Free SCS-C02 Exam Braindumps (page: 35)


A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.
The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.
Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Choose two.)

  A. Configure a cron job on the instances to forward the log files to Amazon S3 periodically.
  B. Configure AWS Glue and Amazon Athena to query the log files.
  C. Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.
  D. Configure Amazon CloudWatch Logs Insights to query the log files.
  E. Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

Answer(s): C,D



A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.
What is the FASTEST way for the security engineer to identify the federated user?

  A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
  B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
  C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
  D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.

Answer(s): B
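Added example (not part of the exam material or any AWS code): the two-step correlation behind answer B, written as a script over CloudTrail records. The records, the account ID 111122223333, the FederatedAdmin role, the IdP and the user names are all constructed; the field layout follows CloudTrail's userIdentity, requestParameters and responseElements shape for AssumeRoleWithSAML and TerminateInstances. The point it shows is why option A is not enough on its own: the session name in the caller's assumed-role ARN is whatever the IdP put in the SAML assertion, so it is a hint, while the AssumeRoleWithSAML record whose assumedRoleUser.arn equals that session ARN (issued before the termination and still within its durationSeconds) is what ties the session to a SAML userName.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records (account 111122223333, the role, the IdP and the
# user names are all made up).  The field layout follows CloudTrail's userIdentity,
# requestParameters and responseElements shape for these two event types.
SAMPLE_EVENTS = json.loads(r"""
[
 {"eventTime": "2024-05-06T09:58:12Z", "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRoleWithSAML",
  "userIdentity": {"type": "SAMLUser", "principalId": "idp.example.com:john.smith",
                   "userName": "john.smith", "identityProvider": "idp.example.com"},
  "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/FederatedAdmin",
                        "principalArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP",
                        "durationSeconds": 3600},
  "responseElements": {"subject": "john.smith", "subjectType": "persistent",
    "assumedRoleUser": {"assumedRoleId": "AROAEXAMPLEID:john.smith",
      "arn": "arn:aws:sts::111122223333:assumed-role/FederatedAdmin/john.smith"}}},
 {"eventTime": "2024-05-06T10:01:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRoleWithSAML",
  "userIdentity": {"type": "SAMLUser", "principalId": "idp.example.com:jane.doe",
                   "userName": "jane.doe", "identityProvider": "idp.example.com"},
  "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/FederatedAdmin",
                        "principalArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP",
                        "durationSeconds": 3600},
  "responseElements": {"subject": "jane.doe", "subjectType": "persistent",
    "assumedRoleUser": {"assumedRoleId": "AROAEXAMPLEID:jane.doe",
      "arn": "arn:aws:sts::111122223333:assumed-role/FederatedAdmin/jane.doe"}}},
 {"eventTime": "2024-05-06T10:17:45Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances",
  "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:jane.doe",
    "arn": "arn:aws:sts::111122223333:assumed-role/FederatedAdmin/jane.doe",
    "sessionContext": {"sessionIssuer": {"type": "Role",
      "arn": "arn:aws:iam::111122223333:role/FederatedAdmin"}}},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
 {"eventTime": "2024-05-06T13:30:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRoleWithSAML",
  "userIdentity": {"type": "SAMLUser", "principalId": "idp.example.com:jane.doe",
                   "userName": "jane.doe", "identityProvider": "idp.example.com"},
  "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/FederatedAdmin",
                        "principalArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP",
                        "durationSeconds": 3600},
  "responseElements": {"subject": "jane.doe", "subjectType": "persistent",
    "assumedRoleUser": {"assumedRoleId": "AROAEXAMPLEID:jane.doe",
      "arn": "arn:aws:sts::111122223333:assumed-role/FederatedAdmin/jane.doe"}}}
]
""")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_termination(events, instance_id):
    """First TerminateInstances record whose instancesSet names instance_id."""
    for e in events:
        if e["eventSource"] == "ec2.amazonaws.com" and e["eventName"] == "TerminateInstances":
            items = e.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
            if any(i.get("instanceId") == instance_id for i in items):
                return e
    return None


def attribute_federated_user(events, instance_id):
    """Step 1: read the assumed-role session ARN from the TerminateInstances caller.
    Step 2: find the AssumeRoleWithSAML record that created exactly that session
    (same assumedRoleUser.arn, issued before the call, still inside durationSeconds)
    and return its SAML userName.  Returns None if no termination record exists."""
    term = find_termination(events, instance_id)
    if term is None:
        return None
    ident = term["userIdentity"]
    result = {"instance_id": instance_id, "terminated_at": term["eventTime"],
              "caller_arn": ident.get("arn"), "federated_user": None, "identity_provider": None}
    if ident.get("type") != "AssumedRole":
        return result            # IAM user or root: there is no federation step to resolve
    t_term = _ts(term["eventTime"])
    live = []
    for e in events:
        if e["eventSource"] != "sts.amazonaws.com" or e["eventName"] != "AssumeRoleWithSAML":
            continue
        if e.get("responseElements", {}).get("assumedRoleUser", {}).get("arn") != ident["arn"]:
            continue
        age = (t_term - _ts(e["eventTime"])).total_seconds()
        if 0 <= age <= e.get("requestParameters", {}).get("durationSeconds", 3600):
            live.append(e)       # excludes sessions opened after the termination
    if live:
        assume = max(live, key=lambda e: _ts(e["eventTime"]))   # most recent live session
        result["federated_user"] = assume["userIdentity"]["userName"]
        result["identity_provider"] = assume["userIdentity"].get("identityProvider")
        result["assumed_at"] = assume["eventTime"]
    return result


if __name__ == "__main__":
    print(json.dumps(attribute_federated_user(SAMPLE_EVENTS, "i-0123456789abcdef0"), indent=2))
```

The same two lookups are what the CloudTrail event history console does interactively, and event history keeps 90 days, so a week-old termination is found without setting up Athena. AssumeRoleWithWebIdentity (option D) is the OIDC path; a SAML identity provider produces AssumeRoleWithSAML records.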



Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.
Which of the following troubleshooting steps should be performed?

  A. Check inbound and outbound security groups, looking for DENY rules
  B. Check inbound and outbound Network ACL rules, looking for DENY rules
  C. Review the rejected packet reason codes in the VPC Flow Logs
  D. Use AWS X-Ray to trace the end-to-end application flow

Answer(s): B
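Added example (not part of the exam material): a small evaluator that applies network ACL semantics to a TCP connection between two subnets, so the reasoning behind answer B can be checked against a rule set. The NACL rule numbers, CIDRs and addresses are constructed. Two things distinguish NACLs from security groups and both are modelled here: rules are evaluated in ascending number order and the first match wins, so a low-numbered DENY beats a later ALLOW; and NACLs are stateless, so the reply traffic to the client's ephemeral port must be allowed explicitly in the other direction.

```python
import ipaddress
from dataclasses import dataclass

# Constructed NACLs for two subnets: 10.0.1.0/24 (subnet A) and 10.0.2.0/24 (subnet B).


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order; AWS shows the implicit catch-all as rule "*"
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols (ports ignored)
    first_port: int
    last_port: int
    cidr: str
    action: str        # "allow" or "deny"


EPHEMERAL = (1024, 65535)   # ports a client may use, so replies must be allowed on all of them


def evaluate(rules, protocol, port, remote_ip):
    """NACL decision for one packet: ascending rule number, first match wins,
    no match means the '*' deny.  Returns (action, rule_number)."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.first_port <= port <= r.last_port):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action, r.number
    return "deny", "*"


def evaluate_range(rules, protocol, port_range, remote_ip):
    """Decision over a whole port range.  The verdict can only change at a rule's port
    boundary, so probing the range ends plus every boundary and its neighbours covers
    every port.  Returns ("allow", None, None) or ("deny", port, rule_number)."""
    lo, hi = port_range
    probes = {lo, hi}
    for r in rules:
        for p in (r.first_port - 1, r.first_port, r.last_port, r.last_port + 1):
            if lo <= p <= hi:
                probes.add(p)
    for p in sorted(probes):
        action, num = evaluate(rules, protocol, p, remote_ip)
        if action != "allow":
            return "deny", p, num
    return "allow", None, None


def diagnose_tcp(src_ip, src_acl, dst_ip, dst_acl, dst_port):
    """A TCP connection crosses a stateless NACL four times; every hop needs its own ALLOW."""
    findings = []

    def add(check, action, rule, port):
        findings.append({"check": check, "action": action, "rule": rule, "port": port})

    act, num = evaluate(src_acl["egress"], "tcp", dst_port, dst_ip)
    add("source egress to destination", act, num, dst_port)
    act, num = evaluate(dst_acl["ingress"], "tcp", dst_port, src_ip)
    add("destination ingress from source", act, num, dst_port)
    act, port, num = evaluate_range(dst_acl["egress"], "tcp", EPHEMERAL, src_ip)
    add("destination egress (reply to ephemeral port)", act, num, port)
    act, port, num = evaluate_range(src_acl["ingress"], "tcp", EPHEMERAL, dst_ip)
    add("source ingress (reply to ephemeral port)", act, num, port)
    return findings


def blocked_by(findings):
    return [f for f in findings if f["action"] != "allow"]


ALLOW_ALL = NaclRule(100, "-1", 0, 65535, "0.0.0.0/0", "allow")
ACL_SUBNET_A = {"ingress": [ALLOW_ALL], "egress": [ALLOW_ALL]}
ACL_SUBNET_B = {                      # the DENY at rule 90 wins over the ALLOW at rule 100
    "ingress": [NaclRule(90, "tcp", 22, 22, "10.0.1.0/24", "deny"), ALLOW_ALL],
    "egress": [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")],
}
ACL_SUBNET_B_NO_REPLY = {             # no DENY at all, but replies to ephemeral ports cannot leave
    "ingress": [ALLOW_ALL],
    "egress": [NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")],
}

if __name__ == "__main__":
    for acl in (ACL_SUBNET_B, ACL_SUBNET_B_NO_REPLY):
        print(blocked_by(diagnose_tcp("10.0.1.10", ACL_SUBNET_A, "10.0.2.20", acl, 22)))
```

VPC Flow Logs would show the dropped packet as REJECT, which confirms that a filter dropped it but does not say which rule; reading the two NACLs in rule-number order, in both directions, is the direct check.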



A company has an application that needs to get objects from an Amazon S3 bucket. The application runs on Amazon EC2 instances.
All the objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The resources in the VPC do not have access to the internet and use a gateway VPC endpoint to access Amazon S3.
The company discovers that the application is unable to get objects from the S3 bucket.
Which factors could cause this issue? (Choose three.)

  A. The IAM instance profile that is attached to the EC2 instances does not allow the s3:ListBucket action for the S3 bucket.
  B. The IAM instance profile that is attached to the EC2 instances does not allow the s3:ListParts action for the S3 bucket.
  C. The KMS key policy that encrypts the objects in the S3 bucket does not allow the kms:ListKeys action to the EC2 instance profile ARN.
  D. The KMS key policy that encrypts the objects in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN.
  E. The S3 bucket policy does not allow access from the gateway VPC endpoint.
  F. The security group that is attached to the EC2 instances is missing an inbound rule from the S3 managed prefix list over port 443.

Answer(s): A,D,E
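Added example (not part of the exam material or of AWS tooling): a deliberately small policy evaluator that checks the three policies involved when an instance role reads an SSE-KMS object through a gateway endpoint, which is the set of factors A, D and E. It models only Effect, Action, Resource, Principal and the StringEquals/StringNotEquals condition operators (no NotAction, NotResource, permissions boundaries or SCPs), so it is an illustration of the evaluation logic and not a substitute for the IAM policy simulator. The account ID, role, bucket, key and endpoint identifiers are constructed. The BROKEN set has one defect per policy; FIXED repairs each one, and the same FIXED set evaluated without the endpoint ID shows the bucket policy's aws:sourceVpce deny taking effect as intended.

```python
import copy
import fnmatch

# Constructed account, role, bucket, key and endpoint identifiers (not real resources).
ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AppInstanceRole"      # role behind the instance profile
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
BUCKET_ARN = "arn:aws:s3:::example-app-data"
OBJECT_ARN = f"{BUCKET_ARN}/reports/q1.csv"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
VPCE_ID = "vpce-0a1b2c3d4e5f67890"


def _l(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value):
    # Action and Resource matching: case-insensitive names with '*' wildcards
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _l(patterns))


def _principal_ok(stmt, caller):
    p = stmt.get("Principal")          # absent in identity policies: applies to the attached role
    if p is None or p == "*":
        return True
    return isinstance(p, dict) and any(x in ("*", caller) for x in _l(p.get("AWS", [])))


def _conditions_ok(stmt, ctx):
    # Only StringEquals / StringNotEquals are modelled; enough for aws:sourceVpce
    for op, block in stmt.get("Condition", {}).items():
        for key, wanted in block.items():
            present = ctx.get(key.lower()) in _l(wanted)
            if (op == "StringEquals" and not present) or (op == "StringNotEquals" and present):
                return False
    return True


def decide(policies, caller, action, resource, ctx):
    """Explicit Deny anywhere wins, then any Allow, else implicit deny.
    Returns (decision, policy_name, sid)."""
    allow = None
    for name, doc in policies.items():
        for s in _l(doc["Statement"]):
            if not (_glob(s.get("Action", []), action) and _glob(s.get("Resource", "*"), resource)
                    and _principal_ok(s, caller) and _conditions_ok(s, ctx)):
                continue
            if s["Effect"] == "Deny":
                return "deny", name, s.get("Sid")
            allow = allow or ("allow", name, s.get("Sid"))
    return allow or ("implicit-deny", None, None)


def kms_decrypt_allowed(identity_policy, key_policy, ctx):
    """The key policy is authoritative: it must grant the role directly, or grant the
    account root (delegating to IAM) with the identity policy then granting kms:Decrypt."""
    d, _, _ = decide({"key": key_policy}, ROLE_ARN, "kms:Decrypt", KEY_ARN, ctx)
    if d != "implicit-deny":
        return d == "allow"
    root, _, _ = decide({"key": key_policy}, ROOT_ARN, "kms:Decrypt", KEY_ARN, ctx)
    ident, _, _ = decide({"identity": identity_policy}, ROLE_ARN, "kms:Decrypt", KEY_ARN, ctx)
    return root == "allow" and ident == "allow"


def check_object_read(identity_policy, key_policy, bucket_policy, via_vpce):
    """Reasons a GetObject on an SSE-KMS object would fail; [] when it should succeed."""
    ctx = {"aws:sourcevpce": via_vpce} if via_vpce else {}   # request context keys, lower-cased
    s3_policies = {"identity": identity_policy, "bucket": bucket_policy}
    findings = []
    for action, resource in (("s3:GetObject", OBJECT_ARN), ("s3:ListBucket", BUCKET_ARN)):
        d, pol, sid = decide(s3_policies, ROLE_ARN, action, resource, ctx)
        if d != "allow":
            findings.append(f"{action}: {d} (policy={pol}, sid={sid})")
    if not kms_decrypt_allowed(identity_policy, key_policy, ctx):
        findings.append("kms:Decrypt: not granted to the instance role by the key policy")
    return findings


BROKEN = {   # one defect per policy, matching factors A, D and E above
  "identity": {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    {"Sid": "UseKey", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": KEY_ARN}]},
  "key": {"Version": "2012-10-17", "Statement": [
    {"Sid": "Root", "Effect": "Allow", "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": ["kms:DescribeKey"], "Resource": "*"}]},
  "bucket": {"Version": "2012-10-17", "Statement": [
    {"Sid": "OnlyFromEndpoint", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-0ffffffffffffffff"}}}]},  # wrong endpoint
}
FIXED = copy.deepcopy(BROKEN)
FIXED["identity"]["Statement"].append(
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN})
FIXED["key"]["Statement"][1]["Action"].append("kms:Decrypt")
FIXED["bucket"]["Statement"][0]["Condition"]["StringNotEquals"]["aws:sourceVpce"] = VPCE_ID

if __name__ == "__main__":
    print("broken:", check_object_read(BROKEN["identity"], BROKEN["key"], BROKEN["bucket"], VPCE_ID))
    print("fixed: ", check_object_read(FIXED["identity"], FIXED["key"], FIXED["bucket"], VPCE_ID))
```

Options B, C and F do not enter the check at all: s3:ListParts and kms:ListKeys are not used by a GetObject on an SSE-KMS object, and a gateway endpoint is a route-table target, so the instance's security group needs no inbound rule from the S3 prefix list.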





