SCS-C02 Exam Dumps

Some new sample questions:
Question:
A company runs workloads on Amazon EC2 instances. The company needs to continually monitor the EC2 instances for software vulnerabilities and must display the findings in AWS Security Hub. The company must not install agents on the EC2 instances.
A. Enable Amazon Inspector. Set the scan mode to hybrid scanning. Enable the integration for Amazon Inspector in Security Hub.
B. Use Security Hub to enable the AWS Foundational Security Best Practices standard. Wait for Security Hub to generate the findings.
C. Enable Amazon GuardDuty. Initiate on-demand malware scans by using GuardDuty Malware Protection. Enable the integration for GuardDuty in Security Hub.
D. Use AWS Config managed rules to detect EC2 software vulnerabilities. Ensure that Security Hub has the AWS Config integration enabled.

Question:
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user.
A. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.
B. Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.
C. Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.
D. Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

Question:
A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and uses AWS IAM Access Analyzer. A security engineer must automate a response for newly created overly permissive policies to remediate access and notify the security team.
Select THREE:
A. Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SNS topic.
B. Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon SNS topic.
C. In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.
D. In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.
E. Create an Amazon SQS queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.
F. Create an Amazon SNS topic for external or cross-account access notices. Subscribe the security team’s email addresses to the topic.

Question:
A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions. Which solution will meet these requirements?
A. Create a resource based policy that allows Security Hub access to the ARN of the Lambda function.
B. Attach the AWSSecurityHubReedOnlyAccess AWS managed policy to the Lambda function’s execution role.
C. Grant the Lambda function s execution role read-only permissions to access Amazon Inspector and Security Hub.
D. Create a custom 1AM policy that grants the Security Hub Get’ List’ Batch’ and Desert*’ permissions on the arn aws securityhub us-west-2 productaws/inspector’ resource Anacn the policy to the Lambda function’s execution role.

Question:
A company is running workloads on AWS. The workloads are in separate AWS accounts for development, testing, and production. All the company’s developers can access the development account. A subset of the developers can access the testing account and the production account.
The company is spending too much time managing individual credentials for every developer across every environment. A security engineer must implement a more scalable solution that the company can use when a developer needs different access. The solution must allow developers to access resources across multiple accounts. The solution also must minimize credential sharing.
Which solution will meet these requirements?
A. Use AWS Identity and Access Management Access Analyzer to identity the permissions that the developers need on each account. Configure 1AM Access Analyzer to automatically provision the correct access for each developer.
B. Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.
C. Create I AM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create 1AM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.
D. Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.
……….