Amazon SCS-C02 AWS Certified Security - Specialty Exam Exam Practice Test Questions

• Question 1

  An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs create^ by the Lambda function in Amazon CloudWatch Logs.Which of the following explains why the logs are not available?

  • The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
  • The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
  • The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
  • The version of the Lambda function that was invoked was not current.

  Show Answer Answer: A Next

• Question 2

  A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.Which additional configuration steps should the security engineer take to complete the task?

  • For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.
  • For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding IAM roles.
  • Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.
  • Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

  Show Answer Answer: A Next

• Question 3

  A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to helpMitigate this risk in the future.What are some ways the engineer could achieve this (Select THREE)?

  • Use IAM X-Ray to inspect the trafc going to the EC2 instances.
  • Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.
  • Change the security group conguration to block the source of the attack trafc
  • Use IAM WAF security rules to inspect the inbound trafc.
  • Use Amazon Inspector assessment templates to inspect the inbound traffic.
  • Use Amazon Route 53 to distribute trafc.

  Show Answer Answer: B, D, F Next

• Question 4

  You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?Please select:

  • Add an IAM managed policy for the user
  • Add a service policy for the user
  • Add an IAM role for the user
  • Add an inline policy for the user

  Show Answer Answer: D Next

• Question 5

  A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.Which solution will meet these requirements with the LEAST operational overhead?

  • Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
  • Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
  • Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.
  • Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

  Show Answer Answer: D Next