Amazon SCS-C02 Certification Dumps and Exam Questions – Fast Exam Prep

Question 1: A security engineer configures VPC Flow Logs and the associated IAM role to log all VPC traffic to a log group in Amazon CloudWatch Logs. After a wait of 10 minutes, no logs are appearing in the log group. The security engineer confirms that traffic is being sent to the VPC. After additional debugging, the security engineer isolates the problem to the role that is associated with the VPC flow logs. What could be the reason that the logs are not appearing in CloudWatch Logs?

A) The role does not have permission to tag a CloudWatch Logs stream. B) The security engineer does not have permission to assume the role. C) The logs:GetLogEvents permission is not granted in the role. D) The principal vpc-flow-logs.amazonaws.com does not have permission to assume the role.

Correct Answer: C

Question 2: [Identity and Access Management] A company’s engineering team is developing a new application that creates AWS KMS customer managed key (CMK) grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, the team observes intermittent AccessDeniedException errors when users first attempt to perform the encryption operation. Which solution should the company’s security specialist recommend?

A) Instruct users to implement a retry mechanism every 2 minutes until the call succeeds. B) Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt. C) Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name asthe grant token in the call to encrypt. D) Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Correct Answer: D

To avoid AccessDeniedExceptions when users first attempt to encrypt using the CMK, the security specialist should recommend the following solution:

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. This allows the engineering team to use the grant token as a form of temporary authorization for the grant.

Instruct users to use that grant token in their call to encrypt. This allows the users to use the grant token as a proof that they have permission to use the CMK, and to avoid any eventual consistency issues with the grant creation.

Question 3: [Identity and Access Management] A company’s security policy requires that all API keys be encrypted and stored separately from source code in a centralized security account managed by the security team. However, an audit reveals that an API key is stored directly in the source code of an AWS Lambda function within an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key to comply with the company’s policy?

A) Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository B) Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API C) Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API D) Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Correct Answer: C

To securely store the API key, the security team should do the following:

Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. This allows the security team to encrypt and manage the API key centrally, and to configure automatic rotation schedules for it.

Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API. This allows the security team to avoid storing the API key with the source code, and to use IAM policies to control access to the secret.

Question 4: Here is a clearer and more structured rewrite of your question: [Logging and Monitoring] A company hosts a web application on an Apache web server running on Amazon EC2 instances in an Auto Scaling group. The EC2 instances are configured to send Apache access logs to an Amazon CloudWatch Logs log group with a retention period of 1 year. The company recently identified a suspicious IP address in the Apache logs. A security engineer needs to analyze the past week of logs to determine: The total number of requests made by the suspicious IP address The specific URLs that the IP address accessed What is the most efficient way for the security engineer to perform this analysis with the least operational effort?

A) Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs. B) Configure a CloudWatch Logs subscription to stream the log group to an Am-azon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs. C) Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs. D) Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP ad-dress. Use AWS Glue to view the results.

Correct Answer: C

SAP (76)

Salesforce (78)

Oracle (85)

Microsoft (50)

ISC2 (1)

HP (21)

CompTIA (5)

Cisco (67)

Amazon (3)

Amazon SCS-C02 Exam Dumps

Relevant Exams