Question 1

A company is evaluating the use of AWS Systems Manager Session Manager to gam access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users. When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error. "Error Unprotected private key file - Permissions for' ssh/my_private_key pern' are too open". Which command should the security administrator use to modify the private key Me permissions to resolve this error?

Options :

A : chmod 0040 ssh/my_private_key pern

B : chmod 0400 ssh/my_private_key pern

C : chmod 0004 ssh/my_private_key pern

D : chmod 0777 ssh/my_private_key pern

Answer: B

Question 2

A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS. Which of the following is a valid option for storing SSL/TLS certificates?

Options :

A : Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)

B : Default SSL certificate that is stored in Amazon CloudFront.

C : Custom SSL certificate that is stored in AWS Certificate Manager (ACM)

D : Default SSL certificate that is stored in Amazon S3

Answer: C

Question 3

A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services.How can the AWS KMS key be constrained to work with only Amazon S3?

Options :

A :

Configure the key policy with a kms:CallerAccount condition key that limits use of the KMS key to identities in the specific AWS account.

B :

Configure the key policy with a kms:RequestAlias condition key that limits use of the KMS key to requests that use a specific alias.

C :

Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

D :

Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.

Answer: C

Question 4

A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

Options :

A :

Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

B : Create a metric filter on the logs so that they can be viewed in the AWS Management Console.

C :

Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.c

D :

Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

E : Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.

F :

Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Answer: A,C,D

Question 5

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1). What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

Options :

A :

Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.

B :

Create an Amazon CloudWatch dashboard Verify that the EC2MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.

C :

Create a security group that blocks access to HTTP for the IMDSv1 endpoint Attach the security group to all EC2 instances.

D :

Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used Create a metric filter and an Amazon CloudWatch dashboard Track the metric in the dashboard.

Answer: B

Confidently Practice Online with Free SCS-C02 Exam Cram

Buying Options: