AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 1726–1738

1738 questions total · 24 pages · All types, answers revealed


Page 24 of 24

1726
MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team wants to be alerted when an IAM user creates a new access key for another IAM user (an action that could indicate privilege escalation). What is the most effective way to detect this specific API call?

A. Query AWS CloudTrail logs using Amazon Athena on a schedule.
B. Use AWS Config to create a custom rule that checks for changes to IAM users.
C. Create an Amazon CloudWatch Events rule that matches the 'iam:CreateAccessKey' API call and sends a notification to an SNS topic.
D. Enable Amazon GuardDuty and look for the 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' finding.
Answer: C

This provides real-time alerting for the specific action.

Why this answer

Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can be configured with a rule that matches the specific 'iam:CreateAccessKey' API call as it occurs. When this API call is made, CloudTrail delivers the event in near real-time to CloudWatch Events, which can then trigger an SNS topic to send an alert. This provides immediate, event-driven detection without the latency of scheduled queries or the overhead of custom rules.

Exam trap

The trap here is that candidates confuse AWS Config (which evaluates resource state) with CloudTrail (which records API actions), leading them to choose Option B, but Config cannot detect the API call itself—only the resulting configuration change, which may be too late or ambiguous.

How to eliminate wrong answers

Option A is wrong because querying CloudTrail logs with Amazon Athena on a schedule introduces significant delay (minutes to hours) between the API call and detection, making it unsuitable for real-time alerting. Option B is wrong because AWS Config custom rules evaluate resource configuration changes, not API calls; they can detect that an access key exists but cannot detect the specific 'iam:CreateAccessKey' API action itself. Option D is wrong because GuardDuty's 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' finding detects stolen credentials being used from an EC2 instance, not the creation of access keys for another user.

1727
MCQ · hard

A company uses AWS PrivateLink to connect to a SaaS provider's VPC endpoint service. The security team wants to ensure that traffic between the company's VPC and the SaaS provider's VPC is encrypted in transit and that no other AWS service can access the data. Which configuration meets these requirements?

A. Use a Site-to-Site VPN connection between the VPC and the SaaS provider's on-premises network.
B. Create a VPC peering connection and use security groups to restrict traffic.
C. Use an AWS PrivateLink endpoint (interface endpoint) in the company's VPC to connect to the SaaS provider's VPC endpoint service.
D. Use an AWS Transit Gateway with inter-region peering.
Answer: C

PrivateLink provides encrypted traffic within AWS and isolates the traffic.

Why this answer

Option C is correct because PrivateLink interface endpoints carry the traffic within the AWS network, where it is encrypted and isolated from other services. Option A is wrong because a VPN is not needed. Option B is wrong because VPC peering does not encrypt traffic by default.

Option D is wrong because Transit Gateway is for routing, not encryption.

1728
MCQ · medium

Refer to the exhibit. A security engineer applies the bucket policy to an S3 bucket. A user uploads an object without specifying any encryption header. What happens?

A. The object is uploaded and encrypted with the bucket's default SSE-S3
B. The object is uploaded and encrypted with SSE-KMS
C. The request is denied with an Access Denied error
D. The object is uploaded without encryption
Answer: C

Condition denies when encryption is not KMS.

Why this answer

The policy denies PutObject when the encryption header is not equal to 'aws:kms'. Since the user did not specify the header, the condition evaluates to true (the header is not equal to 'aws:kms'), and the request is denied. Option C is correct.

Option A is wrong because even with default SSE-S3, the header is not 'aws:kms'; B is wrong because default encryption is not applied; D is wrong because the policy denies the upload.

1729
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all new member accounts automatically deny public access to S3 buckets. Which policy should be attached to the root organizational unit?

A. Attach an S3 bucket policy to each bucket
B. Attach an IAM policy to the root user
C. Attach a trust policy to the OrganizationAccountAccessRole
D. Attach a service control policy (SCP) to the root OU
Answer: D

SCPs can set permission boundaries across entire accounts, denying actions like s3:PutBucketPublicAccessBlock.

Why this answer

Option D is correct because an SCP can deny public access to S3 buckets across all accounts in the organization. Option A is wrong because a bucket policy is per-bucket, not across accounts. Option B is wrong because an IAM policy only applies to IAM users, groups, and roles, not to accounts.

Option C is wrong because a trust policy is for IAM roles, not S3 access control.

1730
MCQ · medium

Refer to the exhibit. A security engineer creates the S3 bucket policy above to allow an IAM role to upload objects only from the corporate network IP range (10.0.0.0/16). However, users report that they can still upload objects from outside the range when assuming the role. What is the most likely cause?

A. The condition key aws:SourceIp does not support the IP range 10.0.0.0/16 because it is a private IP range.
B. The bucket policy uses Allow instead of Deny; an explicit Deny is needed to block requests that do not meet the condition.
C. The IAM role's trust policy does not restrict who can assume the role.
D. The resource ARN should not include the trailing /*.
Answer: B

Because the IAM role already has an Allow, an Allow with condition does not restrict; a Deny is required.

