SCS-C02 Practice Online

Question 1

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

A : Configure access logging for the required API stage.

B : Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.

C : Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

D : Use Amazon CloudWatch Logs Insights to analyze API access information.

E : Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Answer: C,D

Question 2

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts. The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding was not created in the Security Hub delegated administrator account?

A : VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B :

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C :

The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D : Cross-Region aggregation in Security Hub was not configured.

Answer: C

Question 3

An online gaming company has a network of Amazon EC2 instances that are frequently targeted by rogue bots. The security team needs to implement an automated system to block traffic from identified malicious sources. The system needs to respond in near real-time and the security team decided to use AWS Step Functions to orchestrate this solution.

Which solution should the security engineer implement to meet these requirements?

A : Use AWS CloudTrail to monitor for malicious traffic. Store the identified IP addresses in a DynamoDB table. Utilize Lambda to update the DynamoDB table and modify a WAF web ACL rule to block the traffic

B : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify a Security Group rule to block the traffic from these IP addresses.

C : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

D : Use AWS WAF to detect malicious traffic. Use DynamoDB to store the identified IP addresses. Utilize Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

Answer: C

Question 4

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User=1, User2. and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1. User2, and User3. Which solution meets these requirements?

A : "Principal" : {"AWS" : ["arn : aws : iam: : 1234567890 : user/User1 ","arn : aws : iam: : 1234567890 : user/User2 ","arn : aws : iam: : 1234567890 : user/User3 ",]}

B : "Principal" : {"AWS" : ["arn : aws : iam: : 1234567890 : root "]}

C : "Principal" : {"AWS" : ["*"]}

D : "Principal" : {"AWS" : "arn : aws : iam: : 1234567890 : group/AuthorizedPeople "}

Answer: A

Question 5

A company has a group of Amazon EC2 instances in a private subnet that does not have a NAT gateway attached. A security engineer needs to capture logs from an application and collect the log files in Amazon CloudWatch Logs.

Which steps should the security engineer take to securely meet the requirements? (Select TWO.)

A : Install and configure the unified CloudWatch agent on the EC2 instances and attach an instance profile with permissions to write to CloudWatch Logs.

B : Attach an internet gateway to the subnet and update the subnet route table to point to the internet gateway.

C : Create an interface VPC endpoint for CloudWatch Logs. Configure the endpoint policy to allow the EC2 instances to use the endpoint.

D : Schedule a local cron job on each EC2 instance that copies the log files to an Amazon S3 bucket. Point CloudWatch Logs to the S3 bucket.

E : Create a gateway VPC endpoint for Amazon S3. Configure the bucket policy to allow access only for connections from the VPC endpoint.

Answer: A,C

Name:	AWS Certified Security Specialty
Exam Code:	SCS-C02
Certification:	AWS Certified Specialty
Vendor:	Amazon
Total Questions:	481
Last Updated:	Apr 24, 2024

Download Demo SCS-C02 Dumps

Create Account

Password Recovery

SCS-C02 Practice Online

Download Demo SCS-C02 Dumps

Member Login

Create Account

Password Recovery

SCS-C02 Practice Online