Amazon SCS-C02 Exam Questions

Question 6 of 307

A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy.
The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months.
Which combination of steps should a security engineer take to meet these requirements? (Choose two.)

Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.

Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.

Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.

Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.

Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.

Correct Answer: C, D

To meet the requirement of backing up DynamoDB tables twice each month with a retention period of 3 months, a security engineer should use AWS Backup to create a backup plan. AWS Backup allows the creation of backup plans with specific rules, including retention periods. Additionally, specifying the backup frequency using a cron schedule expression aligns with the need to schedule backups precisely at midnight on the 15th and 25th days of the month. This combination ensures that the backups are created as per the specified times and retained for the required duration.

Question 7 of 307

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS IAM Identity Center (AWS Single Sign-On) enabled.
Which additional steps should the security engineer take to complete the task?

Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees’ job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees’ job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.

Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Link IAM Identity Center groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.

Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify IAM Identity Center as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Correct Answer: B

To implement a scalable solution for multi-account authentication and authorization using native AWS features, the appropriate approach is to use the IAM Identity Center's default directory to create users and groups for all employees that require access to AWS accounts. You should then assign groups to AWS accounts and link them to permission sets in accordance with the employees’ job functions and access requirements. This method leverages AWS IAM Identity Center's integrated capabilities to manage access without introducing additional user-managed architectural components, ensuring a streamlined and manageable solution. Employees should be instructed to access AWS accounts using the IAM Identity Center user portal, which aligns with the setup described.

Question 8 of 307

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.
Which solution will meet these requirements?

Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.

Configure GuardDuty to send the event to Amazon EventBridge. Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.

Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.

Correct Answer: D

To meet the requirements of blocking detected communication from a suspicious instance until investigation and potential remediation can occur, the best approach is to replace the security group of the suspicious instance with one that does not allow any connections. By doing so, it effectively isolates the instance without affecting other parts of the network. This method leverages AWS Security Hub to ingest GuardDuty findings and an AWS Lambda function to make the necessary security group changes, ensuring a swift and automated response to the detected threat.

Question 9 of 307

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.
Which solution will meet these requirements MOST quickly?

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Correct Answer: B

To investigate the security incident quickly without affecting the application, the security engineer should use read-only credentials to review the GuardDuty finding and determine which API calls initiated the finding. Amazon Detective provides a direct integration with GuardDuty, allowing the engineer to review the API calls in context efficiently. This method allows for a swift and detailed analysis while maintaining the integrity of the production application.

Question 10 of 307

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?

In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.

In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.

In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Correct Answer: C

For cross-account access to an S3 bucket, the most appropriate method is to modify the bucket policy to grant the necessary permissions. A bucket policy in Account B can be configured to allow the user from Account A to access the S3 bucket and its contents. This approach is more secure and flexible compared to using bucket or object ACLs, which are considered less efficient for managing complex permissions.