Why this answer

The condition key aws:SourceIp is evaluated against the IP address from which the request reaches S3. When a user assumes the role from outside the corporate network, the request carries that user's external IP, so the condition on the bucket policy's Allow statement is not met. That alone does not block the upload: a conditional Allow whose condition fails simply does not apply, and it is not an explicit Deny.

The role's own IAM policy already grants s3:PutObject without any condition. Under the AWS policy evaluation logic, every request is denied by default, an explicit Allow in either the identity-based policy or the bucket policy is enough to grant access for a principal in the same account as the bucket, and only an explicit Deny overrides that. With its condition unmet, the bucket policy contributes neither an Allow nor a Deny, so the explicit Allow in the role's policy stands and the upload from outside the range succeeds.

The bucket-policy condition therefore restricts nothing when the identity policy already allows the action. To enforce the network restriction, the bucket policy needs a Deny statement that matches requests not originating from 10.0.0.0/16 (or the role's IAM policy must be made more restrictive). This is a common gotcha, and the most likely cause is Option B: the bucket policy uses Allow instead of Deny.

1731
MCQ · hard

A company has an S3 bucket with a bucket policy that grants access to an IAM role. The security team wants to restrict access to only requests that originate from the company's VPC. How can this be achieved?

A. Create a new IAM role that can only be assumed by instances in the VPC.
B. Add a condition in the IAM role policy using aws:SourceVpce.
C. Add a condition in the bucket policy using aws:SourceIp with the VPC CIDR range.
D. Add a condition in the bucket policy using aws:SourceVpce with the VPC endpoint ID.
Answer: D

This ensures requests come through the specified VPC endpoint.

Why this answer

Option D is correct: use a VPC endpoint and the aws:SourceVpce condition in the bucket policy. Option B is wrong because the condition belongs in the bucket policy, not the role policy. Option C is wrong because aws:SourceIp is not effective for VPC traffic to S3.

Option A is wrong because allowing only specific instances is not granular.

1732
Multi-Select · medium

A security engineer is designing a data protection strategy for Amazon RDS for PostgreSQL. The database contains sensitive personal information. Which TWO actions should the engineer take to protect the data at rest? (Choose TWO.)

Select 2 answers
A. Enable encryption at rest for the RDS instance using AWS KMS.
B. Enable SSL/TLS for connections to the database.
C. Delete automated backups after 30 days.
D. Enable encryption for automated backups using the same KMS key.
E. Enable deletion protection for the RDS instance.
Answers: A, D

Encrypts the database storage and automated backups.

Why this answer

Enabling encryption at rest for RDS (Option A) and enabling automated backups with encryption (Option D) ensure data at rest is encrypted. Enabling encryption in transit (Option B) protects data in motion, not data at rest. Deleting backups (Option C) does not protect data at rest.

Enabling deletion protection (Option E) prevents accidental deletion but does not encrypt data.

1733
MCQ · medium

Refer to the exhibit. A security engineer ran this AWS CLI command to find when a specific CreateKeyPair API call was made. The command returns no results, even though the engineer knows the call was made. What is the MOST likely reason?

A. The time range is too narrow.
B. The command did not specify a region, so it defaults to us-east-1, but the call was made in a different region.
C. The event name should be 'CreateKeypair' (lowercase p).
D. The --lookup-attributes parameter has incorrect syntax.
Answer: D

The comma should be a space or the syntax is wrong.

Why this answer

Option D is correct. The --lookup-attributes parameter syntax requires a space after the comma, not an equals sign. The correct syntax is 'AttributeKey=EventName, AttributeValue=CreateKeyPair', or use separate parameters.

Option A is wrong because the time range is valid. Option B is wrong: because no region is specified, the command uses the default region, which could miss results if the call was made in another region, but that is not the most likely reason here. Option C is wrong because the event name is correct.

1734
MCQ · easy

A company wants to grant a Lambda function access to write logs to CloudWatch Logs in the same AWS account. What is the BEST practice for granting this permission?

A. Store AWS access keys in the Lambda environment variables
B. Add a resource-based policy to the Lambda function to allow CloudWatch Logs to write logs
C. Use the AWS account root user credentials directly in the Lambda function
D. Create an IAM role with a policy allowing logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents, and attach it to the Lambda function
Answer: D

This is the correct approach: using an IAM role that the Lambda assumes.

Why this answer

Option D is correct because attaching an IAM role with the required permissions to the Lambda function is the standard and secure method. Option A is wrong because embedding credentials in environment variables or code is insecure. Option B is wrong because resource-based policies are used for cross-account access, not for Lambda writing to CloudWatch Logs.

Option C is wrong because using the root user is insecure and unnecessary.

