Amazon SCS-C02 Quiz 1 Topic 1 Questions 1-5

Question: 1

A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted

The company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead

Which steps should the security engineer take to meet these requirements?

ACreate an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

BUse a customer managed IAM policy that will verify that the encryption ag of the Createvolume context is set to true. Apply this rule to all users.

CCreate an IAM Config rule to evaluate the conguration of each EC2 instance on creation or modication. Have the IAM Cong rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

DUse the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Show Answer

Question: 2

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

AThe target instance's security group does not allow traffic from the NLB.

BThe target instance's security group is not attached to the NLB.

CThe NLB's security group is not attached to the target instance.

DThe target instance's subnet network ACL does not allow traffic from the NLB.

EThe target instance's security group is not using IP addresses to allow traffic from the NLB.

FThe target network ACL is not attached to the NLB.

Show Answer

Question: 3

An international company wants to combine AWS Security Hub findings across all the company's AWS Regions and from multiple accounts. In addition, the company

wants to create a centralized custom dashboard to correlate these findings with operational data for deeper analysis and insights. The company needs an analytics tool to search and visualize Security Hub findings.

Which combination of steps will meet these requirements? (Select THREE.)

ADesignate an AWS account as a delegated administrator for Security Hub. Publish events to Amazon CloudWatch from the delegated administrator account,
all member accounts, and required Regions that are enabled for Security Hub findings.

BDesignate an AWS account in an organization in AWS Organizations as a delegated administrator for Security Hub. Publish events to Amazon EventBridge
from the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.

CIn each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis data stream. Configure the Kinesis data streams to output the logs to a single Amazon S3 bucket.

DIn each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis Data Firehose delivery stream. Configure the Kinesis Data Firehose delivery streams to deliver the logs to a single Amazon S3 bucket.

EUse AWS Glue DataBrew to crawl the Amazon S3 bucket and build the schema. Use AWS Glue Data Catalog to query the data and create views to flatten nested attributes. Build Amazon QuickSight dashboards by using Amazon Athena.

FPartition the Amazon S3 data. Use AWS Glue to crawl the S3 bucket and build the schema. Use Amazon Athena to query the data and create views to flatten nested attributes. Build Amazon QuickSight dashboards that use the Athena views.

Show Answer

Question: 4

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account

Which configuration caused this issue?

A) An SCP is attached to the account with the following permission statement:

q4_SCS-C02

B)

A permission boundary policy is attached to the System Administrator role with the following permission statement:

q4_SCS-C02

C)

A permission boundary is attached to the System Administrator role with the following permission statement:

q4_SCS-C02

D)

An SCP is attached to the account with the following statement:

q4_SCS-C02

AOption A

BOption B

COption C

DOption D

Show Answer

Question: 5

Your company uses IAM to host its resources. They have the following requirements

1) Record all API calls and Transitions

2) Help in understanding what resources are there in the account

3) Facility to allow auditing credentials and logins Which services would suffice the above requirements

Amazon SCS-C02 Quiz:1 Topic:1 Questions:1-5