pair from the EC2 console. Create a new key pair.
• Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.
• Restrict SSH access in the security group to only known corporate IP addresses.
• Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.Please select:

• Set up VPC peering between the central server VPC and each of the teams VPCs.
• Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.
• Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.
• None of the above options will work.

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.Which combination of steps should the company take to meet this requirement? (Select THREE.)

• Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3
• Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB
• Update the CloudFront distribution to redirect HTTP corrections to HTTPS
• Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS
• Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
• Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being appliedWhat would the MOST efficient way to achieve these goals?

• Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
• Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
• Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
• Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window