1735
Multi-Select · medium

A security engineer is configuring automated incident response for Amazon GuardDuty findings. The engineer wants to isolate a compromised EC2 instance by changing its security group and stopping the instance. Which THREE services should the engineer use together to achieve this? (Choose THREE.)

Select 3 answers
A. Amazon EC2
B. AWS Config
C. AWS Systems Manager
D. Amazon EventBridge
E. AWS Lambda
Answers: C, D, E

Systems Manager can run automation documents to isolate instances.

Why this answer

AWS Systems Manager (SSM) is correct because it provides the Automation runbook capability that can be used to stop an EC2 instance and modify its security groups as part of an incident response workflow. SSM Automation can be triggered by an EventBridge rule and can invoke Lambda functions or run commands directly on the instance to isolate it. This allows the security engineer to automate the isolation and stopping of the compromised instance without manual intervention.

Exam trap

The trap here is that candidates may think AWS Config can directly remediate findings (e.g., via AWS Config Rules with auto-remediation), but Config only triggers evaluations and cannot perform actions like stopping instances or modifying security groups without a separate automation service like SSM or Lambda.

1736
MCQ · medium

A security administrator discovers that an IAM user has been deleted accidentally. What is the correct way to restore the user's access?

A. Contact AWS Support to undo the deletion
B. Use the AWS IAM console to undelete the user
C. Restore the user from a backup of IAM
D. Create a new IAM user with the same name and attach the same policies
Answer: D

This is the only way to restore access; password and keys must be reset.

Why this answer

Option D is correct because IAM does not support undeletion or restoration of deleted users. When an IAM user is deleted, all associated credentials, permissions, and metadata are permanently removed. The only way to restore access is to create a new IAM user with the same name and manually reattach the same policies, groups, and tags, and then regenerate access keys and passwords as needed.

Exam trap

The trap here is that candidates may assume AWS provides an 'undelete' or 'restore from backup' feature for IAM users, similar to features in other AWS services like S3 versioning or RDS snapshots, but IAM has no such recovery mechanism.

How to eliminate wrong answers

Option A is wrong because AWS Support cannot undo an IAM user deletion; IAM user deletions are irreversible and not stored in any recoverable state. Option B is wrong because the AWS IAM console does not provide an 'undelete' feature; once a user is deleted, it is permanently removed from the IAM service. Option C is wrong because IAM does not have a native backup or restore mechanism; while you can use AWS CloudTrail logs or infrastructure-as-code templates to recreate configurations, there is no backup of the user object itself.

1737
MCQ · hard

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

A. The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.
B. The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.
C. The virtual private gateway is not attached to the VPC.
D. The security group does not allow inbound traffic from the on-premises server.
Answer: A

Without a return route, responses from on-premises are dropped.

Why this answer

The on-premises firewall logs show packets are received from the EC2 instance, but responses are not reaching it. This indicates a routing issue on the on-premises side: the on-premises router must have a route pointing the VPC CIDR back to the Direct Connect interface (virtual interface) for return traffic to be forwarded correctly. Without this return route, the on-premises server sends responses via its default route (likely the internet), which are dropped by the VPC security group or never reach the EC2 instance.

Exam trap

The trap here is that candidates often assume security groups or network ACLs are the cause of asymmetric connectivity issues, but the real problem is the missing return route on the on-premises side, which is a common misconfiguration in hybrid networking scenarios.

How to eliminate wrong answers

Option B is wrong because the network ACL for the subnet is not blocking outbound traffic to the on-premises CIDR; the question states the EC2 instance can send packets (they are received on-premises), so outbound ACL rules are not the issue. Option C is wrong because if the virtual private gateway were not attached to the VPC, the EC2 instance would not be able to send packets to the on-premises CIDR at all (the route table entry would be invalid), yet packets are received on-premises. Option D is wrong because the security group does not need to allow inbound traffic from the on-premises server for the response to reach the EC2 instance; security groups are stateful, so if the outbound traffic is allowed, the return traffic is automatically permitted regardless of inbound rules.

1738
Multi-Select · easy

A company wants to detect anomalous behavior in their AWS environment. Which THREE AWS services can be used for threat detection? (Choose THREE.)

Select 3 answers
A. AWS Trusted Advisor
B. AWS Security Hub
C. AWS Config
D. Amazon GuardDuty
E. Amazon Inspector
Answers: B, D, E

Aggregates findings from multiple detection services.

Why this answer

AWS Security Hub is correct because it aggregates and prioritizes security findings from multiple AWS services (like GuardDuty, Inspector, and Macie) and third-party tools, providing a comprehensive view of security alerts and compliance status. It uses integrated findings to detect anomalous behavior across accounts and regions, making it a central threat detection service.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's security checks (like open port alerts) with threat detection, but Trusted Advisor is a best-practice advisor, not a real-time threat detection service—it lacks the ML-based anomaly detection and threat intelligence that GuardDuty and Security Hub provide.
