Free SCS-C02 Exam Braindumps (page: 28)


A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server.
The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance.
Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Choose two.)

  A. Allow port 22 from source 0.0.0.0/0.
  B. Allow port 443 from source 0.0.0.0/0.
  C. Allow port 22 from 192.168.100.0/24.
  D. Allow port 22 from 10.0.1.0/24.
  E. Allow port 443 from 10.0.1.0/24.

Answer(s): B,C



A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.
However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.
What should the security engineer do next to resolve the issue?

  A. Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.
  B. Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.
  C. Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.
  D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Answer(s): D



A systems engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?

  A. Disable network ACLs.
  B. Configure the security appliance's elastic network interface for promiscuous mode.
  C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
  D. Place the security appliance in the public subnet with the internet gateway.

Answer(s): C



A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2, and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:
When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal."
The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2, and User3.
Which solution meets these requirements?

Answer(s): A


